Tuesday, February 6, 2018

[389-commits] [389-ds-base] 01/01: Ticket 49560 - nsslapd-extract-pemfiles should be enabled by default as openldap is moving to openssl

This is an automated email from the git hooks/post-receive script.

mreynolds pushed a commit to branch 389-ds-base-1.3.7
in repository 389-ds-base.

commit b68d3cb9a440a5bea74eaa78b8a1cf732c45d4fc
Author: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue Feb 6 19:49:22 2018 +0100

Ticket 49560 - nsslapd-extract-pemfiles should be enabled by default as openldap is moving to openssl

Bug Description:
Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
need to specify paths to PEM files.

Those PEM files are extracted from the keys/certs in the NSS db in /etc/dirsrv/slapd-xxx.

Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.

The default value is 'off', which prevents secure outgoing connections.

Fix Description:

Enable nsslapd-extract-pemfiles by default.
Then, when establishing an outgoing connection, if it is not using the NSS crypto layer
and the PEM files have been extracted, use the PEM files.

https://pagure.io/389-ds-base/issue/49560

Reviewed by: mreynolds & mhonek

Platforms tested: RHEL 7.5

Flag Day: no

Doc impact: no

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
---
ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
ldap/servers/slapd/libglobs.c | 2 +-
ldap/servers/slapd/ssl.c | 2 +-
3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 2fc2f06..fcf22e6 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
"failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
}
- if (slapi_client_uses_non_nss(ld)) {
+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
cacert = slapi_get_cacertfile();
if (cacert) {
/* CA Cert PEM file exists. Set the path to openldap option. */
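Review bot: with the new guard in `if (slapi_client_uses_non_nss(ld) && config_get_extract_pem())`, a non-NSS client whose server has nsslapd-extract-pemfiles set to off now skips the whole CA-cert setup silently; nothing in this hunk logs that branch, so an operator debugging a failing outgoing TLS connection gets no hint that PEM extraction is disabled. Suggest a slapi_log_err at config/debug level in the skipped case that names the attribute.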
@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
cacert, rc, ldap_err2string(rc));
}
}
- if (slapi_client_uses_openssl(ld)) {
- int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
- tls_check_crl_t tls_check_state = config_get_tls_check_crl();
- if (tls_check_state == TLS_CHECK_PEER) {
- crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
- } else if (tls_check_state == TLS_CHECK_ALL) {
- crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
- }
- /* Sets the CRL evaluation strategy. */
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
- if (rc) {
- slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
- "Could not set CRLCHECK [%d]: %d:%s\n",
- crlcheck, rc, ldap_err2string(rc));
- }
+ }
+ if (slapi_client_uses_openssl(ld)) {
+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
+ if (tls_check_state == TLS_CHECK_PEER) {
+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
+ } else if (tls_check_state == TLS_CHECK_ALL) {
+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+ }
+ /* Sets the CRL evaluation strategy. */
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
+ if (rc) {
+ slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
+ "Could not set CRLCHECK [%d]: %d:%s\n",
+ crlcheck, rc, ldap_err2string(rc));
}
}
/* tell it where our cert db/file is */
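Review bot: this hunk changes more than the commit message describes. By closing the non-NSS block at the added `+ }` and re-adding the `if (slapi_client_uses_openssl(ld))` block after it, the LDAP_OPT_X_TLS_CRLCHECK setup moves out from under the `slapi_client_uses_non_nss(ld) && config_get_extract_pem()` gate and now runs for every OpenSSL-backed client, including the case where no CA PEM file was configured because extraction is off. If that is intended, the message should say so; if CRL checking is only meaningful once LDAP_OPT_X_TLS_CACERTFILE has been set, the block should stay inside the gate.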
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index eb6552a..3bd5c18 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
