Blame SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch

96373c
From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
96373c
From: Thierry Bordaz <tbordaz@redhat.com>
96373c
Date: Tue, 6 Feb 2018 19:49:22 +0100
96373c
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
96373c
 default as openldap is moving to openssl
96373c
96373c
Bug Description:
96373c
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
96373c
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
96373c
	need to specify path to PEM files.
96373c
96373c
	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
96373c
96373c
	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
96373c
96373c
	The default value is 'off', that prevent secure outgoing connection.
96373c
96373c
Fix Description:
96373c
96373c
	Enable nsslapd-extract-pemfiles by default
96373c
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
96373c
	and the pem files have been extracted then use the PEM files
96373c
96373c
https://pagure.io/389-ds-base/issue/49560
96373c
96373c
Reviewed by: mreynolds & mhonek
96373c
96373c
Platforms tested: RHEL 7.5
96373c
96373c
Flag Day: no
96373c
96373c
Doc impact: no
96373c
96373c
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
96373c
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
96373c
---
96373c
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
96373c
 ldap/servers/slapd/libglobs.c |  2 +-
96373c
 ldap/servers/slapd/ssl.c      |  2 +-
96373c
 3 files changed, 18 insertions(+), 18 deletions(-)
96373c
96373c
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
96373c
index 2fc2f0615..fcf22e632 100644
96373c
--- a/ldap/servers/slapd/ldaputil.c
96373c
+++ b/ldap/servers/slapd/ldaputil.c
96373c
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
96373c
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
96373c
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
96373c
     }
96373c
-    if (slapi_client_uses_non_nss(ld)) {
96373c
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
96373c
         cacert = slapi_get_cacertfile();
96373c
         if (cacert) {
96373c
             /* CA Cert PEM file exists.  Set the path to openldap option. */
96373c
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
96373c
                               cacert, rc, ldap_err2string(rc));
96373c
             }
96373c
         }
96373c
-        if (slapi_client_uses_openssl(ld)) {
96373c
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
96373c
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
96373c
-            if (tls_check_state == TLS_CHECK_PEER) {
96373c
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
96373c
-            } else if (tls_check_state == TLS_CHECK_ALL) {
96373c
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
96373c
-            }
96373c
-            /* Sets the CRL evaluation strategy. */
96373c
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
96373c
-            if (rc) {
96373c
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
96373c
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
96373c
-                              crlcheck, rc, ldap_err2string(rc));
96373c
-            }
96373c
+    }
96373c
+    if (slapi_client_uses_openssl(ld)) {
96373c
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
96373c
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
96373c
+        if (tls_check_state == TLS_CHECK_PEER) {
96373c
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
96373c
+        } else if (tls_check_state == TLS_CHECK_ALL) {
96373c
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
96373c
+        }
96373c
+        /* Sets the CRL evaluation strategy. */
96373c
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
96373c
+        if (rc) {
96373c
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
96373c
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
96373c
+                    crlcheck, rc, ldap_err2string(rc));
96373c
         }
96373c
     }
96373c
     /* tell it where our cert db/file is */
96373c
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
96373c
index eb6552af1..3bd5c1826 100644
96373c
--- a/ldap/servers/slapd/libglobs.c
96373c
+++ b/ldap/servers/slapd/libglobs.c
96373c
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
96373c
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
96373c
 #endif
96373c
 
96373c
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
96373c
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
96373c
 
96373c
     /* Done, unlock!  */
96373c
     CFG_UNLOCK_WRITE(cfg);
96373c
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
96373c
index 52ac7ea9f..36b09fd16 100644
96373c
--- a/ldap/servers/slapd/ssl.c
96373c
+++ b/ldap/servers/slapd/ssl.c
96373c
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
96373c
                            errorCode, slapd_pr_strerror(errorCode));
96373c
         } else {
96373c
 #if defined(USE_OPENLDAP)
96373c
-            if (slapi_client_uses_non_nss(ld)) {
96373c
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
96373c
                 char *certdir = config_get_certdir();
96373c
                 char *keyfile = NULL;
96373c
                 char *certfile = NULL;
96373c
-- 
96373c
2.13.6
96373c