From Fedora Project Wiki

Revision as of 15:20, 6 October 2016 by Mhonek (talk | contribs) (→‎Testing)

Switch OpenLDAP from MozNSS to OpenSSL

Overview

TODO

Reasons

TODO

Dependents

389DS

Upstream patch that mirrors certificates to PEM files so that OpenSSL-built OpenLDAP library may be used, is supported since version 389-ds-base-1.3.5.

See the design document.

FreeIPA

BuildRequires: openldap-devel
Requires: openldap-clients

SSSD

BuildRequires: openldap-devel

dhcpd

BuildRequires: openldap-devel

python-ldap

BuildRequires: openldap-devel

Uses OpenSSL for TLS, so maybe not a problem?

others

TODO

Schedule

Fedora 26

Land the OpenSSL-built OpenLDAP. This should include the #Interception code with X_MOZNSS_COMPATIBILITY set on by default.

Fedora 27

Turn the #Interception code off by default, still being able to enable it with the X_MOZNSS_COMPATIBILITY.

Fedora 28

Drop the #Interception code patching entirely. All packages should be already fully functional with OpenSSL-built OpenLDAP not supporting MozNSS-specific functionality.

Implementation

The code handling possible MozNSS-specific configuration (#Interception code) should handle all possible use-cases (libldap, openldap-clients and openldap-servers packages). Briefly, the code should make usage of both, OpenSSL-specific and MozNSS-specific, configurations seamless with no more than setting the X_MOZNSS_COMPATIBILITY option on.

Build

Will build with ./configure --with-tls=openssl, dropping --with-tls=moznss. Also, MozNSS libs will be needed to be included so that the #Interception code works.

Interception code

Enabling

A yes/no options LDAP_OPT_X_MOZNSS_COMPATIBILITY (libldap), X_MOZNSS_COMPATIBILIY (ldap.conf, slapd.conf), and olcMozNSSCompatibility (slapd-config) may be used to explicitly set whether the #Interception code will be used.

Implementation

After parsing user options change these accordingly:

  • keep CACERT as set
  • if CACERTDIR is NSSDB then
    • if NSSDB is pin-protected then
      • unlock the DB using KEY
    • extract all CA certs to ca.pem
    • extract all CA certs from (DEFAULT_)MOZNSS_DIR environment variable to (default_)moznss_dir.pem
    • extract user cert and key to user.pem
    • get the randomly pre-generated DH params from NSSDB and put it into DHParamFile
    • update options so that they work for OpenSSL
  • go on

Considerations

PEM files location

We should keep the NSSDB in place, while creating a directory with the same owner and permissions for storing the extracted PEM files. If the directory cannot be created, we should temporarily put these to a tempdir (in /tmp).

CRLCheck and CRLFile options

NSS uses CRLFILE option only, whereas OpenSSL uses CRLCHECK bool.

NSS still used

Even though temporarily, NSS library is still used possibly causing some (although few) troubles.

Testing

Areas

Interception code functionality

Basic self-signed ca cert and user cert/key

TODO

With self-signed cert chain

TODO

Regressions

TODO

Dependent packages' tests

TODO

Testing Day(s)

TODO

Pitfalls

Downgrade

Will not be supported automatically. We should provide steps how to revert to NSSDB having OpenSSL-like configuration in place.

Mixed configuration options have undefined behaviour

If both, OpenSSL-like and MozNSS-like, configurations are used for various configuration parameters at the same time then the behaviour SHOULD not be destructive but it is undefined.