diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions
index 990d2b8..98c8631 100644
--- a/SOURCES/libexec-functions
+++ b/SOURCES/libexec-functions
@@ -36,6 +36,8 @@ function parse_config_options()
 		esac
 	done
 
+	unset OPTIND
+
 	if [ -n "$user" ]; then
 		SLAPD_USER="$user"
 	fi
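Review bot: `unset OPTIND` depends on the shell re-initialising getopts when the variable is missing, which bash does but POSIX leaves to the implementation; the portable reset is the assignment `OPTIND=1`. Placing the reset at the top of parse_config_options, before its `while getopts` loop, is also the more common arrangement, since it guards against any earlier getopts use in the same shell rather than only against this function's own previous call. The loop and the start of parse_config_options are outside the hunk, so where the reset matters most cannot be confirmed from here.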
diff --git a/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch
new file mode 100644
index 0000000..d40fecb
--- /dev/null
+++ b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch
@@ -0,0 +1,94 @@
+Fix back-ldap to respect the user configured timeout
+
+Upstream: ITS#8720
+Resolves: #1540336
+
+diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
+index 1e2c14a..e35f622 100644
+--- a/servers/slapd/back-ldap/back-ldap.h
++++ b/servers/slapd/back-ldap/back-ldap.h
+@@ -89,6 +89,7 @@ typedef struct ldapconn_base_t {
+ 	(BER_BVISEMPTY(&(op)->o_ndn) ? \
+ 		LDAP_BACK_PCONN_ANON_SET((lc), (op)) : LDAP_BACK_PCONN_ROOTDN_SET((lc), (op)))
+ 
++    struct ldapinfo_t   *lcb_ldapinfo;
+ 	struct berval		lcb_local_ndn;
+ 	unsigned		lcb_refcnt;
+ 	time_t			lcb_create_time;
+@@ -98,6 +99,7 @@ typedef struct ldapconn_base_t {
+ typedef struct ldapconn_t {
+ 	ldapconn_base_t		lc_base;
+ #define	lc_conn			lc_base.lcb_conn
++#define	lc_ldapinfo			lc_base.lcb_ldapinfo
+ #define	lc_local_ndn		lc_base.lcb_local_ndn
+ #define	lc_refcnt		lc_base.lcb_refcnt
+ #define	lc_create_time		lc_base.lcb_create_time
+diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
+index ff759d7..7808f7a 100644
+--- a/servers/slapd/back-ldap/bind.c
++++ b/servers/slapd/back-ldap/bind.c
+@@ -532,7 +532,7 @@ ldap_back_start_tls(
+ 	int		*is_tls,
+ 	const char	*url,
+ 	unsigned	flags,
+-	int		retries,
++	int		timeout,
+ 	const char	**text )
+ {
+ 	int		rc = LDAP_SUCCESS;
+@@ -567,22 +567,14 @@ ldap_back_start_tls(
+ 			LDAPMessage	*res = NULL;
+ 			struct timeval	tv;
+ 
+-			LDAP_BACK_TV_SET( &tv );
+-
+-retry:;
++            if ( timeout ) {
++                tv.tv_sec = timeout;
++                tv.tv_usec = 0;
++            } else {
++                LDAP_BACK_TV_SET( &tv );
++            }
+ 			rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res );
+-			if ( rc < 0 ) {
+-				rc = LDAP_UNAVAILABLE;
+-
+-			} else if ( rc == 0 ) {
+-				if ( retries != LDAP_BACK_RETRY_NEVER ) {
+-					ldap_pvt_thread_yield();
+-					if ( retries > 0 ) {
+-						retries--;
+-					}
+-					LDAP_BACK_TV_SET( &tv );
+-					goto retry;
+-				}
++            if ( rc <= 0 ) {
+ 				rc = LDAP_UNAVAILABLE;
+ 
+ 			} else if ( rc == LDAP_RES_EXTENDED ) {
+@@ -754,7 +746,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
+ 	assert( li->li_uri_mutex_do_not_lock == 0 );
+ 	li->li_uri_mutex_do_not_lock = 1;
+ 	rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
+-			li->li_uri, flags, li->li_nretries, &rs->sr_text );
++			li->li_uri, flags, li->li_timeout[ SLAP_OP_EXTENDED ], &rs->sr_text );
+ 	li->li_uri_mutex_do_not_lock = 0;
+ 	ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
+ 	if ( rs->sr_err != LDAP_SUCCESS ) {
+@@ -980,6 +972,7 @@ retry_lock:
+ 		lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
+ 		lc->lc_flags = li->li_flags;
+ 		lc->lc_lcflags = lc_curr.lc_lcflags;
++		lc->lc_ldapinfo = li;
+ 		if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) {
+ 			ch_free( lc );
+ 			return NULL;
+@@ -1649,7 +1642,7 @@ ldap_back_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
+ 		const char	*text = NULL;
+ 
+ 		rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags,
+-			LDAP_BACK_RETRY_DEFAULT, &text );
++			lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ], &text );
+ 		if ( rc != LDAP_SUCCESS ) {
+ 			return rc;
+ 		}
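Review bot: `lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ]` in ldap_back_default_rebind dereferences a field that this patch initialises only on the `ch_calloc` path in the `retry_lock` hunk; if an ldapconn_t reaches the rebind callback from any other creation path (not visible in these hunks, so inferred), `lcb_ldapinfo` is NULL and slapd crashes during a referral-chase StartTLS. A defensive spelling, `lc->lc_ldapinfo ? lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ] : 0`, keeps the `LDAP_BACK_TV_SET` default for such connections because ldap_back_start_tls treats a zero timeout as "use the default". The added lines `struct ldapinfo_t   *lcb_ldapinfo;`, the `if ( timeout )` block and `if ( rc <= 0 )` are indented with spaces while the surrounding code uses tabs. ldap_back_start_tls, ldap_back_prepare_conn and ldap_back_default_rebind all continue outside the quoted hunks.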
diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
new file mode 100644
index 0000000..62af09f
--- /dev/null
+++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author:    Howard Chu <hyc@openldap.org>
+Date:      Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 49a3959ae..9cd0a4dd1 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will
+ be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index e2344547e..4eb238162 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will
+ be done. When using GnuTLS these parameters are always generated randomly so
+ this directive is ignored.  This directive is ignored when using Mozilla NSS.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index d4d10fa79..9922c9fa8 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_NEWCTX		0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
++#define LDAP_OPT_X_TLS_ECNAME		0x6012
+ #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY  0x6050
+ 
+ #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED	0
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 1a26b3cb0..5fff785d8 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+ 	char		*lt_ciphersuite;
+ 	char		*lt_crlfile;
+ 	char		*lt_randfile;	/* OpenSSL only */
++	char		*lt_ecname;		/* OpenSSL only */
+ 	int		lt_protocol_min;
+ };
+ #endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+ #define ldo_tls_certfile	ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname	ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index a616133da..f39546450 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 		LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = NULL;
+ 	}
++	if ( lo->ldo_tls_ecname ) {
++		LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = NULL;
++	}
+ 	if ( lo->ldo_tls_cacertfile ) {
+ 		LDAP_FREE( lo->ldo_tls_cacertfile );
+ 		lo->ldo_tls_cacertfile = NULL;
+@@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+ 		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ 		__atoe( lts.lt_dhfile );
+ 	}
++	if ( lts.lt_ecname ) {
++		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++		__atoe( lts.lt_ecname );
++	}
+ #endif
+ 	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ 	if ( lo->ldo_tls_ctx == NULL ) {
+@@ -282,6 +290,7 @@ error_exit:
+ 	LDAP_FREE( lts.lt_crlfile );
+ 	LDAP_FREE( lts.lt_cacertdir );
+ 	LDAP_FREE( lts.lt_dhfile );
++	LDAP_FREE( lts.lt_ecname );
+ #endif
+ 	return rc;
+ }
+@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 		*(char **)arg = lo->ldo_tls_dhfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ 		break;
++	case LDAP_OPT_X_TLS_ECNAME:
++		*(char **)arg = lo->ldo_tls_ecname ?
++			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++		break;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		*(char **)arg = lo->ldo_tls_crlfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
++	case LDAP_OPT_X_TLS_ECNAME:
++		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		return 0;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ 		lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index a2d9cd31f..1a81bc625 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if ( lo->ldo_tls_dhfile ) {
+-		DH *dh = NULL;
++	if ( is_server && lo->ldo_tls_dhfile ) {
++		DH *dh;
+ 		BIO *bio;
+-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ 
+ 		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ 			Debug( LDAP_DEBUG_ANY,
+@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		}
+ 		BIO_free( bio );
+ 		SSL_CTX_set_tmp_dh( ctx, dh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++		DH_free( dh );
++	}
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++	if ( is_server && lo->ldo_tls_ecname ) {
++		EC_KEY *ecdh;
++
++		int nid = OBJ_sn2nid( lt->lt_ecname );
++		if ( nid == NID_undef ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not use EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		ecdh = EC_KEY_new_by_curve_name( nid );
++		if ( ecdh == NULL ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not generate key for EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++		EC_KEY_free( ecdh );
+ 	}
++#endif
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 8ade0c3f2..5a3c67a72 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+ 	CFG_ACL_ADD,
+ 	CFG_SYNC_SUBENTRY,
+ 	CFG_LTHREADS,
++	CFG_TLS_ECNAME,
+ 
+ 	CFG_LAST
+ };
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "TLSProtocolMin",	NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ 		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ 		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ 		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+-		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ 		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ 		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ 		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+ 	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
+ 	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
+ 	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
++	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
+ #ifdef HAVE_GNUTLS
+ 	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
+ #endif
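Review bot: `SSL_CTX_set_tmp_ecdh( ctx, ecdh );` in the new tlso_ctx_init block discards the return value, so a curve OpenSSL resolves by name but refuses to install leaves the context without the configured ECDHE group while the function still reports success; `if ( !SSL_CTX_set_tmp_ecdh( ctx, ecdh ) ) { tlso_report_error(); EC_KEY_free( ecdh ); return -1; }` fails closed like the surrounding checks. The same applies to `SSL_CTX_set_tmp_dh( ctx, dh );` a few lines above, and where Patch50 introduces that call. Separately, the new ldap_pvt_tls_set_option case stores `arg ? LDAP_STRDUP( (char *) arg ) : NULL` while every neighbouring string option uses `(arg && *(char *)arg)`, so an empty value is kept as an empty curve name and later fails `OBJ_sn2nid` instead of clearing the option; `lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;` matches the neighbours. tlso_ctx_init and both option functions extend outside the quoted hunks.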
diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
new file mode 100644
index 0000000..6c28f3f
--- /dev/null
+++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		DH_free( dh );
+ 	}
+ 
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+ 	if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++		Debug( LDAP_DEBUG_ANY,
++			"TLS: Elliptic Curves not supported.\n", 0,0,0 );
++		return -1;
++#else
+ 		EC_KEY *ecdh;
+ 
+ 		int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ 		EC_KEY_free( ecdh );
+-	}
+ #endif
++	}
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch
new file mode 100644
index 0000000..5e105e2
--- /dev/null
+++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch
@@ -0,0 +1,219 @@
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8
+Author: Ben Jencks <ben@bjencks.net>
+Date:   Sun Jan 27 18:27:03 2013 -0500
+
+    ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
+    
+    If a DHParamFile or olcDHParamFile is specified, then it will be used,
+    otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
+    larger parameters; previously only 512 or 1024 bit parameters would ever be
+    used.
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 48ce1ceab..c6a3540c9 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
+ static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+ static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
+ 
+-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length );
+-
+-typedef struct dhplist {
+-	struct dhplist *next;
+-	int keylength;
+-	DH *param;
+-} dhplist;
+-
+-static dhplist *tlso_dhparams;
++/* From the OpenSSL 0.9.7 distro */
++static const char tlso_dhpem1024[] =
++"-----BEGIN DH PARAMETERS-----\n\
++MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
++/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
++/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
++-----END DH PARAMETERS-----\n";
+ 
+ static int tlso_seed_PRNG( const char *randfile );
+ 
+@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile );
+  * provide mutexes for the OpenSSL library.
+  */
+ static ldap_pvt_thread_mutex_t	tlso_mutexes[CRYPTO_NUM_LOCKS];
+-static ldap_pvt_thread_mutex_t	tlso_dh_mutex;
+ 
+ static void tlso_locking_cb( int mode, int type, const char *file, int line )
+ {
+@@ -107,7 +104,6 @@ static void tlso_thr_init( void )
+ 	for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) {
+ 		ldap_pvt_thread_mutex_init( &tlso_mutexes[i] );
+ 	}
+-	ldap_pvt_thread_mutex_init( &tlso_dh_mutex );
+ 	CRYPTO_set_locking_callback( tlso_locking_cb );
+ 	CRYPTO_set_id_callback( tlso_thread_self );
+ }
+@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if ( lo->ldo_tls_dhfile ) {
++	if (is_server) {
+ 		DH *dh = NULL;
+ 		BIO *bio;
+-		dhplist *p;
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++		if ( lo->ldo_tls_dhfile ) {
+ 
+-		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++			if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++				Debug( LDAP_DEBUG_ANY,
++					"TLS: could not use DH parameters file `%s'.\n",
++					lo->ldo_tls_dhfile,0,0);
++				tlso_report_error();
++				return -1;
++			}
++		} else {
++			bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
++		}
++		if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+ 			Debug( LDAP_DEBUG_ANY,
+-				"TLS: could not use DH parameters file `%s'.\n",
++				"TLS: could not read DH parameters file `%s'.\n",
+ 				lo->ldo_tls_dhfile,0,0);
+ 			tlso_report_error();
++			BIO_free( bio );
+ 			return -1;
+ 		}
+-		while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+-			p = LDAP_MALLOC( sizeof(dhplist) );
+-			if ( p != NULL ) {
+-				p->keylength = DH_size( dh ) * 8;
+-				p->param = dh;
+-				p->next = tlso_dhparams;
+-				tlso_dhparams = p;
+-			}
+-		}
+ 		BIO_free( bio );
++		SSL_CTX_set_tmp_dh( ctx, dh );
+ 	}
+ 
+ 	if ( tlso_opt_trace ) {
+@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
+ 		tlso_verify_ok : tlso_verify_cb );
+ 	SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
+-	if ( lo->ldo_tls_dhfile ) {
+-		SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb );
+-	}
+ #ifdef HAVE_OPENSSL_CRL
+ 	if ( lo->ldo_tls_crlcheck ) {
+ 		X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
+@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile )
+ 	return 0;
+ }
+ 
+-struct dhinfo {
+-	int keylength;
+-	const char *pem;
+-	size_t size;
+-};
+-
+-
+-/* From the OpenSSL 0.9.7 distro */
+-static const char tlso_dhpem512[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\
+-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem1024[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
+-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
+-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem2048[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\
+-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\
+-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\
+-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\
+-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\
+-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem4096[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\
+-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\
+-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\
+-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\
+-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\
+-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\
+-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\
+-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\
+-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\
+-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\
+-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\
+------END DH PARAMETERS-----\n";
+-
+-static const struct dhinfo tlso_dhpem[] = {
+-	{ 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
+-	{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
+-	{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
+-	{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
+-	{ 0, NULL, 0 }
+-};
+-
+-static DH *
+-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
+-{
+-	struct dhplist *p = NULL;
+-	BIO *b = NULL;
+-	DH *dh = NULL;
+-	int i;
+-
+-	/* Do we have params of this length already? */
+-	LDAP_MUTEX_LOCK( &tlso_dh_mutex );
+-	for ( p = tlso_dhparams; p; p=p->next ) {
+-		if ( p->keylength == key_length ) {
+-			LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
+-			return p->param;
+-		}
+-	}
+-
+-	/* No - check for hardcoded params */
+-
+-	for (i=0; tlso_dhpem[i].keylength; i++) {
+-		if ( tlso_dhpem[i].keylength == key_length ) {
+-			b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size );
+-			break;
+-		}
+-	}
+-
+-	if ( b ) {
+-		dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL );
+-		BIO_free( b );
+-	}
+-
+-	/* Generating on the fly is expensive/slow... */
+-	if ( !dh ) {
+-		dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL );
+-	}
+-	if ( dh ) {
+-		p = LDAP_MALLOC( sizeof(struct dhplist) );
+-		if ( p != NULL ) {
+-			p->keylength = key_length;
+-			p->param = dh;
+-			p->next = tlso_dhparams;
+-			tlso_dhparams = p;
+-		}
+-	}
+-
+-	LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
+-	return dh;
+-}
+ 
+ tls_impl ldap_int_tls_impl = {
+ 	"OpenSSL",
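Review bot: The rewritten tlso_ctx_init reads one parameter set with `PEM_read_bio_DHparams` and installs it with `SSL_CTX_set_tmp_dh`, whereas the removed `tlso_tmp_dh_cb` loaded every set in the file into `tlso_dhparams` and chose one by the requested key length; a DHParamFile holding several groups now uses only the first, without any message. That is a user-visible change the patch description ("This allows the use of larger parameters") does not state, so a sentence such as "only the first parameter set in the file is used" belongs in the patch header or in the slapd.conf(5) text for TLSDHParamFile. Whether any deployed configuration relies on multi-group files cannot be told from here.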
diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch
new file mode 100644
index 0000000..799c6e5
--- /dev/null
+++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch
@@ -0,0 +1,58 @@
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898
+Author: Howard Chu <hyc@openldap.org>
+Date:   Sat Sep 7 06:39:53 2013 -0700
+
+    ITS#7506 fix prev commit
+    
+    The patch unconditionally enabled DHparams, which is a significant
+    change of behavior. Reverting to previous behavior, which only enables
+    DH use if a DHparam file was configured.
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index c6a3540c9..a2d9cd31f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
+ static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+ static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
+ 
+-/* From the OpenSSL 0.9.7 distro */
+-static const char tlso_dhpem1024[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
+-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
+-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+ static int tlso_seed_PRNG( const char *randfile );
+ 
+ #ifdef LDAP_R_COMPILE
+@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if (is_server) {
++	if ( lo->ldo_tls_dhfile ) {
+ 		DH *dh = NULL;
+ 		BIO *bio;
+ 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+-		if ( lo->ldo_tls_dhfile ) {
+ 
+-			if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+-				Debug( LDAP_DEBUG_ANY,
+-					"TLS: could not use DH parameters file `%s'.\n",
+-					lo->ldo_tls_dhfile,0,0);
+-				tlso_report_error();
+-				return -1;
+-			}
+-		} else {
+-			bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
++		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not use DH parameters file `%s'.\n",
++				lo->ldo_tls_dhfile,0,0);
++			tlso_report_error();
++			return -1;
+ 		}
+ 		if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+ 			Debug( LDAP_DEBUG_ANY,
diff --git a/SOURCES/openldap-tlsmc.patch b/SOURCES/openldap-tlsmc.patch
index 405e54f..6d327ec 100644
--- a/SOURCES/openldap-tlsmc.patch
+++ b/SOURCES/openldap-tlsmc.patch
@@ -1,7 +1,7 @@
 MozNSS Interception Code
 
 Author: Matus Honek <mhonek@redhat.com>
-Date: Wed Feb 21 20:04:11 CET 2018
+Date: Thu Jun 21 20:37:25 CEST 2018
 diff --git a/configure.in b/configure.in
 --- a/configure.in
 +++ b/configure.in
@@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
 new file mode 100644
 --- /dev/null
 +++ b/libraries/libldap/tls_mc.c
-@@ -0,0 +1,1346 @@
+@@ -0,0 +1,1369 @@
 +#include "portable.h"
 +
 +#ifdef HAVE_MOZNSS_COMPATIBILITY
@@ -330,16 +330,16 @@ new file mode 100644
 +#define TLSMC_IS_TEMPORARY 2
 +
 +#define DONOTEDIT \
-+	"This file is auto-generated by MOZNSS Compatibility Layer of OpenLDAP software.\n" \
-+	"This layer is not a part of upstream distributed OpenLDAP software.\n" \
-+	"Please, file any related bugs with your GNU/Linux distribution.\n" \
-+	"Do not edit directly. Rather, change your configuration to use OpenSSL-style TLS options, so that this does not need to be generated anymore.\n" \
-+	"Please, refer to man (5) of slapd.conf, slapd-config, and ldap.conf for more information."
++	"This file is auto-generated by the MozNSS Compatibility Layer of OpenLDAP software.\n" \
++	"This layer is not part of the OpenLDAP software distributed in upstream.\n" \
++	"Please file any related bugs with your GNU/Linux distribution.\n" \
++	"Do not edit contents of this directory structure directly. Rather, change your configuration to use the OpenSSL-style TLS options, so that this directory structure does not need to be generated anymore.\n" \
++	"Please refer to the slapd.conf(5), slapd-config(5), and ldap.conf(5) man pages for more information."
 +#define PEM_CERT_HEADER "-----BEGIN CERTIFICATE-----"
 +#define PEM_CERT_FOOTER "-----END CERTIFICATE-----"
 +#define PEM_KEY_HEADER  "-----BEGIN PRIVATE KEY-----"
 +#define PEM_KEY_FOOTER "-----END PRIVATE KEY-----"
-+#define README_HEADER "Contents of this file are hashed and used as a part of a name of the parent directory.\n"
++#define README_HEADER "The contents of this file are hashed and used as part of the name of the parent directory.\n"
 +
 +#ifdef LDAP_R_COMPILE
 +ldap_pvt_thread_mutex_t tlsmc_mutex;
@@ -365,23 +365,33 @@ new file mode 100644
 +	int rv = 0;
 +	int fd = -1;
 +	if ( 0 > ( fd = open( filename, O_WRONLY | O_CREAT | O_EXCL, S_IWUSR ) ) ) {
-+		perror("IO ERROR: could not open file");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_write_file: ERROR: could not open file: `%s': %s.\n",
++		       filename, strerror(errno), 0 );
 +		goto bail;
 +	}
 +	if ( -1 >= write( fd, buf, strlen(buf) ) ) {
-+		perror("IO ERROR: could not write file");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_write_file: ERROR: could not write file: `%s': %s.\n",
++		       filename, strerror(errno), 0 );
 +		goto bail;
 +	}
 +	if ( -1 >= fchmod( fd, final_mode ) ) {
-+		perror("IO ERROR: could not set file mode");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_write_file: ERROR: could not set file mode: `%s': %s.\n",
++		       filename, strerror(errno), 0 );
 +		goto bail;
 +	}
 +	if ( -1 >= fsync( fd ) ) {
-+		perror("IO ERROR: could not fsync the file");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_write_file: ERROR: could not fsync file: `%s': %s.\n",
++		       filename, strerror(errno), 0 );
 +		goto bail;
 +	}
 +	if ( 0 > close( fd ) ) {
-+		perror("IO ERROR: could not close file");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_write_file: ERROR: could not close file: `%s': %s.\n",
++		       filename, strerror(errno), 0 );
 +		fd = -1;
 +		goto bail;
 +	}
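Review bot: The new `Debug( ..., filename, strerror(errno), 0 )` calls in tlsmc_write_file format the result of `strerror`, which may live in a static buffer that another thread's call overwrites between the return and the formatting; this file is built for the reentrant library (it has an `LDAP_R_COMPILE` section), so `strerror_r` into a local buffer is the safer spelling. errno is read immediately after each failing call, which is correct. tlsmc_write_file's signature is outside the hunk.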
@@ -845,7 +855,9 @@ new file mode 100644
 +		goto bail;
 +	}
 +	if ( 0 == strftime(stime, sizeof(stime), "%FT%T", localtime(&attr.st_mtime)) ) {
-+		perror("IO ERROR: could not format mtime");
++		Debug( LDAP_DEBUG_ANY,
++		       "tlsmc_filestamp: ERROR: could not format mtime: %s.\n",
++		       strerror(errno), 0, 0 );
 +		goto bail;
 +	}
 +
@@ -930,9 +942,8 @@ new file mode 100644
 +
 +	if ( 0 != mkdir( dir, S_IRWXU /* u+rwx */ ) ) {
 +		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_prepare_dir: WARN: cound not create the PEM directory.\n",
++		       "tlsmc_prepare_dir: WARN: could not create the PEM directory.\n",
 +		       0, 0, 0 );
-+		perror( "tlsmc_prepare_dir: WARN: cound not create the PEM directory" );
 +		rv = 0;
 +		goto bail;
 +	}
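Review bot: Removing the `perror` line drops the only place the mkdir failure reason was printed, and the surviving Debug message names neither the directory nor errno, unlike the tlsmc_write_file messages this same commit rewrites to include `strerror(errno)`. Keeping the detail in the Debug call, `"tlsmc_prepare_dir: WARN: could not create the PEM directory `%s': %s.\n", dir, strerror(errno), 0`, preserves what the operator previously got on stderr; the same applies to the subdirectory hunk just below (`cacerts_dir`) and to the realpath/symlink messages in tlsmc_extract_cert_key_pair, which also lost their perror. errno must be read before any other library call, as the Debug placement here allows. Both functions begin outside the quoted hunks.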
@@ -943,9 +954,8 @@ new file mode 100644
 +	cacerts_dir = PR_smprintf( "%s/%s", dir, TLSMC_CACERTS_DIR_NAME );
 +	if ( 0 != mkdir( cacerts_dir, S_IRWXU /* u+rwx */ ) ) {
 +		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_prepare_dir: WARN: cound not create the subdirectory.\n",
++		       "tlsmc_prepare_dir: WARN: could not create the subdirectory.\n",
 +		       0, 0, 0 );
-+		perror( "tlsmc_prepare_dir: WARN: cound not create the subdirectory" );
 +		rv = 0;
 +		goto bail;
 +	}
@@ -1236,11 +1246,15 @@ new file mode 100644
 +		       "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n",
 +		       nickname, cert_file_path, 0 );
 +		if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) {
-+			perror( "Could not get the realpath" );
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not get realpath of certificate file `%s'.\n",
++			       nickname, 0, 0 );
 +			goto bail;
 +		}
 +		if ( -1 == symlink( file_realpath, cert_file_path ) ) {
-+			perror( "Could not create a symlink" );
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n",
++			       file_realpath, cert_file_path, 0 );
 +			goto bail;
 +		}
 +		if ( file_realpath ) free( file_realpath );
@@ -1249,11 +1263,15 @@ new file mode 100644
 +		       "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n",
 +		       pin_filename, key_file_path, 0 );
 +		if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) {
-+			perror( "Could not get the realpath" );
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not get realpath of PK file `%s'.\n",
++			       pin_filename, 0, 0 );
 +			goto bail;
 +		}
 +		if ( -1 == symlink( file_realpath, key_file_path ) ) {
-+			perror( "Could not create a symlink" );
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n",
++			       file_realpath, key_file_path, 0 );
 +			goto bail;
 +		}
 +	}
@@ -1525,6 +1543,7 @@ new file mode 100644
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted cacerts dir is not present.\n",
 +		       0, 0, 0 );
++		if ( *ld_cacertdir ) PR_smprintf_free( *ld_cacertdir );
 +		*ld_cacertdir = NULL;
 +	}
 +
@@ -1536,6 +1555,7 @@ new file mode 100644
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted cert file is not present.\n",
 +		       0, 0, 0 );
++		if ( *ld_cert ) PR_smprintf_free( *ld_cert );
 +		*ld_cert = NULL;
 +	}
 +
@@ -1547,13 +1567,16 @@ new file mode 100644
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted key file is not present.\n",
 +		       0, 0, 0 );
++		if ( *ld_key ) PR_smprintf_free( *ld_key );
 +		*ld_key = NULL;
 +	}
 +
 +	rv = 1;
 +
 +bail:
++	if ( checksum ) free( checksum );
 +	if ( pem_dir ) PR_smprintf_free( pem_dir );
++	if ( readme_path ) PR_smprintf_free( readme_path );
 +	if ( data ) free( data );
 +	if ( nssdb_prefix ) free( nssdb_prefix );
 +	if ( nssdb_dir_path ) free( nssdb_dir_path );
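Review bot: The three new `if ( *ld_x ) PR_smprintf_free( *ld_x );` lines in tlsmc_convert pair the out-parameters with the NSPR allocator, while `checksum` is released with `free`; the producers of `*ld_cacertdir`, `*ld_cert`, `*ld_key` and `checksum` are not in these hunks, so the allocator pairing should be confirmed against them, since a mismatch here is a heap corruption rather than a leak. `free(NULL)` is a defined no-op, so the guard on `if ( checksum ) free( checksum );` is only kept for symmetry with the PR_smprintf_free lines. tlsmc_convert's head is outside the hunk.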
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 85abac9..9252ea6 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.44
-Release: 15%{?dist}
+Release: 20%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -53,6 +53,13 @@ Patch25: openldap-man-ldap-conf.patch
 Patch35: openldap-ITS8428-init-sc_writewait.patch
 Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
 Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
+Patch38: openldap-ITS8720-back-ldap-starttls-timeout.patch
+
+# fixes for DH and ECDH
+Patch50: openldap-openssl-its7506-fix-DH-params-1.patch
+Patch51: openldap-openssl-its7506-fix-DH-params-2.patch
+Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -175,6 +182,11 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
 
 %patch102 -p1
 
@@ -217,7 +229,7 @@ popd
 export LDFLAGS="-pie"
 # avoid stray dependencies (linker flag --as-needed)
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS"
+export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
 
 pushd openldap-%{version}
 %configure \
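Review bot: The new `-DLDAP_USE_NON_BLOCKING_TLS` is appended to a CFLAGS line whose two preceding comments describe only the linker flags and LDAP_CONNECTIONLESS, so the reason for the define is not recorded next to it; a third comment line, `# enable non-blocking TLS handshake handling (LDAP_USE_NON_BLOCKING_TLS), see #1471039`, keeps the build options self-explaining. Whether the 2.4.44 sources honour the define without further patches is not visible here.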
@@ -660,11 +672,26 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
-* Tue Apr  3 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-15
-- Bump release to version 2.4.44-15
+* Tue Aug 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-20
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1584922)
+
+* Tue Aug 14 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-19
+- Backport upstream fixes for ITS 7506 - fix OpenSSL DH params usage (#1584922)
+
+* Thu Jun 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-18
+- MozNSS Compat. Layer: Make log messages more clear (#1543955)
+- Build with LDAP_USE_NON_BLOCKING_TLS (#1471039)
+
+* Thu Jun 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-17
+- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1575549)
+- Reset OPTIND in libexec/functions for getopts to work in subsequent calls (#1564382)
+- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1543451)
+
+* Wed Apr  4 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-16
+- fix: back-ldap StartTLS short connection timeout with high latency connections (#1540336)
 
 * Thu Mar 29 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-14
-- MozNSS Compat. Layer: Enforce fail when cannot extract CA certs (#1563080)
+- MozNSS Compat. Layer: Enforce fail when cannot extract CA certs (#1547922)
 
 * Wed Jan 31 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-13
 - MozNSS Compat. Layer: fix recursive directory deletion (#1516409)