Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1541108
Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL), the way that CRL checking is handled behaves differently. In short, it appears that if CRL checking is enabled (which 389-ds-base hardcodes), TLS will not be established if a CRL is not available. With NSS, this was more tolerant and TLS would be established. This is manifesting as a regression in IPA for replication connections as detailed here: https://bugzilla.redhat.com/show_bug.cgi?id=1486225#c23 I believe that we should allow the LDAP_OPT_X_TLS_CRLCHECK option that we pass into the OpenLDAP libraries to be configurable for outgoing LDAP connections, as the new behavior is not very tolerant and has the potential to break some deployments.
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1541108
<img alt="0001-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch" src="/389-ds-base/issue/raw/files/ba054169314bb68d0f63783c7c431835dfd60b36325f1bb34577e21ec6ee69cf-0001-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch" />
Metadata Update from @mreynolds: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to review - Custom field type adjusted to None - Custom field version adjusted to None
there is also LDAP_OPT_X_TLS_CRL_PEER if we want to make it configurable, shouldn't we then support all options ?
Yes, I think that we should also support the "peer" setting.
It should be named "tls-check-crl" not "ssl-check-crl".
I'm going to rework this patch with @ftweedal at the moment.
<img alt="0001-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch" src="/389-ds-base/issue/raw/files/7ae09fabed46558ae8ac44e1dc2beac8de234556500a399f04b0af72a0d6cbbc-0001-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch" />
the patch looks good, but I have two questions regarding a difference between your and Mark's patch:
+ CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl, + "none" /* Allow reset to this value */}
vs
+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_ssl_check_crl, + NULL /* deletion is not allowed */} };
and
init_ssl_check_crl = cfg->ssl_check_crl = LDAP_OFF;
cfg->tls_check_crl = TLS_CHECK_NONE;
the init_ setting is missing
It's what it says in the comment: when you do a modify on the cn=config and delete the nsslapd-tls-check-crl attribute it resets to "none". This is tested in the test case.
The init_ssl_check_crl value is only needed in the slapi_on_off type use case, and if you look at the original patch, the value was never used, so it serves no purpose, thus it's removal.
The patch looks good to me. It was also tested using https://bugzilla.redhat.com/show_bug.cgi?id=1541108#c5. ACK
Metadata Update from @tbordaz: - Custom field reviewstatus adjusted to ack (was: review)
To ssh://pagure.io/389-ds-base.git 66ecdf9..ca8f1fd master -> master To ssh://pagure.io/389-ds-base.git 35f5ccd..806de71 389-ds-base-1.3.7 -> 389-ds-base-1.3.7
Metadata Update from @tbordaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2616
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)
Login to comment on this ticket.