https://bugs.openldap.org/show_bug.cgi?id=10403
Issue ID: 10403
Summary: Add a configuration directive that uses the OpenSSL CONF API to allow openldap config files to set any configuration supported by that API, and to get new OpenSSL configuration capabilities through that API with no changes in openldap.
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: stephen.wall@redcom.com
Target Milestone: ---
Created attachment 1090 --> https://bugs.openldap.org/attachment.cgi?id=1090&action=edit Add a configuration directive that uses the OpenSSL CONF API to allow openldap config files to set any configuration supported by that API, and to get new OpenSSL configuration capabilities through th
I am submitting a patch to create a new directive for OpenLDAP config files that uses the OpenSSL SSL_CONF API to allow configuration of any aspect of OpenSSL that the API supports without adding specific directives to OpenLDAP for them. When OpenSSL extends that API, all versions of OpenLDAP with this patch will also support those extensions with no additional code.
--- Comment #1 from stephen.wall@redcom.com ---
The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by REDCOM Laboratories, Inc. REDCOM Laboratories has not assigned rights and/or interest in this work to any party. I, Stephen Wall, am authorized by REDCOM Laboratories, my employer, to release this work under the terms of the OpenLDAP Public License version 2.8 or newer.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed      | Added
-----------------+--------------+------
Target Milestone | ---          | 2.7.0
Keywords         | needs_review |
Ondřej Kuzník ondra@mistotebe.net changed:
What     | Removed | Added
---------+---------+-------
Keywords |         | IPR_OK
--- Comment #2 from stephen.wall@redcom.com --- Could someone review or approve this please?
--- Comment #3 from stephen.wall@redcom.com --- I can generate a pull request from my gitlab account if that helps...
--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net --- Hi Stephen, could you outline how this relates to another TLS API related issue that has been handled recently: https://bugs.openldap.org/show_bug.cgi?id=10149
Is there any overlap or do they address completely different issues? Posting a usecase here would also be useful.
--- Comment #5 from stephen.wall@redcom.com --- I am uncertain about overlap. It's possible the functionality added in https://bugs.openldap.org/show_bug.cgi?id=10149 could also be done with this addition, but this patch also does much more. It allows direct use of any OpenSSL SSL_CONF directive in the OpenLDAP configuration file. As the SSL_CONF API is extended with new functionality, OpenLDAP gains access to those simply by running against the new libssl.
Some examples:
TLSOpenSSLConf "Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
TLSOpenSSLConf "MaxProtocol TLSv1.3"
TLSOpenSSLConf "Options -SessionTicket"
TLSOpenSSLConf "Options NoResumptionOnRenegotiation"
TLSOpenSSLConf "Options -Compression"
TLSOpenSSLConf "Options -UnsafeLegacyRenegotiation"
TLSOpenSSLConf "Options -UnsafeLegacyServerConnect"
TLSOpenSSLConf "SignatureAlgorithms ECDSA+SHA256:ECDSA+SHA384:ed25519:ed448"
TLSOpenSSLConf "ClientSignatureAlgorithms ECDSA+SHA384:ed25519"
TLSOpenSSLConf "Groups secp384r1:secp521r1:X25519"
Similarly from PHP:
ldap_set_option(NULL, LDAP_OPT_X_TLS_OPENSSL_CONF, "SignatureAlgorithms ECDSA+SHA384:ed25519");
Howard Chu hyc@openldap.org changed:
What     | Removed           | Added
---------+-------------------+-----------------
Assignee | bugs@openldap.org | hyc@openldap.org
--- Comment #6 from Howard Chu hyc@openldap.org --- Going from a multivalued LDAP config attribute to a concatenated ';' delimited string is a bit clunky but I guess it works. The code in tls_o.c should just use ldap_str2charray to parse the string back out.
I'm wondering if other TLS libraries will have analogous generic config functions that we can also use, i.e. whether this really needs to have an OpenSSL-specific name as well as being specific to that library.
--- Comment #7 from Howard Chu hyc@openldap.org --- I don't see any provision for deleting individual values from the configs in bconfig.c. That needs to be addressed.
I think it will be better overall to just make the internal structure store a charray, but that still doesn't address how to undo a setting when it's deleted from the config string.
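As an added illustration of the encoding discussed in comments #5 and #6 (this is example code written for this page, not the attached patch or OpenLDAP's own tls_o.c/bconfig.c): join_openssl_conf mirrors the ';'-concatenation a multivalued TLSOpenSSLConf attribute receives, and parse_openssl_conf splits that string back into the (command, value) pairs that SSL_CONF_cmd() takes, doing by hand what a call to ldap_str2charray plus a split at the first blank would do. Function names, struct layout and buffer sizes are assumptions; no OpenSSL call is made so the code runs stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One SSL_CONF command in the shape SSL_CONF_cmd(cctx, cmd, value) takes:
 * the word before the first blank is the command, the rest is its value. */
struct conf_cmd { char cmd[64]; char value[192]; };

/* Join the values of a multivalued attribute with ';', the concatenated
 * form comment #6 describes. Caller frees the result. Hypothetical helper. */
char *join_openssl_conf(const char **vals, int n) {
    size_t len = 1;
    for (int i = 0; i < n; i++) len += strlen(vals[i]) + 1;
    char *out = malloc(len);
    if (!out) return NULL;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i) strcat(out, ";");
        strcat(out, vals[i]);
    }
    return out;
}

/* Split the joined string back into command/value pairs, as the TLS code
 * would before handing each pair to SSL_CONF_cmd(). Returns the count, or
 * -1 if an entry has no value or the output array is full. */
int parse_openssl_conf(const char *joined, struct conf_cmd *out, int max) {
    char *copy = malloc(strlen(joined) + 1);   /* strtok needs a writable buffer */
    int n = 0;
    if (!copy) return -1;
    strcpy(copy, joined);
    for (char *e = strtok(copy, ";"); e; e = strtok(NULL, ";")) {
        while (*e == ' ' || *e == '\t') e++;      /* tolerate blanks after ';' */
        if (*e == '\0') continue;                 /* tolerate empty entries */
        size_t c = strcspn(e, " \t");             /* end of the command word */
        if (n >= max || e[c] == '\0' || c >= sizeof out[n].cmd) { free(copy); return -1; }
        memcpy(out[n].cmd, e, c); out[n].cmd[c] = '\0';
        const char *v = e + c;
        while (*v == ' ' || *v == '\t') v++;      /* value starts after the blanks */
        snprintf(out[n].value, sizeof out[n].value, "%s", v);
        n++;
    }
    free(copy);
    return n;
}
```

Feeding "MaxProtocol TLSv1.3;Options -SessionTicket" through parse_openssl_conf yields the pairs ("MaxProtocol", "TLSv1.3") and ("Options", "-SessionTicket"), and an entry with no value such as a bare "MaxProtocol" is rejected rather than passed on.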
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
-----------------+---------+------
Target Milestone | 2.7.0   | 2.7.1