link against moznss again (#1187742)

Revert "link against openssl by default" This reverts commit 72da77adb6.
2015-02-20 11:01:37 +01:00 · 2015-02-20 11:01:37 +01:00 · 592250ebfb
commit 592250ebfb
parent 1fb41f2a59
12 changed files with 1654 additions and 21 deletions
--- a/openldap-autoconf-pkgconfig-nss.patch
+++ b/openldap-autoconf-pkgconfig-nss.patch
@ -0,0 +1,49 @@
 Use pkg-config for Mozilla NSS library detection
 Author: Jan Vcelak <jvcelak@redhat.com>
 ---
 configure.in | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
 diff --git a/configure.in b/configure.in
 index ecffe30..2a9cfb4 100644
 --- a/configure.in
 +++ b/configure.in
@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
 	fi
 fi
 -dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
 -dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
 -dnl are not in the default system location
 if test $ol_link_tls = no ; then
 	if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
 -		have_moznss=no
 -		AC_CHECK_HEADERS([nssutil.h])
 -		if test "$ac_cv_header_nssutil_h" = yes ; then
 -			AC_CHECK_LIB([nss3], [NSS_Initialize],
 -						 [ have_moznss=yes ], [ have_moznss=no ])
 -		fi
 +		PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
 -		if test "$have_moznss" = yes ; then
 +		if test $have_moznss = yes ; then
 			ol_with_tls=moznss
 			ol_link_tls=yes
 -			AC_DEFINE(HAVE_MOZNSS, 1, 
 -					  [define if you have MozNSS])
 -			TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
 -		else
 -			if test $ol_with_tls = moznss ; then
 -			AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
 -			fi
 +			AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
 +			TLS_LIBS="$MOZNSS_LIBS"
 +			CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
 		fi
 	fi
 fi
 -- 
 1.7.11.7
--- a/openldap-nss-allow-certname-with-token-name.patch
+++ b/openldap-nss-allow-certname-with-token-name.patch
@ -0,0 +1,47 @@
 Accept nss certificate name in the form of tokenname:certnickname
 Author: Rich Megginson <rmeggins@redhat.com>
 Upstream ITS: #7360
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 5022efb..7377bb1 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 	return 0;
 }
 +/* returns true if the given string looks like 
 +   "tokenname" ":" "certnickname"
 +   This is true if there is a ':' colon character
 +   in the string and the colon is not the first
 +   or the last character in the string
 +*/
 +static int
 +tlsm_is_tokenname_certnick( const char *certfile )
 +{
 +	if ( certfile ) {
 +		const char *ptr = PL_strchr( certfile, ':' );
 +		return ptr && (ptr != certfile) && (*(ptr+1));
 +	}
 +	return 0;
 +}
 +
 static int
 tlsm_deferred_ctx_init( void *arg )
 {
@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg )
 		} else {
 			char *tmp_certname;
 -			if (ctx->tc_certdb_slot) {
 +			if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
 +				/* assume already in form tokenname:certnickname */
 +				tmp_certname = PL_strdup(lt->lt_certfile);
 +			} else if (ctx->tc_certdb_slot) {
 				tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile);
 			} else {
 				tmp_certname = PR_smprintf("%s", lt->lt_certfile);
 -- 
 1.7.11.4
--- a/openldap-nss-certs-from-certdb-fallback-pem.patch
+++ b/openldap-nss-certs-from-certdb-fallback-pem.patch
@ -0,0 +1,86 @@
 MozNSS: load certificates from certdb, fallback to PEM
 If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
 certificate database, the backend assumed that the certificate is always
 located in the certificate database. This assumption might be wrong.
 This patch makes the library to try to load the certificate from NSS
 database and fallback to PEM file if unsuccessfull.
