Issue 6349 - RFE - Use previously extracted key path #6363
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Tested with suites/replication/tls_client_auth_repl_test.py and suites/basic |
|
Looks good except a minor point: |
tbordaz
reviewed
Oct 16, 2024
There was a problem hiding this comment.
The change looks good except a doubt of a small memory leak.
If the concern was about the verbose warning in check_private_certdir you can also log it once, making the change smaller.
So your fix is to avoid those annoying logs and cleanup the code. Correct ?
Firstyear
force-pushed
the
6340-20241016-cert-warning
branch
from
c12d295 to
972775c
Compare
|
Good catch @tbordaz I have fixed both. |
We don't seem to have a shutdown call that I can use (unless I'm silly and couldn't see it). EDIT: We don't have one, so I added one. |
Firstyear
force-pushed
the
6340-20241016-cert-warning
branch
from
972775c to
9713792
Compare
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???
Firstyear
force-pushed
the
6340-20241016-cert-warning
branch
from
9713792 to
9c77e0e
Compare
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
Firstyear
added a commit
that referenced
this pull request
Oct 18, 2024
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)
|
Firstyear
added a commit
to Firstyear/389-ds-base
that referenced
this pull request
Nov 6, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 7, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
to Firstyear/389-ds-base
that referenced
this pull request
Nov 21, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: After more testing, if the connection is dropped and restarted, the certpath is retrieved but re-extraction does not occur. This still triggers the warning however. To resolve this, we only warn about the tpm namespace during library initialisation. I really hope I got it right this time :( fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???
Firstyear
added a commit
that referenced
this pull request
Nov 29, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Firstyear
added a commit
that referenced
this pull request
Nov 29, 2024
Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a
container.
Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration.
fixes: #6340
Author: William Brown william@blackhats.net.au
Review by: ???