On Sun, Nov 29, 2020 at 12:23:51AM +0100, Theo Buehler wrote:
> On Sun, Nov 29, 2020 at 12:00:29AM +0100, Martijn van Duren wrote:
> > On Sat, 2020-11-28 at 23:08 +0100, Theo Buehler wrote:
> > > > "If the certificate name is an absolute path, a .crt and .key
> > > > extension are appended to form the certificate path and key path
> > > > respectively."
> > > > This part does not seem to work at all.
> > > > Neither it tries to search certificates using the absolute path nor
> > > > it tries to append .crt or .key extension to the absolute path when no
> > > > extension is used in config.
> > > >
> > > > Or I do it completely wrong?
> > >
> > > It's a bug. If the certificate path is absolute, faulty short-circuiting
> > > logic would result in first correctly appending ".crt" to the path, then
> > > incorrectly prepending "/etc/ldap/cert".
> > >
> > > You can see the problem with a config containing
> > >
> > >     listen on lo0 port 6636 tls certificate "/bogus/lo0"
> > >
> > >     $ ldapd -vv -f ldapd.conf -n
> > >     ...
> > >     loading certificate file /etc/ldap/certs//bogus/lo0.crt
> > >     ldapd.conf:5: cannot load certificate: /bogus/lo0
> > >     ...
> > >
> > > The diff below avoids calling bsnprintf() twice for an absolute
> > > certificate path.
> > >
> >
> > Wouldn't it be more future idiot proof if we were a little more verbose?
> > But if you prefer, your diff also looks good to me.
>
> I have no strong preference either way (I would probably use yours if it
> were my code). Feel free to go ahead with your diff and my ok after
> giving jmatthew a bit of time to respond.

I'm ok with either, but I prefer Martijn's diff.
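
The short-circuit problem described in the thread, as an added example that is not ldapd's source and not either diff from the thread. fmt_ok() is a hypothetical stand-in for bsnprintf() (assumed to return non-zero on success without truncation); cert_path_buggy() and cert_path_fixed() are illustrative names, and the sample names in main() are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CERT_DIR "/etc/ldap/certs"	/* prefix seen in the log output above */

/* Hypothetical stand-in for bsnprintf(): 1 on success, 0 on error/truncation. */
static int fmt_ok(char *buf, size_t len, const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(buf, len, fmt, ap);
	va_end(ap);
	return n >= 0 && (size_t)n < len;
}

/* Faulty pattern: for an absolute name the first call succeeds, so the left
 * operand of || is false and the second call runs too, overwriting buf. */
int cert_path_buggy(char *buf, size_t len, const char *name)
{
	if ((name[0] == '/' && !fmt_ok(buf, len, "%s.crt", name)) ||
	    !fmt_ok(buf, len, CERT_DIR "/%s.crt", name))
		return -1;
	return 0;
}

/* More verbose form: exactly one formatting call, chosen by the path type. */
int cert_path_fixed(char *buf, size_t len, const char *name)
{
	int ok;
	if (name[0] == '/')
		ok = fmt_ok(buf, len, "%s.crt", name);
	else
		ok = fmt_ok(buf, len, CERT_DIR "/%s.crt", name);
	return ok ? 0 : -1;
}

int main(void)
{
	char path[1024];
	const char *names[] = { "/bogus/lo0", "lo0" };	/* constructed samples */
	for (int i = 0; i < 2; i++) {
		if (cert_path_buggy(path, sizeof(path), names[i]) == 0)
			printf("buggy: %-12s -> %s\n", names[i], path);
		if (cert_path_fixed(path, sizeof(path), names[i]) == 0)
			printf("fixed: %-12s -> %s\n", names[i], path);
	}
	return 0;
}
```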