From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 6 Feb 2018 19:49:22 +0100
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
 default as openldap is moving to openssl

Bug Description:
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
	need to specify path to PEM files.

	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx

	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.

	The default value is 'off', that prevent secure outgoing connection.

Fix Description:

	Enable nsslapd-extract-pemfiles by default
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
	and the pem files have been extracted then use the PEM files

https://pagure.io/389-ds-base/issue/49560

Reviewed by: mreynolds & mhonek

Platforms tested: RHEL 7.5

Flag Day: no

Doc impact: no

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
---
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
 ldap/servers/slapd/libglobs.c |  2 +-
 ldap/servers/slapd/ssl.c      |  2 +-
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 2fc2f0615..fcf22e632 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
     }
-    if (slapi_client_uses_non_nss(ld)) {
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
         cacert = slapi_get_cacertfile();
         if (cacert) {
             /* CA Cert PEM file exists.  Set the path to openldap option. */
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
                               cacert, rc, ldap_err2string(rc));
             }
         }
-        if (slapi_client_uses_openssl(ld)) {
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-            if (tls_check_state == TLS_CHECK_PEER) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-            } else if (tls_check_state == TLS_CHECK_ALL) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-            }
-            /* Sets the CRL evaluation strategy. */
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
-            if (rc) {
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
-                              crlcheck, rc, ldap_err2string(rc));
-            }
+    }
+    if (slapi_client_uses_openssl(ld)) {
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
+        if (tls_check_state == TLS_CHECK_PEER) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
+        } else if (tls_check_state == TLS_CHECK_ALL) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+        }
+        /* Sets the CRL evaluation strategy. */
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
+        if (rc) {
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
+                    crlcheck, rc, ldap_err2string(rc));
         }
     }
     /* tell it where our cert db/file is */
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index eb6552af1..3bd5c1826 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
 #endif
 
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
 
     /* Done, unlock!  */
     CFG_UNLOCK_WRITE(cfg);
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 52ac7ea9f..36b09fd16 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
                            errorCode, slapd_pr_strerror(errorCode));
         } else {
 #if defined(USE_OPENLDAP)
-            if (slapi_client_uses_non_nss(ld)) {
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
                 char *certdir = config_get_certdir();
                 char *keyfile = NULL;
                 char *certfile = NULL;
-- 
2.13.6