diff --git a/CHANGES b/CHANGES
index eb2b458934fb802916df3e215e916ad9ce70394d..b7a55b435966e079843130b3a76b25180637db9f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,9 +2,9 @@ OpenLDAP 2.4 Change Log
OpenLDAP 2.4.24 Engineering
Added LDIF line wrapping setting (ITS#6645)
+ Added MozNSS support (ITS#6714,ITS#6742,ITS#6790,ITS#6791)
+ Added MozNSS support (ITS#6802,ITS#6811,ITS#6816,ITS#5696)
Added libldap concurrency support (ITS#6625,ITS#5421)
- Added libldap MozNSS non-blocking support (ITS#6714)
- Added libldap MozNSS cert centralization (ITS#6742)
Added libldap cert x500UniqueIdentifier handling (ITS#6741)
Added slapadd attribute value checking (ITS#6592)
Added slapcat continue mode for problematic DBs (ITS#6482)
@@ -39,9 +39,6 @@ OpenLDAP 2.4.24 Engineering
Fixed libldap ldap_open_internal_connection (ITS#6788)
Fixed libldap sync checking for BER errors (ITS#6738)
Fixed libldap variable usage (ITS#6813)
- Fixed libldap MozNSS default cipher suites (ITS#6790)
- Fixed libldap MozNSS cert usage types/values (ITS#6791)
- Fixed libldap MozNSS restart module after fork() (ITS#6802,ITS#6811)
Fixed liblutil getpass prompts (ITS#6702)
Fixed ldapsearch segfault with deref (ITS#6638)
Fixed ldapsearch multiple controls parsing (ITS#6651)
diff --git a/doc/guide/admin/appendix-recommended-versions.sdf b/doc/guide/admin/appendix-recommended-versions.sdf
index 4fd651eb69954ce8b74cbf15df45d1f9217dcfc0..dfee0e4a2165688b9bedc356749cb14f65644387 100644
--- a/doc/guide/admin/appendix-recommended-versions.sdf
+++ b/doc/guide/admin/appendix-recommended-versions.sdf
@@ -17,6 +17,7 @@ Feature|Software|Version
{{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|2.0.1
+|{{PRD:MozNSS}}|3.12.9
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version
diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
index f7f85ff0168ebbc6cf01be1235750dad703197eb..3683f98cbdb10fab5d790c725b2bc9539b1545a2 100644
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@@ -1361,8 +1361,10 @@ AuthcId
MChAODQ
lookups
GnuTLS
-GNUtls
gnutls
+MozNSS
+MOZNSS
+moznss
LTONLY
SNMP
timelimit
diff --git a/doc/guide/admin/install.sdf b/doc/guide/admin/install.sdf
index c41dab6c6c5b63cb3a421e4162d55a9836d60787..b398dc3b79c5a49ef5a86274770182d938032b4d 100644
--- a/doc/guide/admin/install.sdf
+++ b/doc/guide/admin/install.sdf
@@ -63,15 +63,16 @@ installation instructions provided with it.
H3: {{TERM[expand]TLS}}
-OpenLDAP clients and servers require installation of either {{PRD:OpenSSL}}
-or {{PRD:GnuTLS}}
+OpenLDAP clients and servers require installation of {{PRD:OpenSSL}},
+ {{PRD:GnuTLS}}, or {{PRD:MozNSS}}
{{TERM:TLS}} libraries to provide {{TERM[expand]TLS}} services. Though
some operating systems may provide these libraries as part of the
-base system or as an optional software component, OpenSSL and GnuTLS often
-require separate installation.
+base system or as an optional software component, OpenSSL, GnuTLS, and
+Mozilla NSS often require separate installation.
OpenSSL is available from {{URL: http://www.openssl.org/}}.
GnuTLS is available from {{URL: http://www.gnu.org/software/gnutls/}}.
+Mozilla NSS is available from {{URL: http://developer.mozilla.org/en/NSS}}.
OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's
{{EX:configure}} detects a usable TLS library.
diff --git a/doc/guide/admin/intro.sdf b/doc/guide/admin/intro.sdf
index 591f48162a7586ce7f1a83b3a2921055d75ec429..5655032a8aaa72cadcc18401a56d48f85c59cab4 100644
--- a/doc/guide/admin/intro.sdf
+++ b/doc/guide/admin/intro.sdf
@@ -384,7 +384,8 @@ SASL}} software which supports a number of mechanisms including
{{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based
authentication and data security (integrity and confidentiality)
services through the use of TLS (or SSL). {{slapd}}'s TLS
-implementation can utilize either {{PRD:OpenSSL}} or {{PRD:GnuTLS}} software.
