rpms / 389-ds-base

Clone
Source Code
GIT

Blame SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   7af0dc8fbc34339ad481267fea0d5b4faa7584a4
  2.   SOURCES
  3.   0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch
Blob History Raw
081b2d 
From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
081b2d 
From: Thierry Bordaz <tbordaz@redhat.com>
081b2d 
Date: Tue, 6 Feb 2018 19:49:22 +0100
081b2d 
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
081b2d 
 default as openldap is moving to openssl
081b2d
081b2d 
Bug Description:
081b2d 
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
081b2d 
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
081b2d 
	need to specify path to PEM files.
081b2d
081b2d 
	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
081b2d
081b2d 
	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
081b2d
081b2d 
	The default value is 'off', that prevent secure outgoing connection.
081b2d
081b2d 
Fix Description:
081b2d
081b2d 
	Enable nsslapd-extract-pemfiles by default
081b2d 
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
081b2d 
	and the pem files have been extracted then use the PEM files
081b2d
081b2d 
https://pagure.io/389-ds-base/issue/49560
081b2d
081b2d 
Reviewed by: mreynolds & mhonek
081b2d
081b2d 
Platforms tested: RHEL 7.5
081b2d
081b2d 
Flag Day: no
081b2d
081b2d 
Doc impact: no
081b2d
081b2d 
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
081b2d 
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
081b2d 
---
081b2d 
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
081b2d 
 ldap/servers/slapd/libglobs.c |  2 +-
081b2d 
 ldap/servers/slapd/ssl.c      |  2 +-
081b2d 
 3 files changed, 18 insertions(+), 18 deletions(-)
081b2d
081b2d 
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
081b2d 
index 2fc2f0615..fcf22e632 100644
081b2d 
--- a/ldap/servers/slapd/ldaputil.c
081b2d 
+++ b/ldap/servers/slapd/ldaputil.c
081b2d 
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
081b2d 
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d 
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
081b2d 
     }
081b2d 
-    if (slapi_client_uses_non_nss(ld)) {
081b2d 
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
081b2d 
         cacert = slapi_get_cacertfile();
081b2d 
         if (cacert) {
081b2d 
             /* CA Cert PEM file exists.  Set the path to openldap option. */
081b2d 
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
081b2d 
                               cacert, rc, ldap_err2string(rc));
081b2d 
             }
081b2d 
         }
081b2d 
-        if (slapi_client_uses_openssl(ld)) {
081b2d 
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
081b2d 
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
081b2d 
-            if (tls_check_state == TLS_CHECK_PEER) {
081b2d 
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
081b2d 
-            } else if (tls_check_state == TLS_CHECK_ALL) {
081b2d 
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
081b2d 
-            }
081b2d 
-            /* Sets the CRL evaluation strategy. */
081b2d 
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
081b2d 
-            if (rc) {
081b2d 
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d 
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
081b2d 
-                              crlcheck, rc, ldap_err2string(rc));
081b2d 
-            }
081b2d 
+    }
081b2d 
+    if (slapi_client_uses_openssl(ld)) {
081b2d 
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
081b2d 
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
081b2d 
+        if (tls_check_state == TLS_CHECK_PEER) {
081b2d 
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
081b2d 
+        } else if (tls_check_state == TLS_CHECK_ALL) {
081b2d 
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
081b2d 
+        }
081b2d 
+        /* Sets the CRL evaluation strategy. */
081b2d 
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
081b2d 
+        if (rc) {
081b2d 
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d 
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
081b2d 
+                    crlcheck, rc, ldap_err2string(rc));
081b2d 
         }
081b2d 
     }
081b2d 
     /* tell it where our cert db/file is */
081b2d 
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
081b2d 
index eb6552af1..3bd5c1826 100644
081b2d 
--- a/ldap/servers/slapd/libglobs.c
081b2d 
+++ b/ldap/servers/slapd/libglobs.c
081b2d 
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
081b2d 
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
081b2d 
 #endif
081b2d
081b2d 
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
081b2d 
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
081b2d
081b2d 
     /* Done, unlock!  */
081b2d 
     CFG_UNLOCK_WRITE(cfg);
081b2d 
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
081b2d 
index 52ac7ea9f..36b09fd16 100644
081b2d 
--- a/ldap/servers/slapd/ssl.c
081b2d 
+++ b/ldap/servers/slapd/ssl.c
081b2d 
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
081b2d 
                            errorCode, slapd_pr_strerror(errorCode));
081b2d 
         } else {
081b2d 
 #if defined(USE_OPENLDAP)
081b2d 
-            if (slapi_client_uses_non_nss(ld)) {
081b2d 
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
081b2d 
                 char *certdir = config_get_certdir();
081b2d 
                 char *keyfile = NULL;
081b2d 
                 char *certfile = NULL;
081b2d 
--
081b2d 
2.13.6
081b2d

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation