Blame SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch

081b2d
From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
081b2d
From: Thierry Bordaz <tbordaz@redhat.com>
081b2d
Date: Tue, 6 Feb 2018 19:49:22 +0100
081b2d
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
081b2d
 default as openldap is moving to openssl
081b2d
081b2d
Bug Description:
081b2d
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
081b2d
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
081b2d
	need to specify path to PEM files.
081b2d
081b2d
	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
081b2d
081b2d
	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
081b2d
081b2d
	The default value is 'off', that prevent secure outgoing connection.
081b2d
081b2d
Fix Description:
081b2d
081b2d
	Enable nsslapd-extract-pemfiles by default
081b2d
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
081b2d
	and the pem files have been extracted then use the PEM files
081b2d
081b2d
https://pagure.io/389-ds-base/issue/49560
081b2d
081b2d
Reviewed by: mreynolds & mhonek
081b2d
081b2d
Platforms tested: RHEL 7.5
081b2d
081b2d
Flag Day: no
081b2d
081b2d
Doc impact: no
081b2d
081b2d
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
081b2d
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
081b2d
---
081b2d
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
081b2d
 ldap/servers/slapd/libglobs.c |  2 +-
081b2d
 ldap/servers/slapd/ssl.c      |  2 +-
081b2d
 3 files changed, 18 insertions(+), 18 deletions(-)
081b2d
081b2d
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
081b2d
index 2fc2f0615..fcf22e632 100644
081b2d
--- a/ldap/servers/slapd/ldaputil.c
081b2d
+++ b/ldap/servers/slapd/ldaputil.c
081b2d
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
081b2d
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
081b2d
     }
081b2d
-    if (slapi_client_uses_non_nss(ld)) {
081b2d
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
081b2d
         cacert = slapi_get_cacertfile();
081b2d
         if (cacert) {
081b2d
             /* CA Cert PEM file exists.  Set the path to openldap option. */
081b2d
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
081b2d
                               cacert, rc, ldap_err2string(rc));
081b2d
             }
081b2d
         }
081b2d
-        if (slapi_client_uses_openssl(ld)) {
081b2d
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
081b2d
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
081b2d
-            if (tls_check_state == TLS_CHECK_PEER) {
081b2d
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
081b2d
-            } else if (tls_check_state == TLS_CHECK_ALL) {
081b2d
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
081b2d
-            }
081b2d
-            /* Sets the CRL evaluation strategy. */
081b2d
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
081b2d
-            if (rc) {
081b2d
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
081b2d
-                              crlcheck, rc, ldap_err2string(rc));
081b2d
-            }
081b2d
+    }
081b2d
+    if (slapi_client_uses_openssl(ld)) {
081b2d
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
081b2d
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
081b2d
+        if (tls_check_state == TLS_CHECK_PEER) {
081b2d
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
081b2d
+        } else if (tls_check_state == TLS_CHECK_ALL) {
081b2d
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
081b2d
+        }
081b2d
+        /* Sets the CRL evaluation strategy. */
081b2d
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
081b2d
+        if (rc) {
081b2d
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
081b2d
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
081b2d
+                    crlcheck, rc, ldap_err2string(rc));
081b2d
         }
081b2d
     }
081b2d
     /* tell it where our cert db/file is */
081b2d
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
081b2d
index eb6552af1..3bd5c1826 100644
081b2d
--- a/ldap/servers/slapd/libglobs.c
081b2d
+++ b/ldap/servers/slapd/libglobs.c
081b2d
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
081b2d
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
081b2d
 #endif
081b2d
 
081b2d
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
081b2d
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
081b2d
 
081b2d
     /* Done, unlock!  */
081b2d
     CFG_UNLOCK_WRITE(cfg);
081b2d
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
081b2d
index 52ac7ea9f..36b09fd16 100644
081b2d
--- a/ldap/servers/slapd/ssl.c
081b2d
+++ b/ldap/servers/slapd/ssl.c
081b2d
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
081b2d
                            errorCode, slapd_pr_strerror(errorCode));
081b2d
         } else {
081b2d
 #if defined(USE_OPENLDAP)
081b2d
-            if (slapi_client_uses_non_nss(ld)) {
081b2d
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
081b2d
                 char *certdir = config_get_certdir();
081b2d
                 char *keyfile = NULL;
081b2d
                 char *certfile = NULL;
081b2d
-- 
081b2d
2.13.6
081b2d