+implementation can utilize {{PRD:OpenSSL}}, {{PRD:GnuTLS}},
+or {{PRD:MozNSS}} software.
{{B:Topology control}}: {{slapd}} can be configured to restrict
access at the socket layer based upon network topology information.
diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf
index 696d824506a388d24df67fe27b1038315f463868..d804bbb8d92d5eb2757e319757d8b209297ecb9b 100644
--- a/doc/guide/admin/tls.sdf
+++ b/doc/guide/admin/tls.sdf
@@ -19,7 +19,8 @@ identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a
valid certificate in order to authenticate via SASL EXTERNAL.
For more information on creating and managing certificates,
-see the {{PRD:OpenSSL}} documentation.
+see the {{PRD:OpenSSL}}, {{PRD:GnuTLS}}, or {{PRD:MozNSS}} documentation,
+depending on which TLS implementation libraries you are using.
H3: Server Certificates
@@ -89,12 +90,37 @@ this option can only be used with a filesystem that actually supports
symbolic links. In general, it is simpler to use the
{{EX:TLSCACertificateFile}} directive instead.
+When using Mozilla NSS, this directive can be used to specify the
+path of the directory containing the NSS certificate and key database
+files. The {{certutil}} command can be used to add a {{TERM:CA}} certificate:
+
+> certutil -d <path> -A -n "name of CA cert" -t CT,, -a -i /path/to/cacertfile.pem
+
+. This command will add a CA certficate stored in the PEM (ASCII) formatted
+. file named /path/to/cacertfile.pem. {{EX:-t CT,,}} means that the certificate is
+. trusted to be a CA issuing certs for use in TLS clients and servers.
+
H4: TLSCertificateFile <filename>
This directive specifies the file that contains the slapd server
certificate. Certificates are generally public information and
require no special protection.
+When using Mozilla NSS, if using a cert/key database (specified with
+{{EX:TLSCACertificatePath}}), this directive specifies
+the name of the certificate to use:
+
+> TLSCertificateFile Server-Cert
+
+. If using a token other than the internal built in token, specify the
+. token name first, followed by a colon:
+
+> TLSCertificateFile my hardware device:Server-Cert
+
+. Use {{EX:certutil -L}} to list the certificates by name:
+
+> certutil -d /path/to/certdbdir -L
+
H4: TLSCertificateKeyFile <filename>
This directive specifies the file that contains the private key
@@ -104,6 +130,18 @@ password encrypted for protection. However, the current implementation
doesn't support encrypted keys so the key must not be encrypted
and the file itself must be protected carefully.
+When using Mozilla NSS, this directive specifies the name of
+a file that contains the password for the key for the certificate specified with
+{{EX:TLSCertificateFile}}. The modutil command can be used to turn off password
+protection for the cert/key database. For example, if {{EX:TLSCACertificatePath}}
+specifes /etc/openldap/certdb as the location of the cert/key database, use
+modutil to change the password to the empty string:
+
+> modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+
+. You must have the old password, if any. Ignore the WARNING about the running
+. browser. Press 'Enter' for the new password.
+
H4: TLSCipherSuite <cipher-suite-spec>
This directive configures what ciphers will be accepted and the
@@ -114,15 +152,22 @@ specification for OpenSSL. You can use the command
to obtain a verbose list of available cipher specifications.
-To obtain the list of ciphers in GNUtls use:
-
-> gnutls-cli -l
-
Besides the individual cipher names, the specifiers {{EX:HIGH}},
{{EX:MEDIUM}}, {{EX:LOW}}, {{EX:EXPORT}}, and {{EX:EXPORT40}}
may be helpful, along with {{EX:TLSv1}}, {{EX:SSLv3}},
and {{EX:SSLv2}}.
+To obtain the list of ciphers in GnuTLS use:
+
+> gnutls-cli -l
+
+When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
+translated into the format used internally by Mozilla NSS. There isn't an easy
+way to list the cipher suites from the command line. The authoritative list
+is in the source code for Mozilla NSS in the file sslinfo.c in the structure
+
+> static const SSLCipherSuiteInfo suiteInfo[]
+
H4: TLSRandFile <filename>
This directive specifies the file to obtain random bits from when
@@ -141,6 +186,8 @@ copy a few hundred bytes of arbitrary data into the file. The file
is only used to provide a seed for the pseudo-random number generator,
and it doesn't need very much data to work.
