Since 1.3.5, because of openldap, certs and private key are extracted, in pem format, from NSS database and stored under 'nsslapd-certdir' directory.
Private key is a sensitive data. This ticket is to extract them into a private namespace.
Since 1.3.5
It exists Server-Cert.pem, Server-Cert-Key and others under /etc/dirsrv/slapd-<servid>
Should rather be located into a private namespace
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1638875 - Issue assigned to tbordaz - Issue set to the milestone: 1.4.3
PR https://pagure.io/389-ds-base/pull-request/50890
ea4fa54..60ae321 master (1.4.3)
Metadata Update from @tbordaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
There is a bug here that will probably cause a crash:
./389-ds-base/ldap/servers/slapd/ldaputil.c: In function ‘setup_ol_tls_conn’: ../389-ds-base/ldap/servers/slapd/ldaputil.c:523:20: warning: implicit declaration of function ‘check_private_certdir’ [-Wimplicit-function-declaration] 523 | if ((certdir = check_private_certdir()) == NULL) { | ^ ../389-ds-base/ldap/servers/slapd/ldaputil.c:523:18: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion] 523 | if ((certdir = check_private_certdir()) == NULL) { | ^
check_private_certdir() is not defined in any header file, it only exists in ssl.c. If ldaputil calls this function the server will crash.
Metadata Update from @mreynolds: - Issue status updated to: Open (was: Closed)
There are other compiler warnings as well:
./389-ds-base/ldap/servers/slapd/ssl.c: In function ‘check_private_certdir’: ../389-ds-base/ldap/servers/slapd/ssl.c:952:36: warning: format ‘%s’ expects argument of type ‘char *’, but argument 7 has type ‘char (*)[256]’ [-Wformat=] 952 | sscanf(sline,"%d %d %d:%d %s %s %s\n", | ~^ | | | char * 953 | &mountid, &parentid, &major, &minor, &root, &mountpoint, &rest); | ~~~~~ | | | char (*)[256] ../389-ds-base/ldap/servers/slapd/ssl.c:952:39: warning: format ‘%s’ expects argument of type ‘char *’, but argument 8 has type ‘char (*)[256]’ [-Wformat=] 952 | sscanf(sline,"%d %d %d:%d %s %s %s\n", | ~^ | | | char * 953 | &mountid, &parentid, &major, &minor, &root, &mountpoint, &rest); | ~~~~~~~~~~~ | | | char (*)[256] ../389-ds-base/ldap/servers/slapd/ssl.c:952:42: warning: format ‘%s’ expects argument of type ‘char *’, but argument 9 has type ‘char (*)[256]’ [-Wformat=] 952 | sscanf(sline,"%d %d %d:%d %s %s %s\n", | ~^ | | | char * 953 | &mountid, &parentid, &major, &minor, &root, &mountpoint, &rest); | ~~~~~ | | | char (*)[256]
Fix compiler warnings
07a1080..a4340aa master
Commit 31e132a relates to this ticket
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3942
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)
Login to comment on this ticket.