 Author: Jan Vcelak <jvcelak@redhat.com>
 Upstream ITS: #7389
 Resolves: #857455
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 6847bea..8339391 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
 	/* prefer unlocked key, then key from opened certdb, then any other */
 	if ( unlocked_key )
 		ctx->tc_private_key = unlocked_key;
 -	else if ( ctx->tc_certdb_slot )
 +	else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
 		ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
 	else
 		ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
 				}
 				return -1;
 			}
 -
 -			ctx->tc_using_pem = PR_TRUE;
 		}
 		NSS_SetDomesticPolicy();
@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
 	/* set up our cert and key, if any */
 	if ( lt->lt_certfile ) {
 -		/* if using the PEM module, load the PEM file specified by lt_certfile */
 -		/* otherwise, assume this is the name of a cert already in the db */
 -		if ( ctx->tc_using_pem ) {
 -			/* this sets ctx->tc_certificate to the correct value */
 -			int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
 -			if ( rc ) {
 -				return rc;
 -			}
 -		} else {
 +
 +		/* first search in certdb (lt_certfile is nickname) */
 +		if ( ctx->tc_certdb ) {
 			char *tmp_certname;
 			if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
 				Debug( LDAP_DEBUG_ANY,
 					   "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
 					   lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
 +			}
 +		}
 +
 +		/* fallback to PEM module (lt_certfile is filename) */
 +		if ( !ctx->tc_certificate ) {
 +			if ( !pem_module && tlsm_init_pem_module() ) {
 +				int pem_errcode = PORT_GetError();
 +				Debug( LDAP_DEBUG_ANY,
 +					   "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
 +					   pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
 				return -1;
 			}
 +
 +			/* this sets ctx->tc_certificate to the correct value */
 +			if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
 +				ctx->tc_using_pem = PR_TRUE;
 +			}
 +		}
 +
 +		if ( ctx->tc_certificate ) {
 +			Debug( LDAP_DEBUG_ANY,
 +				   "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
 +				   ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
 +		} else {
 +			return -1;
 		}
 	}
--- a/openldap-nss-default-cipher-suite-always-selected.patch
+++ b/openldap-nss-default-cipher-suite-always-selected.patch
@ -0,0 +1,34 @@
 MozNSS: default cipher suite always selected
 Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
 Upstream ITS: #7285
 Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
 Resolves: #828790
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 23d843c..b608551 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
 		return -1;
 	}
 - 	if ( lt->lt_ciphersuite &&
 -	     tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
 - 		Debug( LDAP_DEBUG_ANY,
 -		       "TLS: could not set cipher list %s.\n",
 -		       lt->lt_ciphersuite, 0, 0 );
 -		return -1;
 +	if ( lt->lt_ciphersuite ) {
 +		if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
 +			Debug( LDAP_DEBUG_ANY,
 +			       "TLS: could not set cipher list %s.\n",
 +			       lt->lt_ciphersuite, 0, 0 );
 +			return -1;
 +		}
 	} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
  		Debug( LDAP_DEBUG_ANY,
 		       "TLS: could not set cipher list DEFAULT.\n",
 -- 
 1.7.10.4
--- a/openldap-nss-ignore-certdb-type-prefix.patch
+++ b/openldap-nss-ignore-certdb-type-prefix.patch
@ -0,0 +1,47 @@
 MozNSS: ignore certdb database type prefix when checking existence of the directory
 If the certdb is specified including the database type prefix (e.g.
 sql:, dbm:), the prefix has to be ignored when checking the
 certificate directory existence.
 Author: Jan Vcelak <jvcelak@redhat.com>
 Upstream ITS: #7388
 Resolves: #857373
 ---
 libraries/libldap/tls_m.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 49a3f8f..5ee21a2 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
 {
 	char sep = PR_GetDirectorySeparator();
 	char *ptr = NULL;
 +	char *chkpath = NULL;
 	struct PRFileInfo prfi;
 	PRStatus prc;
@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
 		return;
 	}
 -	prc = PR_GetFileInfo( certdir, &prfi );
 +	/* ignore database type prefix (e.g. sql:, dbm:) if provided */
 +	chkpath = strchr( certdir, ':' );
 +	if ( chkpath != NULL ) {
 +		chkpath += 1;
 +	} else {
 +		chkpath = certdir;
 +	}
 +
 	/* if certdir exists (file or directory) then it cannot specify a prefix */
 +	prc = PR_GetFileInfo( chkpath, &prfi );
 	if ( prc == PR_SUCCESS ) {
 		return;
 	}
 -- 
 1.7.11.7
--- a/openldap-nss-multiple-tls-contexts.patch
+++ b/openldap-nss-multiple-tls-contexts.patch
--- a/openldap-nss-pk11-freeslot.patch
+++ b/openldap-nss-pk11-freeslot.patch
@ -0,0 +1,23 @@
 Resolves: #929357
 Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
 Author: Rich Megginson <rmeggins@redhat.com>
 Date: Thu, 28 Mar 2013 19:05:02 -0600
 Modified by: Jan Synacek <jsynacek@redhat.com>
 This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 072d41d..c59d303 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -2151,6 +2151,8 @@
 				   "TLS: could not close certdb slot - error %d:%s.\n",
 				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
 		}
 +		PK11_FreeSlot( c->tc_certdb_slot );
 +		c->tc_certdb_slot = NULL;
 	}
 	if ( c->tc_pin_file ) {
 		PL_strfree( c->tc_pin_file );
--- a/openldap-nss-regex-search-hashed-cacert-dir.patch
+++ b/openldap-nss-regex-search-hashed-cacert-dir.patch
@ -0,0 +1,91 @@
 MozNSS: better file name matching for hashed CA  certificate directory
 CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
 should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
 to differentiate between two certificates with the same subject name.
