From Fedora Project Wiki

Revision as of 12:23, 6 October 2016

Switch OpenLDAP from MozNSS to OpenSSL

Overview

TODO

Reasons

TODO

Dependents

389DS

The upstream patch that mirrors certificates to PEM files, so that an OpenSSL-built OpenLDAP library can be used, is supported since version 389-ds-base-1.3.5.

See the design document.

FreeIPA

TODO

dhcpd

TODO

python-ldap

TODO

others

TODO

Schedule

Fedora 26

Land the OpenSSL-built OpenLDAP. This should include the #Interception code, with X_MOZNSS_COMPATIBILITY enabled by default.

Fedora 27

Turn the #Interception code off by default; it can still be enabled with X_MOZNSS_COMPATIBILITY.

Fedora 28

Drop the #Interception code patch entirely. By then all packages should be fully functional with an OpenSSL-built OpenLDAP that does not support MozNSS-specific functionality.

Implementation

The code handling possible MozNSS-specific configuration (the #Interception code) should cover all use-cases (the libldap, openldap-clients and openldap-servers packages). In short, the code should make both OpenSSL-specific and MozNSS-specific configurations work seamlessly, with nothing more required than turning the X_MOZNSS_COMPATIBILITY option on.

Build

The package will be built with ./configure --with-tls=openssl, dropping --with-tls=moznss. The MozNSS libraries will still need to be linked in so that the #Interception code can read the NSS database.

Interception code

Enabling

A yes/no option, LDAP_OPT_X_MOZNSS_COMPATIBILITY (libldap), X_MOZNSS_COMPATIBILITY (ldap.conf, slapd.conf) or olcMozNSSCompatibility (slapd-config), may be used to set explicitly whether the #Interception code is used.

Implementation

After parsing the user's options, adjust them as follows:

  • keep CACERT as set
  • if CACERTDIR is an NSSDB then
    • if the NSSDB is pin-protected then
      • unlock the DB using KEY
    • extract all CA certs to ca.pem
    • extract all CA certs from the (DEFAULT_)MOZNSS_DIR environment variable to (default_)moznss_dir.pem
    • extract the user cert and key to user.pem
    • get the randomly pre-generated DH params from the NSSDB and put them into DHParamFile
    • update the options so that they work for OpenSSL
  • continue
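The steps above, modelled as a dry-run planner in Python (an added example, not the OpenLDAP patch itself, which lives in libldap's C code): it detects an NSSDB in CACERTDIR, picks the trusted CAs out of a certutil -L listing, emits the certutil/pk12util/openssl commands that would produce ca.pem and user.pem, and rewrites the options for OpenSSL. The DH-params step is left out; the meaning of TLS_CACERTDIR/TLS_CERT/TLS_KEY under MozNSS, the PEM directory /var/run/openldap-pem and the P12PASS variable are assumptions, and the certutil listing and NSSDB directory are constructed.

```python
import os, tempfile
from shlex import quote as q

NSSDB_FILES = ("cert8.db", "cert9.db", "key3.db", "key4.db")
SAMPLE_LISTING = ("Certificate Nickname  Trust Attributes\n  SSL,S/MIME,JAR/XPI\n\n"
                  "Example CA  CT,C,C\nServer-Cert  u,u,u\n")  # constructed 'certutil -L' output

def is_nssdb(path):
    """CACERTDIR counts as an NSSDB if it holds NSS certificate/key database files."""
    return os.path.isdir(path) and any(os.path.exists(os.path.join(path, f)) for f in NSSDB_FILES)

def parse_certutil_listing(text):
    """Parse 'certutil -L' output into [(nickname, ssl_trust_flags)]."""
    certs = []
    for line in text.splitlines()[2:]:            # skip the two header lines
        parts = line.rstrip().rsplit(None, 1)     # nicknames may contain spaces
        if len(parts) == 2 and "," in parts[1]:
            certs.append((parts[0], parts[1].split(",")[0]))
    return certs

def plan_interception(opts, listing, pemdir):
    """Return (openssl_opts, shell_commands); OpenSSL-style configs pass through.
    Assumed MozNSS convention: TLS_CACERTDIR = NSSDB dir, TLS_CERT = cert nickname,
    TLS_KEY = file holding the DB PIN (pin-protected DBs only)."""
    db = opts.get("TLS_CACERTDIR")
    if not db or not is_nssdb(db):
        return dict(opts), []                     # nothing to intercept: go on
    dbspec = "sql:" + db if os.path.exists(os.path.join(db, "cert9.db")) else db
    pin = opts.get("TLS_KEY", "")                 # used to unlock a pin-protected DB
    ca_pem, user_pem = os.path.join(pemdir, "ca.pem"), os.path.join(pemdir, "user.pem")
    cmds = [f": > {q(ca_pem)}"]                   # start from an empty ca.pem
    for nick, ssl_trust in parse_certutil_listing(listing):
        if set("CT") & set(ssl_trust):            # trusted to issue SSL server/client certs
            cmds.append(f"certutil -L -d {q(dbspec)} -n {q(nick)} -a >> {q(ca_pem)}")
    new = dict(opts)
    del new["TLS_CACERTDIR"]
    new.setdefault("TLS_CACERT", ca_pem)          # keep CACERT as the user set it
    if opts.get("TLS_CERT"):                      # user cert + key -> user.pem via PKCS#12
        p12 = os.path.join(pemdir, "user.p12")
        cmds += [f"pk12util -o {q(p12)} -d {q(dbspec)} -n {q(opts['TLS_CERT'])}"
                 + (f" -k {q(pin)}" if pin else "") + ' -W "$P12PASS"',
                 f"openssl pkcs12 -in {q(p12)} -nodes -passin env:P12PASS -out {q(user_pem)}"]
        new["TLS_CERT"] = new["TLS_KEY"] = user_pem
    return new, cmds

def demo():
    db = tempfile.mkdtemp()                       # constructed NSSDB: empty cert9.db marker
    open(os.path.join(db, "cert9.db"), "w").close()
    opts = {"TLS_CACERTDIR": db, "TLS_CERT": "Server-Cert", "TLS_KEY": "/etc/openldap/pin.txt"}
    return plan_interception(opts, SAMPLE_LISTING, "/var/run/openldap-pem")
```

The emitted commands are meant to be run in a shell with P12PASS set to a throwaway export password; the planner itself never touches the NSS tools.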

Considerations

PEM files location

We should keep the NSSDB in place and create a directory with the same owner and permissions for storing the extracted PEM files. If that directory cannot be created, we should temporarily put the files in a temporary directory (under /tmp).

CRLCheck and CRLFile options

NSS uses only the CRLFILE option, whereas OpenSSL uses the CRLCHECK boolean.

NSS still used

Even if only temporarily, the NSS library is still used, which may cause some (if few) problems.

Testing

Interception code functionality

Basic self-signed ca cert and user cert/key

TODO

With self-signed cert chain

TODO

Regressions

TODO

Dependent packages' tests

TODO

Pitfalls

Downgrade

TODO

Mixed configuration options have undefined behaviour

If both OpenSSL-style and MozNSS-style configurations are used for different configuration parameters at the same time, the behaviour SHOULD NOT be destructive, but it is undefined.