+This directive is ignored with GnuTLS and Mozilla NSS.
+
H4: TLSEphemeralDHParamFile <filename>
This directive specifies the file that contains parameters for
@@ -152,6 +199,8 @@ processed. Parameters can be generated using the following command
> openssl dhparam [-dsaparam] -out <filename> <numbits>
+This directive is ignored with GnuTLS and Mozilla NSS.
+
H4: TLSVerifyClient { never | allow | try | demand }
This directive specifies what checks to perform on client certificates
@@ -210,7 +259,7 @@ H4: TLS_CACERTDIR <path>
This is equivalent to the server's {{EX:TLSCACertificatePath}} option. The
specified directory must be managed with the OpenSSL {{c_rehash}}
-utility as well.
+utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
H4: TLS_CERT <filename>
@@ -218,6 +267,22 @@ This directive specifies the file that contains the client certificate.
This is a user-only directive and can only be specified in a user's
{{.ldaprc}} file.
+When using Mozilla NSS, if using a cert/key database (specified with
+{{EX:TLS_CACERTDIR}}), this directive specifies
+the name of the certificate to use:
+
+> TLS_CERT Certificate for Sam Carter
+
+. If using a token other than the internal built in token, specify the
+. token name first, followed by a colon:
+
+> TLS_CERT my hardware device:Certificate for Sam Carter
+
+. Use {{EX:certutil -L}} to list the certificates by name:
+
+> certutil -d /path/to/certdbdir -L
+
+
H4: TLS_KEY <filename>
This directive specifies the file that contains the private key
diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf
index 966542cada3dec2fa98b2cd68cc3c20709771711..fad19642592d671414cf4d18a90eaa795fc1ed4c 100644
--- a/doc/guide/preamble.sdf
+++ b/doc/guide/preamble.sdf
@@ -136,6 +136,7 @@ GnuTLS|http://www.gnu.org/software/gnutls/
Heimdal|http://www.pdc.kth.se/heimdal/
JLDAP|http://www.openldap.org/jldap/
MIT Kerberos|http://web.mit.edu/kerberos/www/
+MozNSS|http://developer.mozilla.org/en/NSS
OpenLDAP|http://www.openldap.org/
OpenLDAP FAQ|http://www.openldap.org/faq/
OpenLDAP ITS|http://www.openldap.org/its/
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index cdf7d91c68eb05ea1a6585f0b64bcb24a8c9e385..ecb5edecb8cb9da9bc814ed9bb1ec5dee5af1666 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -686,7 +686,7 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
-Ignored by GnuTLS.
+Ignored by GnuTLS and Mozilla NSS.
.TP
.B LDAP_OPT_X_TLS_KEYFILE
Sets/gets the full-path of the certificate key file.
@@ -731,7 +731,7 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
-Ignored by GnuTLS older than version 2.2.
+Ignored by GnuTLS older than version 2.2. Ignored by Mozilla NSS.
.TP
.B LDAP_OPT_X_TLS_REQUIRE_CERT
Sets/gets the peer certificate checking strategy,
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 6a8c949a1cd8ea07cbeade0a2a7807f19099f922..ff071b360f9b612e35786c888561a40f3b28646c 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,11 +317,31 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+database. If <path> contains a Mozilla NSS cert/key database and
+CA cert files, OpenLDAP will use the cert/key database and will
+ignore the CA cert files.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
.B This is a user-only option.
+
+When using Mozilla NSS, if using a cert/key database (specified with
+TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
+.nf
+ TLS_CERT Certificate for Sam Carter
+.fi
+If using a token other than the internal built in token, specify the
+token name first, followed by a colon:
+.nf
+ TLS_CERT my hardware device:Certificate for Sam Carter
+.fi
+Use certutil -L to list the certificates by name:
+.nf
+ certutil -d /path/to/certdbdir -L
+.fi
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
@@ -330,29 +350,68 @@ stored in the
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
.B This is a user-only option.
+
+When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
+the password for the key for the certificate specified with TLS_CERT. The
+modutil command can be used to turn off password protection for the cert/key
+database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
+the location of the cert/key database, use modutil to change the password
+to the empty string:
+.nf
+ modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
+.fi
+You must have the old password, if any. Ignore the WARNING about the running
+browser. Press 'Enter' for the new password.
