From f9592d83d8804ba9f39912679f6c87bc343ec719 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 21 Jan 2015 17:36:29 -0800
Subject: [PATCH 302/305] Ticket #47996 - ldclt needs to support SSL Version
range
Description: ldclt did not have code to set the enabled SSL version.
This patch sets the range.min and range.max based upon the range that
the linked NSS provides.
https://fedorahosted.org/389/ticket/47996
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 7c30e11f6f337472dace6f146845bb14f5601e2b)
(cherry picked from commit 6431142506a05e9ef4c095b538d7d852f176e300)
(cherry picked from commit cef5810bd981d2080820ce58f20504fbfd95c54c)
(cherry picked from commit d26ed48cb78c034462757dece5dfcb2ef569bdd1)
---
ldap/servers/slapd/tools/ldclt/ldapfct.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index 8fd3304..1c9aea0 100644
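--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -275,6 +275,7 @@ int ldclt_build_control( char *oid, BerElement *ber, int freeber, char iscritica
 #endif
 int ldclt_alloc_ber( LDAP *ld, BerElement **berp );
 
+static SSLVersionRange enabledNSSVersions;
 
 /* ****************************************************************************
 FUNCTION : my_ldap_err2string
@@ -647,14 +648,6 @@ ldclt_clientauth(thread_context *tttctx, LDAP *ld, const char *path, const char
 thrdNum = tttctx->thrdNum;
 }
 
- rc = NSS_Initialize(path, "", "", SECMOD_DB, NSS_INIT_READONLY);
- if (rc != SECSuccess) {
- printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
- mctx.pid, thrdNum, path, PR_GetError());
- fflush(stdout);
- goto done;
- }
-
 if ((colon = PL_strchr(certname, ':' ))) {
 token_name = PL_strndup(certname, colon-certname);
 }
@@ -741,6 +734,7 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
 int thrdNum = 0;
 int ret = -1;
 int binded = 0;
+ SSLVersionRange range;
 
 if (tttctx) {
 thrdNum = tttctx->thrdNum;
@@ -787,6 +781,21 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
 free(certdir);
 goto done;
 }
+ /* Initialize NSS */
+ ret = NSS_Initialize(certdir, "", "", SECMOD_DB, NSS_INIT_READONLY);
+ if (ret != SECSuccess) {
+ printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
+ mctx.pid, thrdNum, certdir, PR_GetError());
+ fflush(stdout);
+ goto done;
+ }
+
+ /* Set supported SSL version range. */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ range.min = enabledNSSVersions.min;
+ range.max = enabledNSSVersions.max;
+ SSL_VersionRangeSetDefault(ssl_variant_stream, &range);
+
 if ((mode & CLTAUTH) &&
 (ret = ldclt_clientauth(tttctx, ld, certdir, mctx.cltcertname, mctx.keydbpin))) {
 free(certdir);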
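Review bot: In the last hunk both `SSL_VersionRangeGetSupported()` and `SSL_VersionRangeSetDefault()` have their `SECStatus` results discarded, so a failed query copies the zero-initialised static `enabledNSSVersions` into `range` and a failed set goes unreported, leaving the connection on whatever range NSS defaults to. Taking the library's whole supported range as the default also enables the oldest protocol the linked NSS still implements, which on older builds may include SSL 3.0; if that is not wanted for this tool, raise the floor before the set call with `if (range.min < SSL_LIBRARY_VERSION_TLS_1_0) range.min = SSL_LIBRARY_VERSION_TLS_1_0;`. The new `NSS_Initialize` failure branch jumps to `done` without the `free(certdir)` that the error branches directly before and after it perform, which looks like a leak unless `done:` frees it; `connectToLDAP` continues outside the hunk, so that label is not visible here. The file-scope static is written from `connectToLDAP`, which takes a thread context, so filling the local `range` directly would avoid a shared write and make the static unnecessary.

```c
  /* … unchanged: NSS_Initialize(certdir, …) call and its error message … */
    fflush(stdout);
    free(certdir);  /* matches the neighbouring error paths; confirm done: does not free it */
    goto done;
  }

  /* Set supported SSL version range. */
  if (SSL_VersionRangeGetSupported(ssl_variant_stream, &range) != SECSuccess ||
      SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) {
    printf ("ldclt[%d]: T%03d: Cannot set the SSL version range %d\n",
            mctx.pid, thrdNum, PR_GetError());
    fflush(stdout);
    free(certdir);
    ret = -1;  /* ret holds SECSuccess from NSS_Initialize at this point */
    goto done;
  }
  /* … unchanged: CLTAUTH branch calling ldclt_clientauth() … */
```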
--
1.9.3