 Wit this patch, certificate file names are matched correctly (using regular expressions).
 Author: Jan Vcelak <jvcelak@redhat.com>
 Upstream ITS: #7374
 Resolves: #852786
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 5e49fc5..61d71d4 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -38,6 +38,7 @@
 #include <ac/unistd.h>
 #include <ac/param.h>
 #include <ac/dirent.h>
 +#include <ac/regex.h>
 #include "ldap-int.h"
 #include "ldap-tls.h"
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
 #define PEM_LIBRARY	"nsspem"
 #define PEM_MODULE	"PEM"
 -/* hash files for use with cacertdir have this file name suffix */
 -#define PEM_CA_HASH_FILE_SUFFIX	".0"
 -#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
 +#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
 static SECMODModule *pem_module;
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 		PRDir *dir;
 		PRDirEntry *entry;
 		PRStatus fistatus = PR_FAILURE;
 +		regex_t hashfile_re;
 		memset( &fi, 0, sizeof(fi) );
 		fistatus = PR_GetFileInfo( cacertdir, &fi );
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 			goto done;
 		}
 +		if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
 +			Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
 +			goto done;
 +		}
 +
 		do {
 			entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
 			if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
 				char *fullpath = NULL;
 -				char *ptr;
 +				int match;
 -				ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
 -				if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
 +				match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
 +				if ( match == REG_NOMATCH ) {
 					Debug( LDAP_DEBUG_TRACE,
 -						   "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
 -						   "directory file with a properly hashed file name - skipping.\n",
 -						   entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
 +						   "TLS: skipping '%s' - filename does not have expected format "
 +						   "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
 +					continue;
 +				} else if ( match != 0 ) {
 +					Debug( LDAP_DEBUG_ANY,
 +						   "TLS: cannot execute regex for CA hash file matching (%d).\n",
 +						   match, 0, 0 );
 					continue;
 				}
 +
 				fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
 				if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
 					Debug( LDAP_DEBUG_TRACE,
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 				PR_smprintf_free( fullpath );
 			}
 		} while ( NULL != entry );
 +		regfree ( &hashfile_re );
 		PR_CloseDir( dir );
 	}
 done:
 -- 
 1.7.11.4
--- a/openldap-nss-update-list-of-ciphers.patch
+++ b/openldap-nss-update-list-of-ciphers.patch
@ -0,0 +1,193 @@
 MozNSS: update list of supported cipher suites
 The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
 Author: Jan Vcelak <jvcelak@redhat.com>
 Upstream ITS: #7374
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 1422ce2..5e49fc5 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
@@ -211,27 +211,34 @@ typedef struct {
 	int num;            /* The cipher id */
 	int attr;           /* cipher attributes: algorithms, etc */
 	int version;        /* protocol version valid for this cipher */
 -	int bits;           /* bits of strength */
 -	int alg_bits;       /* bits of the algorithm */
 	int strength;       /* LOW, MEDIUM, HIGH */
 	int enabled;        /* Enabled by default? */
 } cipher_properties;
 /* cipher attributes  */
 -#define SSL_kRSA  0x00000001L
 -#define SSL_aRSA  0x00000002L
 -#define SSL_aDSS  0x00000004L
 -#define SSL_DSS   SSL_aDSS
 -#define SSL_eNULL 0x00000008L
 -#define SSL_DES   0x00000010L
 -#define SSL_3DES  0x00000020L
 -#define SSL_RC4   0x00000040L
 -#define SSL_RC2   0x00000080L
 -#define SSL_AES   0x00000100L
 -#define SSL_MD5   0x00000200L
 -#define SSL_SHA1  0x00000400L
 -#define SSL_SHA   SSL_SHA1
 -#define SSL_RSA   (SSL_kRSA|SSL_aRSA)
 +#define SSL_kRSA        0x00000001L
 +#define SSL_aRSA        0x00000002L
 +#define SSL_RSA         (SSL_kRSA|SSL_aRSA)
 +#define SSL_aDSA        0x00000004L
 +#define SSL_DSA         SSL_aDSA
 +#define SSL_eNULL       0x00000008L
 +#define SSL_DES         0x00000010L
 +#define SSL_3DES        0x00000020L
 +#define SSL_RC4         0x00000040L
 +#define SSL_RC2         0x00000080L
 +#define SSL_AES128      0x00000100L
 +#define SSL_AES256      0x00000200L
 +#define SSL_AES         (SSL_AES128|SSL_AES256)
