
From f9592d83d8804ba9f39912679f6c87bc343ec719 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 21 Jan 2015 17:36:29 -0800
Subject: [PATCH 302/305] Ticket #47996 - ldclt needs to support SSL Version
 range
Description: ldclt did not have code to set the enabled SSL version.
This patch sets the range.min and range.max based upon the range that
the linked NSS provides.
https://fedorahosted.org/389/ticket/47996
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 7c30e11f6f337472dace6f146845bb14f5601e2b)
(cherry picked from commit 6431142506a05e9ef4c095b538d7d852f176e300)
(cherry picked from commit cef5810bd981d2080820ce58f20504fbfd95c54c)
(cherry picked from commit d26ed48cb78c034462757dece5dfcb2ef569bdd1)
---
 ldap/servers/slapd/tools/ldclt/ldapfct.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
dc8c34
index 8fd3304..1c9aea0 100644
dc8c34
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
dc8c34
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
dc8c34
@@ -275,6 +275,7 @@ int ldclt_build_control( char *oid, BerElement *ber, int freeber, char iscritica
dc8c34
 #endif
dc8c34
 int ldclt_alloc_ber( LDAP *ld, BerElement **berp );
dc8c34
 
dc8c34
+static SSLVersionRange enabledNSSVersions;
dc8c34
 
dc8c34
 /* ****************************************************************************
dc8c34
 	FUNCTION :	my_ldap_err2string
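Review bot: `static SSLVersionRange enabledNSSVersions;` added at the top of this hunk is file-scope state whose only use, in the later connectToLDAP hunk, is to be copied field by field into the local `range` that the same function declares; nothing needs it to outlive the call. Because connectToLDAP takes a thread_context and looks per-thread, several threads may write this single static concurrently, which is an unsynchronized shared write even if the value they write is the same. Suggest dropping the static and filling the local directly: `SSL_VersionRangeGetSupported(ssl_variant_stream, &range);` then `SSL_VersionRangeSetDefault(ssl_variant_stream, &range);`, which also removes the two copy lines. If a file-scope copy is really wanted for diagnostics, a comment stating that it is write-once and which caller owns it would help the next reader.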
dc8c34
@@ -647,14 +648,6 @@ ldclt_clientauth(thread_context	*tttctx, LDAP *ld, const char *path, const char
dc8c34
       thrdNum = tttctx->thrdNum;
dc8c34
   }
dc8c34
 
dc8c34
-  rc = NSS_Initialize(path, "", "", SECMOD_DB, NSS_INIT_READONLY);
dc8c34
-  if (rc != SECSuccess) {
dc8c34
-    printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
dc8c34
-	    mctx.pid, thrdNum, path, PR_GetError());
dc8c34
-    fflush(stdout);
dc8c34
-    goto done;
dc8c34
-  }
dc8c34
-
dc8c34
   if ((colon = PL_strchr(certname, ':' ))) {
dc8c34
     token_name = PL_strndup(certname, colon-certname);
dc8c34
   }
dc8c34
@@ -741,6 +734,7 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
dc8c34
   int thrdNum = 0;
dc8c34
   int ret = -1;
dc8c34
   int binded = 0;
dc8c34
+  SSLVersionRange range;
dc8c34
 
dc8c34
   if (tttctx) {
dc8c34
     thrdNum = tttctx->thrdNum;
dc8c34
@@ -787,6 +781,21 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
dc8c34
       free(certdir);
dc8c34
       goto done;
dc8c34
     }
dc8c34
+	/* Initialize NSS */
dc8c34
+    ret = NSS_Initialize(certdir, "", "", SECMOD_DB, NSS_INIT_READONLY);
dc8c34
+    if (ret != SECSuccess) {
dc8c34
+      printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
dc8c34
+              mctx.pid, thrdNum, certdir, PR_GetError());
dc8c34
+      fflush(stdout);
dc8c34
+      goto done;
dc8c34
+    }
dc8c34
+
dc8c34
+	/* Set supported SSL version range. */
dc8c34
+    SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
dc8c34
+    range.min = enabledNSSVersions.min;
dc8c34
+    range.max = enabledNSSVersions.max;
dc8c34
+    SSL_VersionRangeSetDefault(ssl_variant_stream, &range);
dc8c34
+
dc8c34
     if ((mode & CLTAUTH) &&
dc8c34
         (ret = ldclt_clientauth(tttctx, ld, certdir, mctx.cltcertname, mctx.keydbpin))) {
dc8c34
       free(certdir);
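Review bot: The new `NSS_Initialize` failure path does `goto done;` without `free(certdir);`, while both neighbouring error paths in this hunk (the one just above and the CLTAUTH one just below) free `certdir` before jumping, so this path leaks it unless `done:` (outside the hunk) frees it. The results of `SSL_VersionRangeGetSupported` and `SSL_VersionRangeSetDefault` are also discarded; both return SECStatus like `NSS_Initialize`, and on a failed Get the copy into `range` reads an uninitialized struct, so they should be checked the same way as the call above them, as in the excerpt below (adding `free(certdir);` before the existing `goto done;` in the NSS_Initialize block is the one-line fix for the leak). Moving `NSS_Initialize` here means it now runs on every SSL connect rather than only for client auth; whether a repeated initialize in one process is a harmless no-op depends on the NSS version, so guarding it with `NSS_IsInitialized()` or confirming the behaviour would be worth a comment. Setting the default to the full supported range also makes the lowest protocol this NSS was built with the client's floor, which is fine for a load generator but deserves a comment, or a configurable minimum, so that test results against version-restricted servers are interpreted correctly. Minor style: the two comment lines (`/* Initialize NSS */`, `/* Set supported SSL version range. */`) are tab-indented while the surrounding code uses spaces; connectToLDAP continues beyond the end of this hunk.
```c
    /* Set supported SSL version range. */
    if (SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions) != SECSuccess) {
      printf ("ldclt[%d]: T%03d: Cannot get supported SSL version range %d\n",
              mctx.pid, thrdNum, PR_GetError());
      fflush(stdout);
      free(certdir);
      goto done;
    }
    range.min = enabledNSSVersions.min;
    range.max = enabledNSSVersions.max;
    if (SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) {
      printf ("ldclt[%d]: T%03d: Cannot set default SSL version range %d\n",
              mctx.pid, thrdNum, PR_GetError());
      fflush(stdout);
      free(certdir);
      goto done;
    }
    /* … unchanged: CLTAUTH client-auth block … */
```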
-- 
1.9.3