+
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL,
-e.g., HIGH:MEDIUM:+SSLv2.
+<cipher-suite-spec> should be a cipher specification for
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
+Example:
+.RS
+.RS
+.TP
+.I OpenSSL:
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
+.TP
+.I GnuTLS:
+TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
+.RE
-To check what ciphers a given spec selects, use:
+To check what ciphers a given spec selects in OpenSSL, use:
.nf
openssl ciphers \-v <cipher-suite-spec>
.fi
-To obtain the list of ciphers in GNUtls use:
+With GnuTLS the available specs can be found in the manual page of
+.BR gnutls\-cli (1)
+(see the description of the
+option
+.BR \-\-priority ).
+
+In older versions of GnuTLS, where gnutls\-cli does not support the option
+\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
.nf
- gnutls-cli \-l
+ gnutls\-cli \-l
.fi
+
+When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
+translated into the format used internally by Mozilla NSS. There isn't an easy
+way to list the cipher suites from the command line. The authoritative list
+is in the source code for Mozilla NSS in the file sslinfo.c in the structure
+.nf
+ static const SSLCipherSuiteInfo suiteInfo[]
+.fi
+.RE
.TP
.B TLS_RANDFILE <filename>
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS and Mozilla NSS.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
@@ -385,7 +444,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
-parameter to be set. This parameter is ignored with GNUtls.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
.B <level>
can be specified as one of the following keywords:
.RS
@@ -403,7 +462,7 @@ Check the CRL for a whole certificate chain
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
-parameter is only supported with GNUtls.
+parameter is only supported with GnuTLS and Mozilla NSS.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 23ff1e9a072081e961d6f950432b82a9de27d3e1..80e0bce7ac025bd9de2947f2028f2dcb8f76871f 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -803,7 +803,8 @@ you can specify.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
Example:
.RS
.RS
@@ -811,7 +812,7 @@ Example:
.I OpenSSL:
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
.TP
-.I GNUtls:
+.I GnuTLS:
TLSCiphersuite SECURE256:!AES-128-CBC
.RE
@@ -821,18 +822,26 @@ To check what ciphers a given spec selects in OpenSSL, use:
openssl ciphers \-v <cipher-suite-spec>
.fi
-With GNUtls the available specs can be found in the manual page of
+With GnuTLS the available specs can be found in the manual page of
.BR gnutls\-cli (1)
(see the description of the
option
.BR \-\-priority ).
-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
.nf
gnutls\-cli \-l
.fi
+
+When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
+translated into the format used internally by Mozilla NSS. There isn't an easy
+way to list the cipher suites from the command line. The authoritative list
+is in the source code for Mozilla NSS in the file sslinfo.c in the structure
+.nf
+ static const SSLCipherSuiteInfo suiteInfo[]
+.fi
.RE
.TP
.B olcTLSCACertificateFile: <filename>
@@ -846,12 +855,33 @@ Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used. This directive is not supported
-when using GNUtls.
+when using GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+database. If <path> contains a Mozilla NSS cert/key database and
+CA cert files, OpenLDAP will use the cert/key database and will
+ignore the CA cert files.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
.B slapd
server certificate.
+
+When using Mozilla NSS, if using a cert/key database (specified with
+olcTLSCACertificatePath), olcTLSCertificateFile specifies
+the name of the certificate to use:
+.nf
+ olcTLSCertificateFile: Server-Cert
+.fi
+If using a token other than the internal built in token, specify the
+token name first, followed by a colon:
+.nf
+ olcTLSCertificateFile: my hardware device:Server-Cert
+.fi
+Use certutil -L to list the certificates by name:
+.nf
+ certutil -d /path/to/certdbdir -L
+.fi
.TP
.B olcTLSCertificateKeyFile: <filename>
Specifies the file that contains the
@@ -863,6 +893,19 @@ be manually typed in when slapd starts. Usually the private key is not
protected with a password, to allow slapd to start without manual
intervention, so
it is of critical importance that the file is protected carefully.
+
+When using Mozilla NSS, olcTLSCertificateKeyFile specifies the name of
+a file that contains the password for the key for the certificate specified with
+olcTLSCertificateFile. The modutil command can be used to turn off password
+protection for the cert/key database. For example, if olcTLSCACertificatePath
+specifes /etc/openldap/certdb as the location of the cert/key database, use
+modutil to change the password to the empty string:
+.nf
+ modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+.fi
+You must have the old password, if any. Ignore the WARNING about the running
+browser. Press 'Enter' for the new password.