 +#define SSL_MD5         0x00000400L
 +#define SSL_SHA1        0x00000800L
 +#define SSL_kEDH        0x00001000L
 +#define SSL_CAMELLIA128 0x00002000L
 +#define SSL_CAMELLIA256 0x00004000L
 +#define SSL_CAMELLIA    (SSL_CAMELLIA128|SSL_CAMELLIA256)
 +#define SSL_SEED        0x00008000L
 +#define SSL_kECDH       0x00010000L
 +#define SSL_kECDHE      0x00020000L
 +#define SSL_aECDSA      0x00040000L
 /* cipher strength */
 #define SSL_NULL      0x00000001L
@@ -248,29 +255,70 @@ typedef struct {
 /* Cipher translation */
 static cipher_properties ciphers_def[] = {
 -	/* SSL 2 ciphers */
 -	{"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
 -	{"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 -	{"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 -	{"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
 -	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
 -	{"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
 -
 -	/* SSL3 ciphers */
 -	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 -	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 -	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
 -	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
 -	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
 -	{"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
 -	{"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
 -	{"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
 +
 +	/*
 +	 * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
 +	 */
 +
 +	/* SSLv2 ciphers */
 +	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
 +	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
 +	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
 +	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
 +	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
 +	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
 +
 +	/* SSLv3 ciphers */
 +	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
 +	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
 +	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
 +	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
 +	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
 +	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
 +	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
 +	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
 	/* TLSv1 ciphers */
 -	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 -	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 -	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
 -	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
 +	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
 +	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
 +	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
 +	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
 +	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
 +	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
 };
 #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
 					mask |= SSL_RSA;
 				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
 					mask |= SSL_eNULL;
 +				} else if (!strcmp(cipher, "AES128")) {
 +					mask |= SSL_AES128;
 +				} else if (!strcmp(cipher, "AES256")) {
 +					mask |= SSL_AES256;
 				} else if (!strcmp(cipher, "AES")) {
 					mask |= SSL_AES;
 				} else if (!strcmp(cipher, "3DES")) {
@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
 					mask |= SSL_MD5;
 				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
 					mask |= SSL_SHA1;
 +				} else if (!strcmp(cipher, "EDH")) {
 +					mask |= SSL_kEDH;
 +				} else if (!strcmp(cipher, "DSS")) {
 +					mask |= SSL_aDSA;
 +				} else if (!strcmp(cipher, "CAMELLIA128")) {
 +					mask |= SSL_CAMELLIA128;
 +				} else if (!strcmp(cipher, "CAMELLIA256")) {
 +					mask |= SSL_CAMELLIA256;
 +				} else if (!strcmp(cipher, "CAMELLIA")) {
 +					mask |= SSL_CAMELLIA;
 +				} else if (!strcmp(cipher, "SEED")) {
 +					mask |= SSL_SEED;
 +				} else if (!strcmp(cipher, "ECDH")) {
 +					mask |= SSL_kECDH;
 +				} else if (!strcmp(cipher, "ECDHE")) {
 +					mask |= SSL_kECDHE;
 +				} else if (!strcmp(cipher, "ECDSA")) {
 +					mask |= SSL_aECDSA;
 				} else if (!strcmp(cipher, "SSLv2")) {
 					protocol |= SSL2;
 				} else if (!strcmp(cipher, "SSLv3")) {
 -- 
 1.7.11.4
--- a/openldap-support-tlsv1-and-later.patch
+++ b/openldap-support-tlsv1-and-later.patch
@ -5,19 +5,18 @@ Backported-by: Jan Synacek <jsynacek@redhat.com>
