From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 6 Feb 2018 19:49:22 +0100
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
default as openldap is moving to openssl
Bug Description:
Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
need to specify path to PEM files.
Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
The default value is 'off', which prevents secure (TLS) outgoing connections.
Fix Description:
Enable nsslapd-extract-pemfiles by default
Then when establishing an outgoing connection, if it is not using NSS crypto layer
and the pem files have been extracted then use the PEM files
https://pagure.io/389-ds-base/issue/49560
Reviewed by: mreynolds & mhonek
Platforms tested: RHEL 7.5
Flag Day: no
Doc impact: no
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
---
ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
ldap/servers/slapd/libglobs.c | 2 +-
ldap/servers/slapd/ssl.c | 2 +-
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
|
|
|
b045b9 |
index 2fc2f0615..fcf22e632 100644
|
|
|
b045b9 |
--- a/ldap/servers/slapd/ldaputil.c
|
|
|
b045b9 |
+++ b/ldap/servers/slapd/ldaputil.c
|
|
|
b045b9 |
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
|
|
|
b045b9 |
slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
|
|
|
b045b9 |
"failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
|
|
|
b045b9 |
}
|
|
|
b045b9 |
- if (slapi_client_uses_non_nss(ld)) {
|
|
|
b045b9 |
+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
|
|
|
b045b9 |
cacert = slapi_get_cacertfile();
|
|
|
b045b9 |
if (cacert) {
|
|
|
b045b9 |
/* CA Cert PEM file exists. Set the path to openldap option. */
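Review bot: The new `&& config_get_extract_pem()` guard skips the whole CA-file setup silently when nsslapd-extract-pemfiles is off but the client library is not NSS, so LDAP_OPT_X_TLS_CACERTFILE is never set and the problem only surfaces later as an opaque handshake failure (or, if ssl_strength was configured permissively in the REQUIRE_CERT call just above, as a connection whose peer is never verified). An `else if (slapi_client_uses_non_nss(ld))` branch should say why nothing was set so operators can tie the failure to the config flag, e.g. `slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", "nsslapd-extract-pemfiles is off: no CA cert file set for non-NSS client TLS\n");`. setup_ol_tls_conn begins before this hunk and its body continues past it.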
|
|
|
b045b9 |
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
|
|
|
b045b9 |
cacert, rc, ldap_err2string(rc));
|
|
|
b045b9 |
}
|
|
|
b045b9 |
}
|
|
|
b045b9 |
- if (slapi_client_uses_openssl(ld)) {
|
|
|
b045b9 |
- int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
|
|
|
b045b9 |
- tls_check_crl_t tls_check_state = config_get_tls_check_crl();
|
|
|
b045b9 |
- if (tls_check_state == TLS_CHECK_PEER) {
|
|
|
b045b9 |
- crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
|
|
|
b045b9 |
- } else if (tls_check_state == TLS_CHECK_ALL) {
|
|
|
b045b9 |
- crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
|
|
|
b045b9 |
- }
|
|
|
b045b9 |
- /* Sets the CRL evaluation strategy. */
|
|
|
b045b9 |
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
|
|
|
b045b9 |
- if (rc) {
|
|
|
b045b9 |
- slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
|
|
|
b045b9 |
- "Could not set CRLCHECK [%d]: %d:%s\n",
|
|
|
b045b9 |
- crlcheck, rc, ldap_err2string(rc));
|
|
|
b045b9 |
- }
|
|
|
b045b9 |
+ }
|
|
|
b045b9 |
+ if (slapi_client_uses_openssl(ld)) {
|
|
|
b045b9 |
+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
|
|
|
b045b9 |
+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
|
|
|
b045b9 |
+ if (tls_check_state == TLS_CHECK_PEER) {
|
|
|
b045b9 |
+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
|
|
|
b045b9 |
+ } else if (tls_check_state == TLS_CHECK_ALL) {
|
|
|
b045b9 |
+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
|
|
|
b045b9 |
+ }
|
|
|
b045b9 |
+ /* Sets the CRL evaluation strategy. */
|
|
|
b045b9 |
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
|
|
|
b045b9 |
+ if (rc) {
|
|
|
b045b9 |
+ slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
|
|
|
b045b9 |
+ "Could not set CRLCHECK [%d]: %d:%s\n",
|
|
|
b045b9 |
+ crlcheck, rc, ldap_err2string(rc));
|
|
|
b045b9 |
}
|
|
|
b045b9 |
}
|
|
|
b045b9 |
/* tell it where our cert db/file is */
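Review bot: In the re-indented block a failure of `ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck)` is only logged and the function carries on, so when nsslapd-tls-check-crl is peer or all the outgoing connection proceeds without the revocation check the administrator asked for, which is a silent downgrade of a security control. The `if (rc)` branch should fail closed whenever a check was actually requested, e.g. `if (rc && crlcheck != LDAP_OPT_X_TLS_CRL_NONE) { slapi_log_err(...); return rc; }` — assuming setup_ol_tls_conn reports errors through its return value, which is not visible here. Moving the CRL block out of the `slapi_client_uses_non_nss` branch also makes it run whether or not a CA file was set; that looks intentional but deserves a one-line comment such as `/* CRL policy applies to any OpenSSL-backed client, independent of nsslapd-extract-pemfiles. */`. setup_ol_tls_conn starts before this hunk and ends after it.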
|
|
|
b045b9 |
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
|
|
|
b045b9 |
index eb6552af1..3bd5c1826 100644
|
|
|
b045b9 |
--- a/ldap/servers/slapd/libglobs.c
|
|
|
b045b9 |
+++ b/ldap/servers/slapd/libglobs.c
|
|
|
b045b9 |
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
|
|
|
b045b9 |
init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
|
|
|
b045b9 |
#endif
|
|
|
b045b9 |
|
|
|
b045b9 |
- init_extract_pem = cfg->extract_pem = LDAP_OFF;
|
|
|
b045b9 |
+ init_extract_pem = cfg->extract_pem = LDAP_ON;
|
|
|
b045b9 |
|
|
|
b045b9 |
/* Done, unlock! */
|
|
|
b045b9 |
CFG_UNLOCK_WRITE(cfg);
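Review bot: Flipping `init_extract_pem = cfg->extract_pem = LDAP_ON` changes a shipped security default with no comment: according to the commit message every server now writes PEM copies of its TLS certificate and private key out of the NSS database at startup, a second on-disk copy of key material that previously existed only on explicit opt-in. A comment here should record the reason and the implication, e.g. `/* On by default (ticket 49560): OpenLDAP built on OpenSSL needs PEM copies of the NSS cert/key for outbound TLS; the extracted key file must be protected like the NSS db itself. */`. Whether the extraction path restricts the PEM key file's permissions is not visible in this patch and should be confirmed before this default ships. FrontendConfig_init starts before this hunk and ends after it.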
|
|
|
b045b9 |
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
|
|
|
b045b9 |
index 52ac7ea9f..36b09fd16 100644
|
|
|
b045b9 |
--- a/ldap/servers/slapd/ssl.c
|
|
|
b045b9 |
+++ b/ldap/servers/slapd/ssl.c
|
|
|
b045b9 |
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
|
|
|
b045b9 |
errorCode, slapd_pr_strerror(errorCode));
|
|
|
b045b9 |
} else {
|
|
|
b045b9 |
#if defined(USE_OPENLDAP)
|
|
|
b045b9 |
- if (slapi_client_uses_non_nss(ld)) {
|
|
|
b045b9 |
+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
|
|
|
b045b9 |
char *certdir = config_get_certdir();
|
|
|
b045b9 |
char *keyfile = NULL;
|
|
|
b045b9 |
char *certfile = NULL;
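Review bot: The condition `slapi_client_uses_non_nss(ld) && config_get_extract_pem()` is now duplicated verbatim between slapd_SSL_client_auth here and setup_ol_tls_conn in ldaputil.c, and the two together decide whether an outbound connection gets a CA file and a client cert/key, so if one is later changed and the other is not, a connection can end up with a trust anchor but no client certificate or the reverse. Factor it into a single helper, e.g. `static inline int slapi_client_needs_pem(LDAP *ld) { return slapi_client_uses_non_nss(ld) && config_get_extract_pem(); }` in a header both files already include, and call it from both sites. When the guard is false nothing is logged here either, so a client-auth bind would fail downstream with no hint that nsslapd-extract-pemfiles is off; an `else { slapi_log_err(SLAPI_LOG_ERR, "slapd_SSL_client_auth", "nsslapd-extract-pemfiles is off: client cert/key not set for non-NSS TLS\n"); }` branch would make that visible. slapd_SSL_client_auth starts before this hunk and continues after it.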
|
|
|
b045b9 |
--
|
|
|
b045b9 |
2.13.6
|
|
|
b045b9 |
|