
From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 6 Feb 2018 19:49:22 +0100
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
 default as openldap is moving to openssl
Bug Description:
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
	need to specify path to PEM files.
	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
	The default value is 'off', which prevents secure outgoing connections.
Fix Description:
	Enable nsslapd-extract-pemfiles by default
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
	and the pem files have been extracted then use the PEM files
https://pagure.io/389-ds-base/issue/49560
Reviewed by: mreynolds & mhonek
Platforms tested: RHEL 7.5
Flag Day: no
Doc impact: no
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
---
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
 ldap/servers/slapd/libglobs.c |  2 +-
 ldap/servers/slapd/ssl.c      |  2 +-
 3 files changed, 18 insertions(+), 18 deletions(-)
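diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 2fc2f0615..fcf22e632 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
     }
-    if (slapi_client_uses_non_nss(ld)) {
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
         cacert = slapi_get_cacertfile();
         if (cacert) {
             /* CA Cert PEM file exists.  Set the path to openldap option. */
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
                               cacert, rc, ldap_err2string(rc));
             }
         }
-        if (slapi_client_uses_openssl(ld)) {
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-            if (tls_check_state == TLS_CHECK_PEER) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-            } else if (tls_check_state == TLS_CHECK_ALL) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-            }
-            /* Sets the CRL evaluation strategy. */
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
-            if (rc) {
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
-                              crlcheck, rc, ldap_err2string(rc));
-            }
+    }
+    if (slapi_client_uses_openssl(ld)) {
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
+        if (tls_check_state == TLS_CHECK_PEER) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
+        } else if (tls_check_state == TLS_CHECK_ALL) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+        }
+        /* Sets the CRL evaluation strategy. */
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
+        if (rc) {
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
+                    crlcheck, rc, ldap_err2string(rc));
         }
     }
     /* tell it where our cert db/file is */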
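Review bot: When slapi_client_uses_non_nss(ld) is true but nsslapd-extract-pemfiles is off, the new guard `if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem())` skips the CA-cert setup silently, so an outgoing TLS connection presumably goes ahead with no CA path configured and the only evidence is a later handshake failure. An else branch logging the skip, e.g. `slapi_log_err(SLAPI_LOG_WARNING, "setup_ol_tls_conn", "nsslapd-extract-pemfiles is off, PEM CA/cert paths not set for non-NSS client\n");`, would make that misconfiguration visible; the matching guard in slapd_SSL_client_auth in ssl.c has the same gap. The double space before `&&` in both guards should be a single space. Moving the CRLCHECK block out of the PEM guard looks right, since it does not depend on the extracted files, but the continuation lines of its slapi_log_err call are now indented differently from the call at the top of the hunk. setup_ol_tls_conn starts and ends outside the hunk.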
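diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index eb6552af1..3bd5c1826 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
 #endif
 
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
 
     /* Done, unlock!  */
     CFG_UNLOCK_WRITE(cfg);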
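Review bot: The new default `LDAP_ON` makes extraction of the NSS key and certificates into PEM files the behaviour of every fresh instance, and the hunk carries no comment saying why; a one-line comment above it, `/* on by default: openldap built on OpenSSL needs PEM paths for outgoing TLS (ticket 49560) */`, would stop the next maintainer from "fixing" it back to off. Because the extracted key PEM will now exist by default, it is worth confirming that the extraction code (not in this hunk) writes that file with owner-only permissions. FrontendConfig_init starts outside the hunk.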
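diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 52ac7ea9f..36b09fd16 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
                            errorCode, slapd_pr_strerror(errorCode));
         } else {
 #if defined(USE_OPENLDAP)
-            if (slapi_client_uses_non_nss(ld)) {
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
                 char *certdir = config_get_certdir();
                 char *keyfile = NULL;
                 char *certfile = NULL;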
-- 
2.13.6