This is expected to be the only testing call for 2.4.48, with an anticipated release, depending on feedback, during the week of 2019/07/22.
Specific to this release, it would be helpful if anyone using back-ldap or back-meta with TLS can confirm their existing configurations continue to work (Due to the changes related to ITS#8427).
Generally, get the code for RE24:
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.4.48 Engineering
    Added libldap OpenSSL Elliptic Curve support (ITS#7595)
    Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
    Added slapd-monitor support for slapd-mdb (ITS#7770)
    Fixed liblber leaks (ITS#8727)
    Fixed liblber with partial flush (ITS#8864)
    Fixed libldap ASYNC TLS so it works (ITS#8957, ITS#8980)
    Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
    Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
    Fixed libldap to use AI_ADDRCONFIG when available (ITS#7326)
    Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
    Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
    Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
    Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
    Fixed libldap to correctly close TLS connection (ITS#8755)
    Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
    Fixed liblunicode case correspondence (ITS#8508)
    Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
    Fixed slapd config parser variable for Windows64 (ITS#9012)
    Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
    Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
    Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
    Fixed slapd TLS settings on reconnection (ITS#8427)
    Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
    Fixed slapd to initialize SASL SSF per connection (ITS#9052)
    Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
    Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
    Fixed slapd-ldap TLS settings on reconnection (ITS#8427)
    Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
    Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
    Fixed slapd-meta TLS settings on reconnection (ITS#8427)
    Fixed slapd-meta assertion when network interface goes down (ITS#8841)
    Fixed slapd-mdb bitshift integer overflow (ITS#8989)
    Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
    Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
    Fixed slapo-accesslog possible assert with exops (ITS#8971)
    Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
    Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
    Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
    Fixed slapo-memberof for group name change to itself (ITS#9000)
    Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
    Fixed slapo-rwm to not free original filter (ITS#8964)
    Fixed slapo-syncprov contextCSN generation (ITS#9015)
    Build Environment
        Fixed slapd to only link to BDB libraries with static build (ITS#8948)
        Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
        Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
    Documentation
        General - Fixed minor typos (ITS#8764, ITS#8761)
        admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
        slapd.access(5) - Note MDB is the primary backend (ITS#8881)
        slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
        slapd-ldap(5) - Document starttls parameter (ITS#8693)
    Contrib
        Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)

LMDB 0.9.24 Engineering
    ITS#8969 Tweak mdb_page_split
    ITS#8975 WIN32 fix writemap set_mapsize crash
    ITS#9007 Fix loose pages in WRITEMAP
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Ok
thanks
Regards,
Olivier
On Monday, July 15, 2019 at 09:18 -0700, Quanah Gibson-Mount wrote:
This is expected to be the only testing call for 2.4.48, with an anticipated release, depending on feedback, during the week of 2019/07/22.
Specific to this release, it would be helpful if anyone using back-ldap or back-meta with TLS can confirm their existing configurations continue to work (Due to the changes related to ITS#8427).
Generally, get the code for RE24:
< http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/he...
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite.
Thanks!
On 7/15/19 6:18 PM, Quanah Gibson-Mount wrote:
This is expected to be the only testing call for 2.4.48, with an anticipated release, depending on feedback, during the week of 2019/07/22.
make test works.
revision 7c7f1f8 openSUSE Tumbleweed x86_64 gcc 9.1.1
My local Æ-DIR servers seem to work with build done in OBS [1].
But I'm still wondering why my ISC dhcpd does not work at all with libldap 2.4.48 installed from [1]. For me that's a real show-stopper.
Ciao, Michael.
[1] https://build.opensuse.org/package/show/home:stroeder:branches:home:stroeder...
--On Monday, July 15, 2019 11:24 PM +0200 Michael Ströder michael@stroeder.com wrote:
But I'm still wondering why my ISC dhcpd does not work at all with libldap 2.4.48 installed from [1]. For me that's a real show-stopper.
Just curious, does it work if you fully rebuild ISC dhcpd? I'm wondering if it was relying on one of the bugs in libldap/liblber that got fixed.
--Quanah
--On Monday, July 15, 2019 2:51 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, July 15, 2019 11:24 PM +0200 Michael Ströder michael@stroeder.com wrote:
But I'm still wondering why my ISC dhcpd does not work at all with libldap 2.4.48 installed from [1]. For me that's a real show-stopper.
Just curious, does it work if you fully rebuild ISC dhcpd? I'm wondering if it was relying on one of the bugs in libldap/liblber that got fixed.
Also, are you using it with TLS? There were a number of changes to TLS handling for 2.4.48. If you disable TLS (assuming it is enabled) in your configuration, does it work?
Regards, Quanah
On 7/15/19 10:55 PM, Quanah Gibson-Mount wrote:
--On Monday, July 15, 2019 2:51 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, July 15, 2019 11:24 PM +0200 Michael Ströder michael@stroeder.com wrote:
But I'm still wondering why my ISC dhcpd does not work at all with libldap 2.4.48 installed from [1]. For me that's a real show-stopper.