+
.TP
.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
@@ -872,14 +915,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done. When using GNUtls these parameters are always generated randomly
+be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
-This directive is ignored with GNUtls.
+This directive is ignored with GnuTLS and Mozilla NSS.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
@@ -921,7 +964,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
-parameter to be set. This parameter is ignored with GNUtls.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
.B <level>
can be specified as one of the following keywords:
.RS
@@ -939,7 +982,7 @@ Check the CRL for a whole certificate chain
.B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This parameter
-is only valid when using GNUtls.
+is only valid when using GnuTLS or Mozilla NSS.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index e026815f3c81ad8f0d3e43cdd87dbca6e8f07fa4..b28a2ebc5020d6afd3a2f3af6b164d23f247071a 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1034,7 +1034,8 @@ you can specify.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls.
+<cipher-suite-spec> should be a cipher specification for the TLS library
+in use (OpenSSL, GnuTLS, or Mozilla NSS).
Example:
.RS
.RS
@@ -1042,7 +1043,7 @@ Example:
.I OpenSSL:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
.TP
-.I GNUtls:
+.I GnuTLS:
TLSCiphersuite SECURE256:!AES-128-CBC
.RE
@@ -1052,18 +1053,26 @@ To check what ciphers a given spec selects in OpenSSL, use:
openssl ciphers \-v <cipher-suite-spec>
.fi
-With GNUtls the available specs can be found in the manual page of
+With GnuTLS the available specs can be found in the manual page of
.BR gnutls\-cli (1)
(see the description of the
option
.BR \-\-priority ).
-In older versions of GNUtls, where gnutls\-cli does not support the option
+In older versions of GnuTLS, where gnutls\-cli does not support the option
\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
.nf
gnutls\-cli \-l
.fi
+
+When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
+translated into the format used internally by Mozilla NSS. There isn't an easy
+way to list the cipher suites from the command line. The authoritative list
+is in the source code for Mozilla NSS in the file sslinfo.c in the structure
+.nf
+ static const SSLCipherSuiteInfo suiteInfo[]
+.fi
.RE
.TP
.B TLSCACertificateFile <filename>
@@ -1076,12 +1085,33 @@ will recognize.
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used. This directive is not supported
-when using GNUtls.
+when using GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+database. If <path> contains a Mozilla NSS cert/key database and
+CA cert files, OpenLDAP will use the cert/key database and will
+ignore the CA cert files.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
+
+When using Mozilla NSS, if using a cert/key database (specified with
+TLSCACertificatePath), TLSCertificateFile specifies
+the name of the certificate to use:
+.nf
+ TLSCertificateFile Server-Cert
+.fi
+If using a token other than the internal built in token, specify the
+token name first, followed by a colon:
+.nf
+ TLSCertificateFile my hardware device:Server-Cert
+.fi
+Use certutil -L to list the certificates by name:
+.nf
+ certutil -d /path/to/certdbdir -L
+.fi
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
@@ -1090,6 +1120,18 @@ server private key that matches the certificate stored in the
.B TLSCertificateFile
file. Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully.
+
+When using Mozilla NSS, TLSCertificateKeyFile specifies the name of
+a file that contains the password for the key for the certificate specified with
+TLSCertificateFile. The modutil command can be used to turn off password
+protection for the cert/key database. For example, if TLSCACertificatePath
+specifes /etc/openldap/certdb as the location of the cert/key database, use
+modutil to change the password to the empty string:
+.nf
+ modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+.fi
+You must have the old password, if any. Ignore the WARNING about the running
+browser. Press 'Enter' for the new password.
.TP
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
@@ -1099,14 +1141,14 @@ them will be processed. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done. When using GNUtls these parameters are always generated randomly so
-this directive is ignored.
+be done. When using GnuTLS these parameters are always generated randomly so
+this directive is ignored. This directive is ignored when using Mozilla NSS.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
-This directive is ignored with GNUtls.
+This directive is ignored with GnuTLS and Mozilla NSS.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
@@ -1148,7 +1190,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
-parameter to be set. This directive is ignored with GNUtls.
+parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS.
.B <level>
can be specified as one of the following keywords:
.RS
@@ -1166,7 +1208,7 @@ Check the CRL for a whole certificate chain
.B TLSCRLFile <filename>
Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This directive is
-only valid when using GNUtls.
+only valid when using GnuTLS and Mozilla NSS.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every