From 3256d3368f8f68bb37a93e15a3c451f2229b6364 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Sat, 11 Apr 2015 23:34:30 -0700
Subject: [PATCH 313/319] Ticket #47928 - Disable SSL v3, by default
[389-ds-base-1.2.11 only]
|
Description: commit 17fc03cf1101135b99234f17efd3eb746626be1a introduced a
defect "bz 1210996 - TLS1 can't be turned off". This patch correctly sets
SSLv3 to minimum and maximum version if nsTLS1 is off. If both nsSSL3 and
nsTLS1 are off, it forces nsTLS1 on and logs this in the error log.
|
(cherry picked from commit f0d0930540bf41e5551fb629f18c35edcd67acfd)
---
ldap/servers/slapd/ssl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
|
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index c30ebd6..5451d6e 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1352,6 +1352,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
}
slapi_ch_free_string( &val );
+ freeConfigEntry( &e );
}
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
if (NSSVersionMin > 0) {
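Review bot: Moving `freeConfigEntry( &e );` up to the end of the value-reading block (the old call at the bottom of the function is removed in the last hunk) leaves `e` pointing at freed memory for the remainder of slapd_ssl_init2. None of the lines visible in the other hunks read `e`, but the stretches between them are outside this patch, so confirm no later use of `e` remains before the early `return 0;` that this move is meant to serve. If freeConfigEntry does not already null the pointer, `e = NULL;` after the call would make a missed use fail visibly rather than read freed memory. The enclosing function starts before and ends after this hunk.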
@@ -1359,9 +1360,16 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
/* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
if (enableTLS1) {
NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else {
+ NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+ NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
}
if (enableSSL3) {
NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+ } else if (!enableTLS1) {
+ slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1.");
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ NSSVersionMax = enabledNSSVersions.max;
}
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
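Review bot: The protocol range is assembled across two independent if-chains, so on the both-off path NSSVersionMin and NSSVersionMax are each assigned twice (first pinned to SSL_LIBRARY_VERSION_3_0 in the new `else`, then overwritten in the new `else if (!enableTLS1)`), and a reader has to trace both chains to see which of the four nsSSL3/nsTLS1 combinations ends where. For a setting that decides whether the server can be driven down to SSLv3, one decision block per combination is easier to audit; the rewrite below is outcome-equivalent, including the nsTLS1-on/nsSSL3-on case where NSSVersionMax keeps whatever value it was given before this hunk. A comment on the SSLv3-only branch, `/* nsTLS1 off, nsSSL3 on: SSLv3 is the only protocol left */`, would record that the single-version range is intentional. The enclosing `if (NSSVersionMin > 0)` block and the function continue outside the hunk.
```c
/* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
if (enableTLS1) {
    NSSVersionMin = enableSSL3 ? SSL_LIBRARY_VERSION_3_0 : SSL_LIBRARY_VERSION_TLS_1_0;
} else if (enableSSL3) {
    /* nsTLS1 off, nsSSL3 on: SSLv3 is the only protocol left */
    NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
    NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
} else {
    slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1.");
    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
    NSSVersionMax = enabledNSSVersions.max;
}
/* … unchanged: slapdNSSVersions.min/max assignment … */
```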
@@ -1375,8 +1383,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
/* Set the restricted value to the cn=encryption entry */
} else {
slapd_SSL_error("SSL Initialization 2: "
- "Failed to set SSL range: min: %s, max: %s\n",
+ "Failed to set SSL range: min: %s, max: %s.",
mymin, mymax);
+ return 0;
}
} else {
#endif
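Review bot: The new `return 0;` after the "Failed to set SSL range" error needs confirmation that 0 is the failure value callers of slapd_ssl_init2 test for; the function's other error paths and its return convention are outside this hunk, and a success-looking return here would let startup proceed with no version range applied. Stopping rather than continuing is the right direction for a range-set failure, so the point is only the value and the cleanup: the config entry was already released by the earlier hunk, but anything else acquired between that free and this return (not visible here) would leak on this path. The `#if !defined(NSS_TLS10)` block and the function continue past the hunk.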
@@ -1401,7 +1410,6 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
}
#endif
- freeConfigEntry( &e );
|
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
int err;
--
1.9.3