From Fedora Project Wiki
= Switch OpenLDAP from NSS to OpenSSL =
<!-- The template for this is here [[Changes/EmptyTemplate]] and more info here [[Changes/Policy]] -->

== Summary ==
Currently, [http://www.openldap.org/ OpenLDAP] in Fedora is compiled with [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS (aka MozNSS)] for crypto. OpenLDAP is going to be compiled with [https://www.openssl.org/ OpenSSL] instead.

== Owner ==
* Name: [[User:mhonek|Matus Honek]]
* Email: mhonek (at) redhat.com
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/120 #120]<!-- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
<!-- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shepherd name]] <email address>
-->
<!-- UNCOMMENT only if this Change aims specific product, working group (Cloud, Workstation, Server, Base, Env & Stacks)
* Product:
* Responsible WG:
-->

== Current status ==
* Targeted release: [[Releases/28 | Fedora 28 ]]
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page
Bugzilla states meaning as usual:
NEW -> change proposal is submitted and announced
ASSIGNED -> accepted by FESCo with on going development
MODIFIED -> change is substantially done and testable
ON_QA -> change is code completed and could be tested in the Beta release (optionally by QA)
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1413515 #1413515]

== Detailed Description ==
=== Insight ===
OpenLDAP in Fedora has been compiled with NSS for crypto for several years now. The support layer for NSS was added back in 2008, but OpenLDAP upstream stopped keeping it up to date in 2014. The reason for keeping OpenLDAP compiled with NSS was to make it work seamlessly with some other packages (especially 389DS). Fixing and maintaining the downstream patches has become a burden, so it was decided to switch to OpenSSL instead.

=== Dependents ===
==== 389DS ====
The upstream patch that mirrors certificates to PEM files, so that an OpenSSL-built OpenLDAP library may be used, is included since version <code>389-ds-base-1.3.5</code>.

See [http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html the design document].

==== FreeIPA ====
* BuildRequires openldap-devel
* Requires openldap-clients

==== SSSD ====
* BuildRequires openldap-devel

==== other ====
* dhcpd: BuildRequires openldap-devel
* python-ldap: BuildRequires openldap-devel; uses OpenSSL for TLS, so maybe not a problem?

=== Schedule ===
This is the proposed timeline, which aims for a clean adaptation by other components and users. In later Fedora releases the actual timelines may change.

==== Fedora 28 ====
* Land the OpenSSL-built OpenLDAP.
* Include the [[#Interception code]].
* Have <code>X_MOZNSS_COMPATIBILITY</code> implicitly set on by default.
* Include a deprecation warning.

==== Fedora 29 ====
* Have <code>X_MOZNSS_COMPATIBILITY</code> implicitly set off by default.

==== Fedora 30 ====
* Drop the [[#Interception code]] patching entirely.
* Drop the deprecation warning.

=== Implementation ===
The code handling possible NSS-specific configuration ([[#Interception code]]) should handle all possible use-cases (the libldap, openldap-clients and openldap-servers packages). Briefly, the code should make usage of both OpenSSL-specific and NSS-specific configurations seamless, with nothing more than setting the <code>X_MOZNSS_COMPATIBILITY</code> option on.

==== Build ====
Will build with <code>./configure --with-tls=openssl</code>, dropping <code>--with-tls=moznss</code>. Also, the NSS libraries will still need to be linked in so that the [[#Interception code]] works.

==== Interception code ====
===== Enabling =====
The <code>yes</code>/<code>no</code> options <code>LDAP_OPT_X_MOZNSS_COMPATIBILITY</code> (libldap), <code>X_MOZNSS_COMPATIBILITY</code> (ldap.conf, slapd.conf), and <code>olcMozNSSCompatibility</code> (slapd-config) may be used to explicitly set whether the [[#Interception code]] will be used.

===== Implementation =====
After parsing user options change these accordingly:
* keep <code>CACERT</code> as set
* if <code>CACERTDIR</code> is an NSSDB then
** if the NSSDB is pin-protected then unlock it using <code>KEY</code>
** extract all CA certs to <code>ca.pem</code>
** extract all CA certs from the <code>(DEFAULT_)MOZNSS_DIR</code> environment variable to <code>(default_)moznss_dir.pem</code>
** extract the user cert and key to <code>user.pem</code>
** get the randomly pre-generated DH params from the NSSDB and put them into <code>DHParamFile</code>
** update the options so that they work for OpenSSL
** tear down the NSS context
* go on with OpenSSL only

Although all configuration and runtime cases should be handled, in case the [[#Interception code]] is not able to continue as expected it should fail cleanly with an appropriate error.
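As an added illustration of the option rewriting described in the steps above (this is not code from the OpenLDAP patch or from this proposal), the following Python model applies those rules to a parsed ldap.conf-style option set. It detects an NSSDB by the presence of <code>cert8.db</code>/<code>cert9.db</code>, names the PEM directory <code>&lt;CACERTDIR&gt;-pem</code>, records the extraction work as a list of steps instead of calling NSS, and stores the DH parameters under a <code>DHParamFile</code> key; all of these, and the <code>dhparam.pem</code> name, are assumptions of the example, while <code>ca.pem</code>, <code>user.pem</code> and <code>moznss_dir.pem</code> come from the steps above. When <code>X_MOZNSS_COMPATIBILITY</code> is off and an NSSDB is configured it fails cleanly with an error, as required by the last paragraph; mixed NSS-like and OpenSSL-like settings only produce warnings, because the page leaves their behaviour undefined.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Files whose presence marks a directory as an NSS certificate database
# (cert8.db: legacy dbm layout, cert9.db: sqlite layout). Assumption: the real
# libldap patch may detect an NSSDB differently.
NSSDB_MARKERS = ("cert8.db", "cert9.db")


class InterceptionError(Exception):
    """The interception code cannot continue; the caller must fail cleanly."""


@dataclass
class Plan:
    options: Dict[str, str]                                      # options as OpenSSL will see them
    steps: List[Tuple[str, ...]] = field(default_factory=list)   # extraction work to perform
    warnings: List[str] = field(default_factory=list)


def is_nssdb(path: str) -> bool:
    """True if `path` looks like an NSS database directory."""
    return os.path.isdir(path) and any(
        os.path.exists(os.path.join(path, m)) for m in NSSDB_MARKERS)


def intercept(options: Dict[str, str], moznss_compat: bool = True,
              pem_dir: Optional[str] = None, env: Optional[Dict[str, str]] = None) -> Plan:
    """Apply the interception rules to parsed ldap.conf-style TLS options."""
    env = dict(os.environ) if env is None else env
    opts = dict(options)
    cacertdir = opts.get("TLS_CACERTDIR")
    if not cacertdir or not is_nssdb(cacertdir):
        return Plan(options=opts)          # already OpenSSL-like: pass through untouched
    if not moznss_compat:
        raise InterceptionError(
            "TLS_CACERTDIR %r is an NSS database but X_MOZNSS_COMPATIBILITY is off" % cacertdir)

    steps, warnings = [], []
    pem_dir = pem_dir or cacertdir.rstrip(os.sep) + "-pem"      # hypothetical default location
    ca_pem = os.path.join(pem_dir, "ca.pem")
    user_pem = os.path.join(pem_dir, "user.pem")
    dh_file = os.path.join(pem_dir, "dhparam.pem")

    # With the MozNSS backend TLS_CERT is a certificate nickname and TLS_KEY the pin
    # file; a path-like TLS_CERT next to an NSSDB is a mixed configuration.
    cert = opts.get("TLS_CERT")
    nickname = bool(cert) and os.sep not in cert
    if cert and not nickname:
        warnings.append("TLS_CERT looks like a file path but TLS_CACERTDIR is an NSSDB")
    if "TLS_CRLCHECK" in opts and "TLS_CRLFILE" in opts:
        warnings.append("both TLS_CRLCHECK (OpenSSL) and TLS_CRLFILE (NSS) are set")

    if opts.get("TLS_KEY"):
        steps.append(("unlock", cacertdir, opts["TLS_KEY"]))
    steps.append(("extract-ca", cacertdir, ca_pem))
    moznss_dir = env.get("MOZNSS_DIR") or env.get("DEFAULT_MOZNSS_DIR")
    if moznss_dir:
        steps.append(("extract-ca", moznss_dir, os.path.join(pem_dir, "moznss_dir.pem")))
    if nickname:
        steps.append(("extract-user", cacertdir, cert, user_pem))
    steps.append(("extract-dh", cacertdir, dh_file))
    steps.append(("teardown-nss",))

    # Rewrite the options so that the OpenSSL backend understands them.
    opts.setdefault("TLS_CACERT", ca_pem)          # keep CACERT if the user set it
    del opts["TLS_CACERTDIR"]
    if nickname:
        opts["TLS_CERT"] = user_pem                  # user.pem carries both cert and key
        opts["TLS_KEY"] = user_pem
    if opts.pop("TLS_CRLFILE", None) is not None:
        warnings.append("TLS_CRLFILE dropped: the OpenSSL backend only knows TLS_CRLCHECK")
    opts["DHParamFile"] = dh_file                    # key name follows the page's wording
    return Plan(options=opts, steps=steps, warnings=warnings)


def demo(moznss_compat: bool = True) -> Plan:
    """Constructed input: a temp dir carrying only an NSSDB marker file (not a real
    database) plus an NSS-style option set such as a Fedora client might have."""
    import tempfile
    nssdb = tempfile.mkdtemp(prefix="nssdb-")
    open(os.path.join(nssdb, "cert9.db"), "wb").close()
    config = {
        "TLS_CACERTDIR": nssdb,
        "TLS_CERT": "Server-Cert",                      # NSS nickname, not a path
        "TLS_KEY": os.path.join(nssdb, "pin.txt"),      # NSS pin file (constructed)
        "TLS_CRLFILE": "/etc/openldap/certs/crl.der",   # NSS-only option (constructed)
        "TLS_REQCERT": "demand",
    }
    return intercept(config, moznss_compat, env={"MOZNSS_DIR": "/etc/pki/nssdb"})
```

Running <code>demo()</code> shows the order the page prescribes (unlock, extract CA certs, extract the <code>MOZNSS_DIR</code> CA certs, extract the user cert and key, DH params, tear down NSS) and an option set in which <code>TLS_CACERTDIR</code> is gone, <code>TLS_CERT</code> and <code>TLS_KEY</code> both point at <code>user.pem</code>, and the dropped <code>TLS_CRLFILE</code> is reported rather than silently ignored.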


===== Considerations =====
====== PEM files location ======
We should keep the NSSDB in place, while creating a directory with the same owner and permissions for storing the extracted PEM files. If the directory cannot be created, we should temporarily put the files into a tempdir (in <code>/tmp</code>).
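As an added example (not part of the proposal or of the OpenLDAP patch) of the PEM directory handling just described, the Python helper below creates the directory next to the NSSDB with the same permission bits and, when running as root, the same owner, and falls back to a private temporary directory when the name is taken or cannot be created. The <code>-pem</code> suffix and the checks made before reusing an existing directory are this example's own choices. Those checks matter because the extracted <code>user.pem</code> contains the private key: a symlink or a group/world-writable directory at that path must not be reused, and the fallback is created with <code>mkdtemp</code> (mode 0700) rather than under a predictable name in <code>/tmp</code>.

```python
import os
import stat
import tempfile


def _usable(path: str, want_uid: int) -> bool:
    """A pre-existing target is reused only if it is a real directory (not a symlink),
    owned by the expected user, and not writable by group or others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False                                 # file, symlink, socket, ...
    return st.st_uid == want_uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_pem_dir(nssdb: str, suffix: str = "-pem"):
    """Return (directory, used_fallback) for storing PEM files extracted from `nssdb`."""
    st = os.stat(nssdb)
    mode = stat.S_IMODE(st.st_mode)
    target = nssdb.rstrip(os.sep) + suffix           # hypothetical naming convention
    try:
        os.mkdir(target, mode)
        os.chmod(target, mode)                       # the umask may have stripped bits
        if os.geteuid() == 0:                        # only root may hand the dir to another owner
            os.chown(target, st.st_uid, st.st_gid)
        return target, False
    except FileExistsError:
        if _usable(target, st.st_uid):
            return target, False
    except OSError:
        pass                                         # e.g. read-only or unwritable parent
    # Fallback: mkdtemp creates a fresh, unpredictably named directory with mode 0700.
    return tempfile.mkdtemp(prefix="openldap-moznss-"), True


def demo() -> dict:
    """Constructed scenario: a fake NSSDB directory with mode 0750, once with a free
    target name and once with the target name squatted by a plain file."""
    base = tempfile.mkdtemp(prefix="demo-")
    nssdb = os.path.join(base, "certs")
    os.mkdir(nssdb, 0o750)
    os.chmod(nssdb, 0o750)
    path, fallback1 = make_pem_dir(nssdb)
    src, dst = os.stat(nssdb), os.stat(path)

    blocked = os.path.join(base, "certs2")
    os.mkdir(blocked, 0o750)
    open(blocked + "-pem", "w").close()              # the target name is already taken
    fb_path, fallback2 = make_pem_dir(blocked)
    return {
        "first_fallback": fallback1,
        "mode_matches": stat.S_IMODE(dst.st_mode) == stat.S_IMODE(src.st_mode),
        "owner_matches": dst.st_uid == src.st_uid,
        "second_fallback": fallback2,
        "fallback_private": stat.S_IMODE(os.stat(fb_path).st_mode) == 0o700,
    }
```

Note that the fallback directory is not world-readable even when the NSSDB itself was; mirroring loose permissions onto a directory that will hold a private key in the clear is exactly the case a deployer should review before enabling the compatibility layer on a shared host.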


====== CRLCheck and CRLFile options ======
NSS uses the <code>CRLFILE</code> option only, whereas OpenSSL uses the <code>CRLCHECK</code> boolean. There is no feasible way to be backward-compatible.

====== NSS still used ======
Even if only temporarily, the NSS library is still used, which may cause some (although few) problems.


=== Pitfalls ===
==== Downgrade ====
Will not be supported automatically. We should provide steps for reverting to an NSSDB while an OpenSSL-like configuration is in place.

==== Mixed configuration options have undefined behaviour ====
If both OpenSSL-like and NSS-like configurations are used for various configuration parameters at the same time, then the behaviour SHOULD not be destructive, but it is undefined.

<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->

== Benefit to Fedora ==
Support from upstream -- currently, most bugs are related to MozNSS and upstream refuses to bother with our TLS or PKI related issues as they do not support MozNSS anymore.
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->

== Scope ==
* Proposal owners: write the [[#Interception code]].
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
* Other developers: ensure usage of OpenSSL-like TLS configuration based on the [[#Schedule]].
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
* Release engineering: [https://pagure.io/releng/issue/6891]
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  If a rel-eng ticket exists, add a link here.
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook.-->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: Not affected <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
 
* Policies and guidelines: none.
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
 
* Trademark approval: none.
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://fedorahosted.org/council/ ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. -->
 
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
No issues should occur in the first phase (see [[#Schedule]]).
 
== How To Test ==
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
 
Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
 
A good "how to test" should answer these four questions:
 
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this change? What packages
need to be installed, config files edited, etc.?
2. What specific actions do I perform to check that the change is
working like it's supposed to?
3. What are the expected results of those actions?
-->
 
* This change is not hardware-specific.
* This changes the <code>libldap</code> library, thus all packages of the OpenLDAP component are affected, as well as all the other packages that Require or BuildRequire some of the OpenLDAP packages.
* Testing
*# Sanity testing should be done for both MozNSS-NSSDB-like and OpenSSL-like configurations and for each of the following specifics:
*#* Basic self-signed CA cert and user cert/key
*#* Self-signed CA cert chain
*# Dependent packages' tests
All configurations should work as expected; no regressions should occur.
 
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
No changes should occur. However, from the third phase on (see [[#Schedule]]), users will not be able to use an NSSDB.
 
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
This change does not depend on any other change.
 
== Contingency Plan ==
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: revert the patches implementing the change. No external changes would be required.
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: beta freeze.
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? No.
* Blocks product? No.
 
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
[[OpenLDAP-and-MozNSS-Compatibility-Layer]]
 
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.
 
Release Notes are not required for the initial draft of the Change Proposal but have to be completed by the Change Freeze.
-->
 
[[Category:ChangeAcceptedF28]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
 
<!-- Select proper category, default is Self Contained Change -->
<!-- [[Category:SelfContainedChange]] -->
[[Category:SystemWideChange]]


Latest revision as of 15:34, 3 April 2018