Just curious, does it work if you fully rebuild ISC dhcpd? I'm wondering if it was relying on one of the bugs in libldap/liblber that got fixed.
Also, are you using it with TLS?
No.
Also I've double-checked with ldapsearch that access to ldap://127.0.0.1:389 with bind information configured in dhcpd.conf works.
Ciao, Michael.
On 7/15/19 10:51 PM, Quanah Gibson-Mount wrote:
--On Monday, July 15, 2019 11:24 PM +0200 Michael Ströder michael@stroeder.com wrote:
But I'm still wondering why my ISC dhcpd does not work at all with libldap 2.4.48 installed from [1]. For me that's a real show-stopper.
Just curious, does it work if you fully rebuild ISC dhcpd?
Started a local build of this package:
https://build.opensuse.org/build/home:stroeder:branches:home:stroeder:AE-DIR...
As you can see libldap-2_4-2-2.4.48-154.1 is used in the build VM from the local project home:stroeder:branches:home:stroeder:AE-DIR and I've added a separate RPM changelog entry.
It does not help.
I'm wondering if it was relying on one of the bugs in libldap/liblber that got fixed.
The libldap lines in CHANGES do not ring a bell at my side. Can you point me to a candidate?
Ciao, Michael.
--On Tuesday, July 16, 2019 1:17 AM +0200 Michael Ströder michael@stroeder.com wrote:
I'm wondering if it was relying on one of the bugs in libldap/liblber that got fixed.
The libldap lines in CHANGES do not ring a bell at my side. Can you point me to a candidate?
ITS#8450, ITS#7996 perhaps? They change the mutex initializations.
It would be interesting to see a gdb stack trace of the process of 2.4.47 vs 2.4.48.
--Quanah
Hi Quanah
I tested the RE24 branch specifically for the ECC support, but the default behaviour seems to depend on the OpenSSL version.
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in olcTLSECName. There is no default value? This is contrary to expectation, most TLS enabled software enable ECC by default, based on the configured cipher string.
However with OpenSSL 1.1.1 (Arch Linux), it does work out of the box, and appears to use prime256v1,secp384r1,secp521r1 (openssl builtin default?).
But, I can only override it with a single curve, since olcTLSECName is single-valued. And colon, comma or otherwise separated is not accepted (TLS: could not use EC name `prime256v1,secp384r1,secp521r1').
OpenSSL supports multiple curves in configuration starting with 1.0.2, so I'd expect the same behaviour with 1.0.2 as with 1.1.1, not as with 1.0.1. So I'm confused, as the code seems to do nothing OpenSSL version specific.
Geert
It turns out that, with recent OpenSSL, OpenLDAP 2.4.47 already supports ECC ciphers - only not with a configurable curve. So probably OpenSSL made it available by default without needing application support.
Geert
--On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx geert@hendrickx.be wrote:
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in olcTLSECName. There is no default value? This is contrary to expectation, most TLS enabled software enable ECC by default, based on the configured cipher string.
Hi Geert,
The OpenSSL API does not support more than 1 EC to be enabled per context.
Regards, Quanah
On Tue, Jul 16, 2019 at 09:49:36 -0700, Quanah Gibson-Mount wrote:
--On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx geert@hendrickx.be wrote:
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in olcTLSECName. There is no default value? This is contrary to expectation, most TLS enabled software enable ECC by default, based on the configured cipher string.
Hi Geert,
The OpenSSL API does not support more than 1 EC to be enabled per context.
Hmm, at least nginx and postfix support specifying multiple curves: https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_ecdh_curve http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
Both specifically refer to OpenSSL >= 1.0.2
Geert
Geert Hendrickx wrote:
On Tue, Jul 16, 2019 at 09:49:36 -0700, Quanah Gibson-Mount wrote:
--On Tuesday, July 16, 2019 5:27 PM +0200 Geert Hendrickx geert@hendrickx.be wrote:
With OpenSSL 1.0.1 (CentOS 6) and OpenSSL 1.0.2 (CentOS 7), it does not use ECC until I explicitly set a curve in olcTLSECName. There is no default value? This is contrary to expectation, most TLS enabled software enable ECC by default, based on the configured cipher string.
Hi Geert,
The OpenSSL API does not support more than 1 EC to be enabled per context.
Hmm, at least nginx and postfix support specifying multiple curves: https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_ecdh_curve http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
Both specifically refer to OpenSSL >= 1.0.2
Feel free to submit a patch. But it won't be in time for 2.4.48.
--On Tuesday, July 16, 2019 8:15 PM +0100 Howard Chu hyc@symas.com wrote:
Both specifically refer to OpenSSL >= 1.0.2
Feel free to submit a patch. But it won't be in time for 2.4.48.
I've filed https://www.openldap.org/its/index.cgi/?findid=9054 for tracking purposes.
--Quanah