From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz <tbordaz@redhat.com>

Date: Tue, 6 Feb 2018 19:49:22 +0100

Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by

 default as openldap is moving to openssl

Bug Description:

	Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),

	the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,

	need to specify path to PEM files.

	Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx

	Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.

	The default value is 'off', that prevent secure outgoing connection.

Fix Description:

	Enable nsslapd-extract-pemfiles by default

	Then when establishing an outgoing connection, if it is not using NSS crypto layer

	and the pem files have been extracted then use the PEM files

https://pagure.io/389-ds-base/issue/49560

Reviewed by: mreynolds & mhonek

Platforms tested: RHEL 7.5

Flag Day: no

Doc impact: no

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>

(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)

---

 ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------

 ldap/servers/slapd/libglobs.c |  2 +-

 ldap/servers/slapd/ssl.c      |  2 +-

 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c

index 2fc2f0615..fcf22e632 100644

--- a/ldap/servers/slapd/ldaputil.c

+++ b/ldap/servers/slapd/ldaputil.c

@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)

         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",

                       "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);

     }

-    if (slapi_client_uses_non_nss(ld)) {

+    if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {

         cacert = slapi_get_cacertfile();

         if (cacert) {

             /* CA Cert PEM file exists.  Set the path to openldap option. */

@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)

                               cacert, rc, ldap_err2string(rc));

             }

         }

-        if (slapi_client_uses_openssl(ld)) {

-            int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;

-            tls_check_crl_t tls_check_state = config_get_tls_check_crl();

-            if (tls_check_state == TLS_CHECK_PEER) {

-                crlcheck = LDAP_OPT_X_TLS_CRL_PEER;

-            } else if (tls_check_state == TLS_CHECK_ALL) {

-                crlcheck = LDAP_OPT_X_TLS_CRL_ALL;

-            }

-            /* Sets the CRL evaluation strategy. */

-            rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);

-            if (rc) {

-                slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",

-                              "Could not set CRLCHECK [%d]: %d:%s\n",

-                              crlcheck, rc, ldap_err2string(rc));

-            }

+    }

+    if (slapi_client_uses_openssl(ld)) {

+        int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;

+        tls_check_crl_t tls_check_state = config_get_tls_check_crl();

+        if (tls_check_state == TLS_CHECK_PEER) {

+            crlcheck = LDAP_OPT_X_TLS_CRL_PEER;

+        } else if (tls_check_state == TLS_CHECK_ALL) {

+            crlcheck = LDAP_OPT_X_TLS_CRL_ALL;

+        }

+        /* Sets the CRL evaluation strategy. */

+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);

+        if (rc) {

+            slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",

+                    "Could not set CRLCHECK [%d]: %d:%s\n",

+                    crlcheck, rc, ldap_err2string(rc));

         }

     }

     /* tell it where our cert db/file is */

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c

index eb6552af1..3bd5c1826 100644

--- a/ldap/servers/slapd/libglobs.c

+++ b/ldap/servers/slapd/libglobs.c

@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)

     init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;

 #endif

-    init_extract_pem = cfg->extract_pem = LDAP_OFF;

+    init_extract_pem = cfg->extract_pem = LDAP_ON;

     /* Done, unlock!  */

     CFG_UNLOCK_WRITE(cfg);

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c

index 52ac7ea9f..36b09fd16 100644

--- a/ldap/servers/slapd/ssl.c

+++ b/ldap/servers/slapd/ssl.c

@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)

                            errorCode, slapd_pr_strerror(errorCode));

         } else {

 #if defined(USE_OPENLDAP)

-            if (slapi_client_uses_non_nss(ld)) {

+            if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {

                 char *certdir = config_get_certdir();

                 char *keyfile = NULL;

                 char *certfile = NULL;

-- 

2.13.6