From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 6 Feb 2018 19:49:22 +0100
Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
 default as openldap is moving to openssl
Bug Description:
	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
	need to specify path to PEM files.
	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
	The default value is 'off', which prevents secure outgoing connections.
Fix Description:
	Enable nsslapd-extract-pemfiles by default
	Then when establishing an outgoing connection, if it is not using NSS crypto layer
	and the pem files have been extracted then use the PEM files
https://pagure.io/389-ds-base/issue/49560
Reviewed by: mreynolds & mhonek
Platforms tested: RHEL 7.5
Flag Day: no
Doc impact: no
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
---
 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
 ldap/servers/slapd/libglobs.c |  2 +-
 ldap/servers/slapd/ssl.c      |  2 +-
 3 files changed, 18 insertions(+), 18 deletions(-)
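diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 2fc2f0615..fcf22e632 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
     }
-    if (slapi_client_uses_non_nss(ld)) {
+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
         cacert = slapi_get_cacertfile();
         if (cacert) {
             /* CA Cert PEM file exists.  Set the path to openldap option. */
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
                               cacert, rc, ldap_err2string(rc));
             }
         }
-        if (slapi_client_uses_openssl(ld)) {
-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-            if (tls_check_state == TLS_CHECK_PEER) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-            } else if (tls_check_state == TLS_CHECK_ALL) {
-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-            }
-            /* Sets the CRL evaluation strategy. */
-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
-            if (rc) {
-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
-                              "Could not set CRLCHECK [%d]: %d:%s\n",
-                              crlcheck, rc, ldap_err2string(rc));
-            }
+    }
+    if (slapi_client_uses_openssl(ld)) {
+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();
+        if (tls_check_state == TLS_CHECK_PEER) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
+        } else if (tls_check_state == TLS_CHECK_ALL) {
+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+        }
+        /* Sets the CRL evaluation strategy. */
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
+        if (rc) {
+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
+                    "Could not set CRLCHECK [%d]: %d:%s\n",
+                    crlcheck, rc, ldap_err2string(rc));
         }
     }
     /* tell it where our cert db/file is */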
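Review bot: With the new guard on the `if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {` line, a client on a non-NSS crypto layer whose nsslapd-extract-pemfiles is off now skips the CA file setup with no diagnostic, so the REQUIRE_CERT strength configured just above is left without a trust anchor and the eventual handshake failure will not say which setting caused it. I would log it where the decision is made, by adding after that block's closing brace `} else if (slapi_client_uses_non_nss(ld)) {` / `slapi_log_err(SLAPI_LOG_WARNING, "setup_ol_tls_conn", "nsslapd-extract-pemfiles is off; no CA PEM file set for outgoing TLS\n");` / `}`; the guard added in ssl.c's slapd_SSL_client_auth has the same gap, there leaving the client cert and key silently unset. The double space before `&&` in both new conditions reads as a typo, since the surrounding code uses a single space. The continuation lines of the moved slapi_log_err call (`"Could not set CRLCHECK ...` and `crlcheck, rc, ...`) are now indented short of the call's opening parenthesis, unlike the call at the top of the first hunk. setup_ol_tls_conn continues outside both hunks.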
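diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index eb6552af1..3bd5c1826 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
 #endif
 
-    init_extract_pem = cfg->extract_pem = LDAP_OFF;
+    init_extract_pem = cfg->extract_pem = LDAP_ON;
 
     /* Done, unlock!  */
     CFG_UNLOCK_WRITE(cfg);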
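Review bot: The switch of `init_extract_pem` to `LDAP_ON` on the only changed line has no comment, so a later reader of FrontendConfig_init cannot tell it is deliberate; the reason lives only in the commit message. I would add above the assignment `/* Default on: an OpenLDAP client library built on OpenSSL needs PEM files for outgoing TLS (ticket 49560) */`. Because the new default makes any instance that never set nsslapd-extract-pemfiles start writing key and cert material from the NSS db to PEM files, the comment could also point to where the file permissions for those files are enforced, if that lives outside this function. FrontendConfig_init starts outside the hunk.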
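diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 52ac7ea9f..36b09fd16 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
                            errorCode, slapd_pr_strerror(errorCode));
         } else {
 #if defined(USE_OPENLDAP)
-            if (slapi_client_uses_non_nss(ld)) {
+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {
                 char *certdir = config_get_certdir();
                 char *keyfile = NULL;
                 char *certfile = NULL;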
-- 
2.13.6