From 8304caec593b591558c9c18de9bcb6b2f23db5b6 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Feb 06 2018 23:36:09 +0000 Subject: Ticket 49560 - nsslapd-extract-pemfiles should be enabled by default as openldap is moving to openssl Bug Description: Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL), the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE, need to specify path to PEM files. Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'. The default value is 'off', that prevent secure outgoing connection. Fix Description: Enable nsslapd-extract-pemfiles by default Then when establishing an outgoing connection, if it is not using NSS crypto layer and the pem files have been extracted then use the PEM files https://pagure.io/389-ds-base/issue/49560 Reviewed by: mreynolds Platforms tested: RHEL 7.5 Flag Day: no Doc impact: no Signed-off-by: Mark Reynolds --- diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c index 2fc2f06..fcf22e6 100644 --- a/ldap/servers/slapd/ldaputil.c +++ b/ldap/servers/slapd/ldaputil.c @@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth) slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength); } - if (slapi_client_uses_non_nss(ld)) { + if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) { cacert = slapi_get_cacertfile(); if (cacert) { /* CA Cert PEM file exists. Set the path to openldap option. */ @@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth) cacert, rc, ldap_err2string(rc)); } } - if (slapi_client_uses_openssl(ld)) { - int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE; - tls_check_crl_t tls_check_state = config_get_tls_check_crl(); - if (tls_check_state == TLS_CHECK_PEER) { - crlcheck = LDAP_OPT_X_TLS_CRL_PEER; - } else if (tls_check_state == TLS_CHECK_ALL) { - crlcheck = LDAP_OPT_X_TLS_CRL_ALL; - } - /* Sets the CRL evaluation strategy. */ - rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck); - if (rc) { - slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", - "Could not set CRLCHECK [%d]: %d:%s\n", - crlcheck, rc, ldap_err2string(rc)); - } + } + if (slapi_client_uses_openssl(ld)) { + int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE; + tls_check_crl_t tls_check_state = config_get_tls_check_crl(); + if (tls_check_state == TLS_CHECK_PEER) { + crlcheck = LDAP_OPT_X_TLS_CRL_PEER; + } else if (tls_check_state == TLS_CHECK_ALL) { + crlcheck = LDAP_OPT_X_TLS_CRL_ALL; + } + /* Sets the CRL evaluation strategy. */ + rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck); + if (rc) { + slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", + "Could not set CRLCHECK [%d]: %d:%s\n", + crlcheck, rc, ldap_err2string(rc)); } } /* tell it where our cert db/file is */ diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index c7a8730..d0865e1 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -1696,7 +1696,7 @@ FrontendConfig_init(void) init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET; #endif - init_extract_pem = cfg->extract_pem = LDAP_OFF; + init_extract_pem = cfg->extract_pem = LDAP_ON; /* Done, unlock! */ CFG_UNLOCK_WRITE(cfg); diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 52ac7ea..36b09fd 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld) errorCode, slapd_pr_strerror(errorCode)); } else { #if defined(USE_OPENLDAP) - if (slapi_client_uses_non_nss(ld)) { + if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) { char *certdir = config_get_certdir(); char *keyfile = NULL; char *certfile = NULL;