 Upstream ITS: #7979
 Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
--- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
+--- openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:02:39.489493061 +0100
-+++ openldap-2.4.40/include/ldap.h	2015-01-27 14:52:42.741364186 +0100
+++ openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:23:07.239463097 +0100
-@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
+ 	case SSL_ERROR_BAD_CERT_DOMAIN:
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ 		break;
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
+ 	default:
-+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
+-		success = SECFailure;
 + 		success = SECFailure;
 		break;
 	}
- /* OpenLDAP SASL options */
+@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
 #define LDAP_OPT_X_SASL_MECH			0x6100
 --- openldap-2.4.40/libraries/libldap/tls_m.c	2014-09-19 03:48:49.000000000 +0200
 +++ openldap-2.4.40/libraries/libldap/tls_m.c	2015-01-27 14:57:25.702243542 +0100
@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
 	NSSInitContext *initctx = NULL;
 	PK11SlotInfo *certdb_slot = NULL;
 #endif
@ -26,8 +25,8 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
 	SECStatus rc;
 	int done = 0;
-@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
+@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
- 			ctx->tc_using_pem = PR_TRUE;
+ 			}
 		}
 +		/*
@ -43,4 +42,13 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
 		NSS_SetDomesticPolicy();
 		PK11_SetPasswordFunc( tlsm_pin_prompt );
 --- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
 +++ openldap-2.4.40/include/ldap.h	2014-11-14 09:25:54.560801030 +0100
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
 +#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
 /* OpenLDAP SASL options */
 #define LDAP_OPT_X_SASL_MECH			0x6100
--- a/openldap.spec
+++ b/openldap.spec
@ -5,7 +5,7 @@
 Name: openldap
 Version: 2.4.40
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -26,6 +26,13 @@ Patch2: openldap-reentrant-gethostby.patch
 Patch3: openldap-smbk5pwd-overlay.patch
 Patch4: openldap-man-sasl-nocanon.patch
 Patch5: openldap-ai-addrconfig.patch
 # nss patches, unlikely to ever get upstreamed
 Patch11: openldap-nss-update-list-of-ciphers.patch
 Patch12: openldap-tls-no-reuse-of-tls_session.patch
 Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch14: openldap-nss-ignore-certdb-type-prefix.patch
 Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
 Patch16: openldap-nss-pk11-freeslot.patch
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
@ -43,13 +50,16 @@ Patch22: openldap-require-non-empty-attributelist.patch
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
 # GCC 5 cpp patch, pending upstream inclusion (ITS #8056)
-Patch100: openldap-gcc-5.patch
+Patch101: openldap-gcc-5.patch
-BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
+BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
 BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
 # smbk5pwd overlay:
 BuildRequires: openssl-devel
 Requires: nss-tools
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -115,8 +125,14 @@ programs needed for accessing and modifying OpenLDAP directories.
 pushd openldap-%{version}
 # use pkg-config for Mozilla NSS library
 %patch100 -p1
 %patch101 -p1
 # alternative include paths for Mozilla NSS
 ln -s %{_includedir}/nss3 include/nss
 ln -s %{_includedir}/nspr4 include/nspr
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch0 -p1
@ -125,6 +141,12 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
@ -194,6 +216,7 @@ pushd openldap-%{version}
 	--without-fetch \
 	--with-threads \
 	--with-pic \
 	--with-tls=moznss \
 	--with-gnu-ld \
 	\
 	--libexecdir=%{_libdir}
@ -514,6 +537,9 @@ exit 0
 %{_mandir}/man3/*
 %changelog
 * Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
 - link against moznss again (#1187742)
 * Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
 - fix: Unknown Berkeley DB major version in db.h (#1191098)
--- a/slapd.ldif
+++ b/slapd.ldif
@ -9,9 +9,9 @@ cn: config
 #
 # TLS settings
 #
-#olcTLSCACertificatePath: /etc/openldap/certs/cacert.pem
+olcTLSCACertificatePath: /etc/openldap/certs
-#olcTLSCertificateFile: /etc/openldap/certs/servercert.pem
+olcTLSCertificateFile: "OpenLDAP Server"
-#olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
 #
 # Do not enable referrals until AFTER you have a working directory