(ITS#8485) [PATCH] Adding support for encrypted server private keys
Full_Name: Alec Cooper
Version: HEAD of master branch
OS: Ubuntu Linux 16.04
URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch
Submission from: (NULL) (73.134.243.211)
Adding support for encrypted server private keys.

The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c to
send a password to the underlying TLS library.

Changes to ldap.h, init.c and ldap-int.h expose the new
LDAP_OPT_X_TLS_KEYPASSWORD in the main API.

Changes in the contrib/ldapc++ directory expose the corresponding
TlsOptions::KEYPASSWORD option in the C++ API.

Changes in the servers directory expose equivalent options for servers as
configuration file entries or environment variables.

Changes in the doc directory add documentation about the new options and remove
statements that indicated that encrypted keyfiles are not supported.

New files in the test directory are for testing TLS connections, both in general
and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM
formatted certs and keys, and for MozNSS using cert/key databases. The new unit
test (test065-tls) has been written to detect when using NSS, and use the
cert/key databases in this case. I have been unable to get a working version of
libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles -
testing for this case would be welcome!

Notice of origin: The attached patch file is derived from OpenLDAP Software. All
of the modifications to OpenLDAP Software represented in the following patch
were developed by Alec Cooper ahnolds@gmail.com. I have not assigned rights
and/or interest in this work to any party.
Rights statement: I, Alec Cooper, hereby place the following modifications to
OpenLDAP Software (and only these modifications) into the public domain. Hence,
these modifications may be freely used and/or redistributed for any purpose with
or without attribution and/or other notice.

The patch has been uploaded to the OpenLDAP FTP server and can be found at
ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch