From 09f4f3932881ce97722480ef4f2196ed35a49ab3 Mon Sep 17 00:00:00 2001
f92ce9
From: Noriko Hosoi <nhosoi@redhat.com>
f92ce9
Date: Wed, 22 Oct 2014 14:43:26 -0700
f92ce9
Subject: [PATCH] Ticket #47928 - Disable SSL v3, by default.
f92ce9
f92ce9
Description:
f92ce9
There are 2 ways to specify the SSL version in cn=encryption,cn=config.
f92ce9
 . existing method (SSL version info)
f92ce9
     nsSSL3: on|off
f92ce9
	 nsTLS1: on|off
f92ce9
 . new method (SSL version range)
f92ce9
     sslVersionMin: <VERSION>
f92ce9
	 sslVersionMax: <VERSION>
f92ce9
   where <VERSION> takes "SSL3", "TLS1.0" through "TLS1.2".
f92ce9
f92ce9
If no SSL version info nor range are set in cn=encryption,cn=config,
f92ce9
     nsSSL3: off
f92ce9
	 nsTLS1: on
f92ce9
     sslVersionMin is TLS1.1
f92ce9
     sslVersionMax is TLS1.2
f92ce9
f92ce9
If SSL version info and range have conflicts, a tighter setting is
f92ce9
chosen.  For instance, the case of sslVersionMin: TLS1.1; nsTLS1: off;
f92ce9
nsSSL3: on, the range setting is respected.
f92ce9
     nsSSL3: off
f92ce9
	 nsTLS1: on
f92ce9
     sslVersionMin is TLS1.1
f92ce9
     sslVersionMax is TLS1.2
f92ce9
"SSL alert: Configured range: min: TLS1.1, max: TLS1.2; but nsSSL3 is on
f92ce9
and nsTLS1 is off. Respect the configured range." is logged in the error
f92ce9
log.
f92ce9
f92ce9
When cn=encryption,cn=config is searched, the SSL version info as well
f92ce9
as the range are retrieved from the settings in ssl.c and returned.
f92ce9
E.g.,
f92ce9
dn: cn=encryption,cn=config
f92ce9
nsSSl2: off
f92ce9
nsSSL3: off
f92ce9
nsTLS1: on
f92ce9
sslVersionMin: TLS1.1
f92ce9
sslVersionMax: TLS1.2
f92ce9
f92ce9
https://fedorahosted.org/389/ticket/47928
f92ce9
f92ce9
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
f92ce9
f92ce9
(cherry picked from commit c1ecd8b659a0b8f7d84f8157cb69810c85ee26e4)
f92ce9
(cherry picked from commit 524d127f14d3bb666d8ac11a277c4ef60693045f)
f92ce9
---
f92ce9
 ldap/servers/slapd/fedse.c |  43 +++++-
f92ce9
 ldap/servers/slapd/ssl.c   | 360 ++++++++++++++++++++++++++++-----------------
f92ce9
 2 files changed, 266 insertions(+), 137 deletions(-)
f92ce9
f92ce9
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
f92ce9
index 1f455e5..87f45a1 100644
f92ce9
--- a/ldap/servers/slapd/fedse.c
f92ce9
+++ b/ldap/servers/slapd/fedse.c
f92ce9
@@ -77,6 +77,8 @@
f92ce9
 
f92ce9
 extern char ** getSupportedCiphers();
f92ce9
 extern char ** getEnabledCiphers();
f92ce9
+extern int getSSLVersionInfo(int *ssl2, int *ssl3, int *tls1);
f92ce9
+extern int getSSLVersionRange(char **min, char **max);
f92ce9
 
f92ce9
 /* Note: These DNs are no need to be normalized */
f92ce9
 static const char *internal_entries[] =
f92ce9
@@ -108,8 +110,7 @@ static const char *internal_entries[] =
f92ce9
     "cn:encryption\n"
f92ce9
 	"nsSSLSessionTimeout:0\n"
f92ce9
 	"nsSSLClientAuth:allowed\n"
f92ce9
-	"nsSSL2:off\n"
f92ce9
-	"nsSSL3:off\n",
f92ce9
+	"sslVersionMin:tls1.1\n",
f92ce9
 
f92ce9
     "dn:cn=monitor\n"
f92ce9
     "objectclass:top\n"
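Review bot: The `nsSSL3:off` default that this template drops is now carried only by the `enableSSL3 = PR_FALSE` initializer in ssl.c, and nothing in this entry says so; a reader of the default entry sees just `sslVersionMin:tls1.1` and has to know where the other half of the default lives. A comment on the new line would tie the two together: `/* Ticket 47928: SSL3/TLS1.0 off by default; the nsSSL3/nsTLS1 defaults are enableSSL3/enableTLS1 in ssl.c */`. The value is also written lowercase (`tls1.1`) while the commit message documents `TLS1.1`, which presumably relies on set_NSS_version matching case-insensitively; that parser is not visible here, so worth confirming.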
f92ce9
@@ -1688,15 +1689,38 @@ dont_allow_that(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, int
f92ce9
     return SLAPI_DSE_CALLBACK_ERROR;
f92ce9
 }
f92ce9
 
f92ce9
+static void
f92ce9
+setEntrySSLVersion(Slapi_Entry *entry, char *sslversion, char *newval)
f92ce9
+{
f92ce9
+    char *v = slapi_entry_attr_get_charptr(entry, sslversion);
f92ce9
+
f92ce9
+    if (v) {
f92ce9
+        if (PL_strcasecmp(v, newval)) { /* did not match */
f92ce9
+            struct berval bv;
f92ce9
+            struct berval *bvals[2];
f92ce9
+            bvals[0] = &bv;
f92ce9
+            bvals[1] = NULL;
f92ce9
+            bv.bv_val = newval;
f92ce9
+            bv.bv_len = strlen(bv.bv_val);
f92ce9
+            slapi_entry_attr_replace(entry, sslversion, bvals );
f92ce9
+        }
f92ce9
+        slapi_ch_free_string(&v);
f92ce9
+    } else {
f92ce9
+        slapi_entry_attr_set_charptr(entry, sslversion, newval);
f92ce9
+    }
f92ce9
+}
f92ce9
+
f92ce9
 /*This function takes care of the search on the attribute nssslsupportedciphers in cn=encryption,cn=config" entry. This would get the list of supported ciphers from the table in ssl.c and always return that value */
f92ce9
 int
f92ce9
 search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter, int *returncode, char *returntext, void *arg)
f92ce9
 {
f92ce9
-
f92ce9
     struct berval           *vals[2];
f92ce9
     struct berval           val;
f92ce9
     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
f92ce9
     char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
f92ce9
+    int ssl2, ssl3, tls1;
f92ce9
+    char *sslVersionMin = NULL;
f92ce9
+    char *sslVersionMax = NULL;
f92ce9
     vals[0] = &val;
f92ce9
     vals[1] = NULL;
f92ce9
 
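Review bot: `setEntrySSLVersion` has no comment saying why a search callback rewrites attributes on the entry it returns, and `newval` is typed `char *` although every caller passes a string literal. I would add above it `/* Replace (or add) attribute sslversion on the in-memory entry with newval, so the search result reflects the settings held in ssl.c rather than whatever was stored in the config entry. */` and declare `const char *newval`, casting at `bv.bv_val = (char *)newval;` since berval's bv_val is non-const. `search_encryption` continues past the end of this hunk.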
f92ce9
@@ -1720,6 +1744,19 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
f92ce9
         enabledCipherList++;
f92ce9
     }
f92ce9
 
f92ce9
+    if (!getSSLVersionInfo(&ssl2, &ssl3, &tls1)) { /* 0 if the version info is initialized */
f92ce9
+        setEntrySSLVersion(entry, "nsSSL2", ssl2?"on":"off");
f92ce9
+        setEntrySSLVersion(entry, "nsSSL3", ssl3?"on":"off");
f92ce9
+        setEntrySSLVersion(entry, "nsTLS1", tls1?"on":"off");
f92ce9
+    }
f92ce9
+
f92ce9
+    if (!getSSLVersionRange(&sslVersionMin, &sslVersionMax)) { /* 0 if the range is initialized or supported */
f92ce9
+        setEntrySSLVersion(entry, "sslVersionMin", sslVersionMin);
f92ce9
+        setEntrySSLVersion(entry, "sslVersionMax", sslVersionMax);
f92ce9
+    }
f92ce9
+    slapi_ch_free_string(&sslVersionMin);
f92ce9
+    slapi_ch_free_string(&sslVersionMax);
f92ce9
+
f92ce9
     return SLAPI_DSE_CALLBACK_OK;
f92ce9
 }
f92ce9
 
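Review bot: When `getSSLVersionRange` fails, which it does on an NSS_TLS10 build and before the SSL listener is initialized, the `sslVersionMin`/`sslVersionMax` values already in the entry are left as they are, so the search result can show a range the server never applied (for example the stored default `sslVersionMin:tls1.1` on a build that cannot honour it); the same holds for `nsSSL3`/`nsTLS1` when `getSSLVersionInfo` fails. That is a reasonable fallback, but it should be stated at the call: `/* On failure (listener not initialized, or NSS without version-range support) the stored attribute values are returned unmodified and may not match the running listener. */`.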
f92ce9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index 5f9916b..26ef251 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -81,17 +81,25 @@
f92ce9
 #endif
f92ce9
 
f92ce9
 #if NSS_VMAJOR * 100 + NSS_VMINOR >= 315
f92ce9
+/* TLS1.2 is defined in RFC5246. */
f92ce9
 #define NSS_TLS12 1
f92ce9
 #elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314
f92ce9
+/* TLS1.1 is defined in RFC4346. */
f92ce9
 #define NSS_TLS11 1
f92ce9
 #else
f92ce9
+/* 
f92ce9
+ * TLS1.0 is defined in RFC2246.
f92ce9
+ * Close to SSL 3.0.
f92ce9
+ */
f92ce9
 #define NSS_TLS10 1
f92ce9
 #endif
f92ce9
 
f92ce9
 extern char* slapd_SSL3ciphers;
f92ce9
 extern symbol_t supported_ciphers[];
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
-static SSLVersionRange    enabledNSSVersions;
f92ce9
+static SSLVersionRange enabledNSSVersions;
f92ce9
+static SSLVersionRange slapdNSSVersions;
f92ce9
+static char *getNSSVersion_str(PRUint16 vnum);
f92ce9
 #endif
f92ce9
 
f92ce9
 /* dongle_file_name is set in slapd_nss_init when we set the path for the
f92ce9
@@ -238,6 +246,20 @@ static lookup_cipher _lookup_cipher[] = {
f92ce9
     {NULL, NULL}
f92ce9
 };
f92ce9
 
f92ce9
+/* Supported SSL versions  */
f92ce9
+/* nsSSL2: on -- we don't allow this any more. */
f92ce9
+PRBool enableSSL2 = PR_FALSE;
f92ce9
+/*
f92ce9
+ * nsSSL3: on -- disable SSLv3 by default.
f92ce9
+ * Corresonding to SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0 
f92ce9
+ */
f92ce9
+PRBool enableSSL3 = PR_FALSE;
f92ce9
+/*
f92ce9
+ * nsTLS1: on -- enable TLS1 by default.
f92ce9
+ * Corresonding to SSL_LIBRARY_VERSION_TLS_1_1 and greater.
f92ce9
+ */
f92ce9
+PRBool enableTLS1 = PR_TRUE;
f92ce9
+
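Review bot: `enableSSL2`, `enableSSL3` and `enableTLS1` are introduced as external-linkage mutable globals, but the only reader outside ssl.c shown by this patch goes through `getSSLVersionInfo`, so they should be `static PRBool ...` unless some other translation unit references them directly. The comments misspell "Corresonding" twice, and the mapping they describe is surprising enough to deserve plain wording: `/* nsSSL3: on -- permits SSL 3.0 and TLS 1.0 (default off). */` and `/* nsTLS1: on -- permits TLS 1.1 and later (default on). */`, since an operator reading "nsTLS1: off" will not expect TLS 1.0 to be unaffected.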
f92ce9
 static void
f92ce9
 slapd_SSL_report(int degree, char *fmt, va_list args)
f92ce9
 {
f92ce9
@@ -372,6 +394,36 @@ cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
f92ce9
     return rc;
f92ce9
 }
f92ce9
 
f92ce9
+int
f92ce9
+getSSLVersionInfo(int *ssl2, int *ssl3, int *tls1)
f92ce9
+{
f92ce9
+    if (!slapd_ssl_listener_is_initialized()) {
f92ce9
+        return -1;
f92ce9
+    }
f92ce9
+    *ssl2 = enableSSL2;
f92ce9
+    *ssl3 = enableSSL3;
f92ce9
+    *tls1 = enableTLS1;
f92ce9
+    return 0;
f92ce9
+}
f92ce9
+
f92ce9
+int
f92ce9
+getSSLVersionRange(char **min, char **max)
f92ce9
+{
f92ce9
+    if (!slapd_ssl_listener_is_initialized()) {
f92ce9
+        return -1;
f92ce9
+    }
f92ce9
+    if ((NULL == min) || (NULL == max)) {
f92ce9
+        return -1;
f92ce9
+    }
f92ce9
+#if defined(NSS_TLS10)
f92ce9
+    return -1; /* not supported */
f92ce9
+#else /* NSS_TLS11 or newer */
f92ce9
+    *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));
f92ce9
+    *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+    return 0;
f92ce9
+#endif
f92ce9
+}
f92ce9
+
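Review bot: `getSSLVersionInfo` writes through `ssl2`, `ssl3` and `tls1` without checking them, while its sibling `getSSLVersionRange` rejects NULL `min`/`max`; the two accessors should agree, e.g. `if (!ssl2 || !ssl3 || !tls1) return -1;` before the assignments. Both functions would also benefit from a header comment stating the 0/-1 contract, and for `getSSLVersionRange` that the returned strings are `slapi_ch_strdup`'d and must be released with `slapi_ch_free_string`, as fedse.c does.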
f92ce9
 static void
f92ce9
 _conf_init_ciphers()
f92ce9
 {
f92ce9
@@ -834,89 +886,132 @@ getNSSVersion_str(PRUint16 vnum)
f92ce9
     return vstr;
f92ce9
 }
f92ce9
 
f92ce9
-/* restrict SSLVersionRange with the existing SSL config params (nsSSL3, nsTLS1) */
f92ce9
+#define SSLVGreater(x, y) (((x) > (y)) ? (x) : (y))
f92ce9
+
f92ce9
+/*
f92ce9
+ * Check the SSLVersionRange and the old style config params (nsSSL3, nsTLS1) .
f92ce9
+ * If there are conflicts, choose the secure setting.
f92ce9
+ */
f92ce9
 static void
f92ce9
-restrict_SSLVersionRange(SSLVersionRange *sslversion, PRBool enableSSL3, PRBool enableTLS1)
f92ce9
+restrict_SSLVersionRange(void)
f92ce9
 {
f92ce9
-    int rc = 0;
f92ce9
+    if (slapdNSSVersions.min > slapdNSSVersions.max) {
f92ce9
+        slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "
f92ce9
+                       "Resetting the max to the supported max SSL version: %s.",
f92ce9
+                       getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                       getNSSVersion_str(slapdNSSVersions.max),
f92ce9
+                       getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+        slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
+    }
f92ce9
     if (enableSSL3) {
f92ce9
+        slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
f92ce9
+                       "We strongly recommend to disable nsSSL3 in %s.", configDN);
f92ce9
         if (enableTLS1) {
f92ce9
-            /* no restriction */
f92ce9
-            ;
f92ce9
+            if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+                slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
+                               "but both nsSSL3 and nsTLS1 are on. "
f92ce9
+                               "Respect the supported range.",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                enableSSL3 = PR_FALSE;
f92ce9
+            }
f92ce9
+            if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+                slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
+                               "but both nsSSL3 and nsTLS1 are on. "
f92ce9
+                               "Resetting the max to the supported max SSL version: %s.",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max),
f92ce9
+                               getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
+            }
f92ce9
         } else {
f92ce9
-            if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_3_0) {
f92ce9
-                slapd_SSL_warn("Security Initialization: "
f92ce9
-                               "Supported range: min: %s, max: %s; "
f92ce9
-                               "but the SSL configuration of the server disables nsTLS1. "
f92ce9
-                               "Ignoring nsTLS1: off\n",
f92ce9
+            /* nsTLS1 is explicitly set to off. */
f92ce9
+            if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+                slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
+                               "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
+                               "Respect the supported range.",
f92ce9
                                getNSSVersion_str(enabledNSSVersions.min),
f92ce9
                                getNSSVersion_str(enabledNSSVersions.max));
f92ce9
-                rc = 1;
f92ce9
-            } else if (sslversion->min > SSL_LIBRARY_VERSION_3_0) {
f92ce9
-                slapd_SSL_warn("Security Initialization: "
f92ce9
-                               "Configured range: min: %s, max: %s; "
f92ce9
-                               "but the SSL configuration of the server disables nsTLS1. "
f92ce9
-                               "Ignoring nsTLS1: off\n",
f92ce9
-                               getNSSVersion_str(sslversion->min),
f92ce9
-                               getNSSVersion_str(sslversion->max));
f92ce9
-                rc = 1;
f92ce9
-            } else if (sslversion->max < SSL_LIBRARY_VERSION_3_0) {
f92ce9
-                slapd_SSL_warn("Security Initialization: "
f92ce9
-                               "Configured range: min: %s, max: %s; "
f92ce9
-                               "but the SSL configuration of the server enabled nsSSL3. "
f92ce9
-                               "Ignoring max: %s\n",
f92ce9
-                               getNSSVersion_str(sslversion->min),
f92ce9
-                               getNSSVersion_str(sslversion->max),
f92ce9
-                               getNSSVersion_str(sslversion->max));
f92ce9
-                sslversion->min = SSL_LIBRARY_VERSION_3_0; /* don't enable SSL2 */
f92ce9
-                sslversion->max = SSL_LIBRARY_VERSION_3_0;
f92ce9
-                rc = 1;
f92ce9
+                slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
f92ce9
+                enableSSL3 = PR_FALSE;
f92ce9
+                enableTLS1 = PR_TRUE;
f92ce9
+            } else if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { 
f92ce9
+                slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
+                               "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
+                               "Respect the configured range.",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                enableSSL3 = PR_FALSE;
f92ce9
+                enableTLS1 = PR_TRUE;
f92ce9
+            } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+                slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
f92ce9
+                               "Resetting the range to: min: %s, max: %s.",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max),
f92ce9
+                               getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),
f92ce9
+                               getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));
f92ce9
+                slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
+                slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
             } else {
f92ce9
-                sslversion->min = SSL_LIBRARY_VERSION_3_0; /* don't enable SSL2 */
f92ce9
-                sslversion->max = SSL_LIBRARY_VERSION_3_0;
f92ce9
+                /* 
f92ce9
+                 * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
+                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
+                 */
f92ce9
+                slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
+                               "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
+                               "Respect the configured range.",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                enableTLS1 = PR_TRUE;
f92ce9
             }
f92ce9
         }
f92ce9
     } else {
f92ce9
         if (enableTLS1) {
f92ce9
-            if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
-                slapd_SSL_warn("Security Initialization: "
f92ce9
-                               "Supported range: min: %s, max: %s; "
f92ce9
-                               "but the SSL configuration of the server disables nsSSL3. ",
f92ce9
-                               "Ignoring nsSSL3: off\n",
f92ce9
+            if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+                /* TLS1 is on, but TLS1 is not supported by NSS.  */
f92ce9
+                slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
+                               "Setting the version range based upon the supported range.",
f92ce9
                                getNSSVersion_str(enabledNSSVersions.min),
f92ce9
                                getNSSVersion_str(enabledNSSVersions.max));
f92ce9
-                sslversion->min = SSL_LIBRARY_VERSION_3_0; /* don't enable SSL2 */
f92ce9
-                sslversion->max = SSL_LIBRARY_VERSION_3_0;
f92ce9
-                rc = 1;
f92ce9
-            } else if (sslversion->max < SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
-                slapd_SSL_warn("Security Initialization: "
f92ce9
-                               "Configured range: min: %s, max: %s; "
f92ce9
-                               "but the SSL configuration of the server disables nsSSL3. "
f92ce9
-                               "Ignoring nsSSL3: off\n",
f92ce9
-                               getNSSVersion_str(sslversion->min),
f92ce9
-                               getNSSVersion_str(sslversion->max));
f92ce9
-                sslversion->min = SSL_LIBRARY_VERSION_3_0; /* don't enable SSL2 */
f92ce9
-                sslversion->max = SSL_LIBRARY_VERSION_3_0;
f92ce9
-                rc = 1;
f92ce9
-            } else if (sslversion->min < SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
-                sslversion->min = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
+                slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
+                slapdNSSVersions.min = enabledNSSVersions.min;
f92ce9
+                enableSSL3 = PR_TRUE;
f92ce9
+                enableTLS1 = PR_FALSE;
f92ce9
+            } else if ((slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) ||
f92ce9
+                       (slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_1)) {
f92ce9
+                slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
+                slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
f92ce9
+                slapd_SSL_warn("Default SSL Version settings; "
f92ce9
+                               "Configuring the version range as min: %s, max: %s; ",
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+            } else {
f92ce9
+                /* 
f92ce9
+                 * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
f92ce9
+                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
+                 */
f92ce9
+                ;
f92ce9
             }
f92ce9
         } else {
f92ce9
-            slapd_SSL_warn("Security Initialization: "
f92ce9
-                            "Supported range: min: %s, max: %s; "
f92ce9
-                            "but the SSL configuration of the server disables nsSSL3 and nsTLS1. "
f92ce9
-                            "Ignoring nsSSL3: off and nsTLS1: off\n",
f92ce9
-                            getNSSVersion_str(enabledNSSVersions.min),
f92ce9
-                            getNSSVersion_str(enabledNSSVersions.max));
f92ce9
-            rc = 1;
f92ce9
+            slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
+                           "Respect the configured range.",
f92ce9
+                           getNSSVersion_str(enabledNSSVersions.min),
f92ce9
+                           getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+            /* nsTLS1 is explicitly set to off. */
f92ce9
+            if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+                enableTLS1 = PR_TRUE;
f92ce9
+            } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+                enableSSL3 = PR_TRUE;
f92ce9
+            } else {
f92ce9
+                /* 
f92ce9
+                 * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
+                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
+                 */
f92ce9
+                enableSSL3 = PR_TRUE;
f92ce9
+                enableTLS1 = PR_TRUE;
f92ce9
+            }
f92ce9
         }
f92ce9
     }
f92ce9
-    if (0 == rc) {
f92ce9
-        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
f92ce9
-                        "SSL version range: min: %s, max: %s\n",
f92ce9
-                        getNSSVersion_str(sslversion->min),
f92ce9
-                        getNSSVersion_str(sslversion->max));
f92ce9
-    }
f92ce9
 }
f92ce9
 #endif
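Review bot: In the `nsSSL3: off, nsTLS1: on` branch, the fallback taken when the runtime NSS reports no TLS 1.1 (`enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1`) copies the whole supported range with `slapdNSSVersions.min = enabledNSSVersions.min;`, which can lower the minimum to SSL 3.0 and re-enable the protocol the administrator explicitly turned off; that contradicts the "tighter setting is chosen" rule in the commit message and is looser than the `nsSSL3: on, nsTLS1: off` branch, which never goes below TLS 1.0. I would floor it with the macro this hunk already defines, `slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_0, enabledNSSVersions.min);`, and have the warning print the range actually set rather than the NSS-supported one. Separately, the unconditional "SSL version range: min: %s, max: %s" log at the end of the old function is removed, so on the no-conflict paths the effective range is no longer reported from here; unless the call site logs it (not visible in this patch), operators lose the one line that confirms what the listener will accept.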
f92ce9
 
f92ce9
@@ -949,7 +1044,7 @@ slapd_nss_init(int init_ssl, int config_available)
f92ce9
 	SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
f92ce9
 	
f92ce9
 	slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
f92ce9
-	                "supported range: min: %s, max: %s\n",
f92ce9
+	                "supported range by NSS: min: %s, max: %s\n",
f92ce9
 	                getNSSVersion_str(enabledNSSVersions.min),
f92ce9
 	                getNSSVersion_str(enabledNSSVersions.max));
f92ce9
 #endif
f92ce9
@@ -1120,11 +1215,9 @@ slapd_ssl_init()
f92ce9
     PRErrorCode errorCode;
f92ce9
     char ** family_list;
f92ce9
     char *val = NULL;
f92ce9
-    char cipher_string[1024];
f92ce9
     int rv = 0;
f92ce9
     PK11SlotInfo *slot;
f92ce9
     Slapi_Entry *entry = NULL;
f92ce9
-    int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
f92ce9
 
f92ce9
     /* Get general information */
f92ce9
 
f92ce9
@@ -1162,23 +1255,6 @@ slapd_ssl_init()
f92ce9
         freeConfigEntry( &entry );
f92ce9
         return -1;
f92ce9
     }
f92ce9
-
f92ce9
-    val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
f92ce9
-    if (val) {
f92ce9
-        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
f92ce9
-                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
f92ce9
-            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
f92ce9
-        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
f92ce9
-                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
f92ce9
-            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
f92ce9
-        } else {
f92ce9
-            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
f92ce9
-                           "cn=encryption,cn=config is invalid. "
f92ce9
-                           "Ignoring it and set it to default.", val);
f92ce9
-        }
f92ce9
-    }
f92ce9
-    slapi_ch_free((void **) &val;;
f92ce9
- 
f92ce9
     if ((family_list = getChildren(configDN))) {
f92ce9
         char **family;
f92ce9
         char *token;
f92ce9
@@ -1252,22 +1328,6 @@ slapd_ssl_init()
f92ce9
     /* ugaston- Cipher preferences must be set before any sslSocket is created
f92ce9
      * for such sockets to take preferences into account.
f92ce9
      */
f92ce9
-
f92ce9
-    /* Step Three.5: Set SSL cipher preferences */
f92ce9
-    *cipher_string = 0;
f92ce9
-    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
f92ce9
-         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
f92ce9
-    slapi_ch_free((void **) &ciphers);
f92ce9
-
f92ce9
-    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
f92ce9
-        errorCode = PR_GetError();
f92ce9
-        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
f92ce9
-            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
-            val, errorCode, slapd_pr_strerror(errorCode));
f92ce9
-        rv = 3;
f92ce9
-        slapi_ch_free((void **) &val;;
f92ce9
-    }
f92ce9
-
f92ce9
     freeConfigEntry( &entry );
f92ce9
  
f92ce9
     /* Introduce a way of knowing whether slapd_ssl_init has
f92ce9
@@ -1308,7 +1368,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {
f92ce9
                    slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                   "\"%s\" is lower than the supported version; "
f92ce9
-                                  "the default value \"%s\" is used.\n",
f92ce9
+                                  "the default value \"%s\" is used.",
f92ce9
                                   val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
@@ -1319,7 +1379,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                    (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
@@ -1331,7 +1391,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_3_0) {
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
@@ -1342,7 +1402,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
@@ -1352,12 +1412,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
         } else {
f92ce9
             if (ismin) {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
-                               "\"%s\" is invalid; the default value \"%s\" is used.\n",
f92ce9
+                               "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
                                val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                 (*rval) = enabledNSSVersions.min;
f92ce9
             } else {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
-                               "\"%s\" is invalid; the default value \"%s\" is used.\n",
f92ce9
+                               "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
                                val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                 (*rval) = enabledNSSVersions.max;
f92ce9
             }
f92ce9
@@ -1371,7 +1431,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
@@ -1382,7 +1442,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
@@ -1394,7 +1454,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
@@ -1405,7 +1465,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
@@ -1418,7 +1478,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
@@ -1429,7 +1489,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.\n",
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
                                    val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
@@ -1441,13 +1501,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
             if (ismin) {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                "\"%s\" is out of the range of the supported version; "
f92ce9
-                               "the default value \"%s\" is used.\n",
f92ce9
+                               "the default value \"%s\" is used.",
f92ce9
                                val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                 (*rval) = enabledNSSVersions.min;
f92ce9
             } else {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                "\"%s\" is out of the range of the supported version; "
f92ce9
-                               "the default value \"%s\" is used.\n",
f92ce9
+                               "the default value \"%s\" is used.",
f92ce9
                                val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
                 (*rval) = enabledNSSVersions.max;
f92ce9
             }
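Review bot: The sslVersionMax "out of the range" branch at the end of this hunk logs `getNSSVersion_str(enabledNSSVersions.min)` as the fallback while the assignment on the next line is `(*rval) = enabledNSSVersions.max`, so the warning names the wrong default version; the `is invalid` branch for sslVersionMax in the following hunk has the same mismatch. Both argument lines should read `val, getNSSVersion_str(enabledNSSVersions.max));`. The commit only touches these lines to drop the trailing newline, and set_NSS_version's body extends beyond the hunk on both sides.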
f92ce9
@@ -1455,12 +1515,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
     } else {
f92ce9
         if (ismin) {
f92ce9
             slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
-                           "\"%s\" is invalid; the default value \"%s\" is used.\n",
f92ce9
+                           "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
                            val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
             (*rval) = enabledNSSVersions.min;
f92ce9
         } else {
f92ce9
             slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
-                           "\"%s\" is invalid; the default value \"%s\" is used.\n",
f92ce9
+                           "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
                            val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
             (*rval) = enabledNSSVersions.max;
f92ce9
         }
f92ce9
@@ -1490,14 +1550,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
     int slapd_SSLclientAuth;
f92ce9
     char* tmpDir;
f92ce9
     Slapi_Entry *e = NULL;
f92ce9
-    PRBool enableSSL2 = PR_FALSE;
f92ce9
-    PRBool enableSSL3 = PR_TRUE;
f92ce9
-    PRBool enableTLS1 = PR_TRUE;
f92ce9
     PRBool fipsMode = PR_FALSE;
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
     PRUint16 NSSVersionMin = enabledNSSVersions.min;
f92ce9
     PRUint16 NSSVersionMax = enabledNSSVersions.max;
f92ce9
 #endif
f92ce9
+    char cipher_string[1024];
f92ce9
+    int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
f92ce9
 
f92ce9
     /* turn off the PKCS11 pin interactive mode */
f92ce9
 #ifndef _WIN32
f92ce9
@@ -1839,6 +1898,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
             } else {
f92ce9
                 enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" );
f92ce9
             }
f92ce9
+        } else if (enabledNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+            enableTLS1 = PR_TRUE; /* If available, enable TLS1 */
f92ce9
         }
f92ce9
         slapi_ch_free_string( &val );
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
@@ -1853,14 +1914,12 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
         }
f92ce9
         slapi_ch_free_string( &val );
f92ce9
         if (NSSVersionMin > NSSVersionMax) {
f92ce9
-            slapd_SSL_warn("Security Initialization: The min value of NSS version range "
f92ce9
-                        "\"%s\" is greater than the max value \"%s\"; "
f92ce9
-                           "the default range \"%s\" - \"%s\" is used.\n",
f92ce9
+            slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
f92ce9
                            getNSSVersion_str(NSSVersionMin), 
f92ce9
-                           getNSSVersion_str(NSSVersionMax),
f92ce9
-                           getNSSVersion_str(enabledNSSVersions.min),
f92ce9
+                           getNSSVersion_str(NSSVersionMax));
f92ce9
+            slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
f92ce9
+                           getNSSVersion_str(NSSVersionMax), 
f92ce9
                            getNSSVersion_str(enabledNSSVersions.max));
f92ce9
-            NSSVersionMin = enabledNSSVersions.min;
f92ce9
             NSSVersionMax = enabledNSSVersions.max;
f92ce9
         }
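Review bot: After the min > max case only NSSVersionMax is reset to enabledNSSVersions.max and NSSVersionMin is left as configured, so if set_NSS_version can ever hand back a min above the library's supported max the range is still inverted when it reaches SSL_VersionRangeSet; whether the earlier clamping rules that out is not visible from this hunk. A comment above the reset stating why min is guaranteed to be at or below the supported max, or a re-check such as `if (NSSVersionMin > NSSVersionMax) { slapd_SSL_warn("Configured min \"%s\" exceeds supported max; using \"%s\".", ...); NSSVersionMin = NSSVersionMax; }`, would make the invariant explicit. Keeping the configured min rather than falling back to the full default range is the tighter choice and worth a one-line comment so it is not "fixed" back later. slapd_ssl_init2 continues outside the hunk.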
f92ce9
 #endif
f92ce9
@@ -1868,18 +1927,21 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
     if (NSSVersionMin > 0) {
f92ce9
         /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
f92ce9
-        SSLVersionRange myNSSVersions;
f92ce9
-        myNSSVersions.min = NSSVersionMin;
f92ce9
-        myNSSVersions.max = NSSVersionMax;
f92ce9
-        restrict_SSLVersionRange(&myNSSVersions, enableSSL3, enableTLS1);
f92ce9
-        sslStatus = SSL_VersionRangeSet(pr_sock, &myNSSVersions);
f92ce9
+        slapdNSSVersions.min = NSSVersionMin;
f92ce9
+        slapdNSSVersions.max = NSSVersionMax;
f92ce9
+        restrict_SSLVersionRange();
f92ce9
+        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
f92ce9
+                        "Configured SSL version range: min: %s, max: %s\n",
f92ce9
+                        getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                        getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+        sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
f92ce9
         if (sslStatus == SECSuccess) {
f92ce9
             /* Set the restricted value to the cn=encryption entry */
f92ce9
         } else {
f92ce9
             slapd_SSL_error("SSL Initialization 2: "
f92ce9
                             "Failed to set SSL range: min: %s, max: %s\n",
f92ce9
-                            getNSSVersion_str(myNSSVersions.min),
f92ce9
-                            getNSSVersion_str(myNSSVersions.max));
f92ce9
+                            getNSSVersion_str(slapdNSSVersions.min),
f92ce9
+                            getNSSVersion_str(slapdNSSVersions.max));
f92ce9
         }
f92ce9
     } else {
f92ce9
 #endif
f92ce9
@@ -1904,6 +1966,36 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
     }
f92ce9
 #endif
f92ce9
+    val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
f92ce9
+    if (val) {
f92ce9
+        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
f92ce9
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
f92ce9
+            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
f92ce9
+        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
f92ce9
+                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
f92ce9
+            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
f92ce9
+        } else {
f92ce9
+            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
f92ce9
+                           "Ignoring it and set it to default.", val, configDN);
f92ce9
+        }
f92ce9
+    }
f92ce9
+    slapi_ch_free((void **) &val;;
f92ce9
+
f92ce9
+    /* Set SSL cipher preferences */
f92ce9
+    *cipher_string = 0;
f92ce9
+    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
f92ce9
+         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
f92ce9
+    slapi_ch_free((void **) &ciphers);
f92ce9
+
f92ce9
+    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
f92ce9
+        errorCode = PR_GetError();
f92ce9
+        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
f92ce9
+            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
+            val, errorCode, slapd_pr_strerror(errorCode));
f92ce9
+        rv = 3;
f92ce9
+        slapi_ch_free((void **) &val;;
f92ce9
+    }
f92ce9
+
f92ce9
     freeConfigEntry( &e );
f92ce9
 
f92ce9
     if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
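Review bot: The slapd_SSL_warn call for an invalid allowWeakCipher value passes "Ignoring it and set it to default." as the first `%s` argument instead of concatenating it into the format string, so the message comes out as `The value of allowWeakCipher "Ignoring it and set it to default." in <value> is invalid.` and configDN is never printed (surplus argument). It should be `slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid. " "Ignoring it and set it to default.", val, configDN);`. As rendered here both `slapi_ch_free((void **) &val;;` lines lack the closing parenthesis; that is presumably a page artifact rather than the patch, but worth confirming against the applied source. When _conf_setciphers fails the code records `rv = 3` and still proceeds to client-auth setup; a short comment saying this is intentional best-effort behaviour would help the next reader. slapd_ssl_init2 continues outside the hunk, and the origin of `ciphers` is not visible here.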
f92ce9
-- 
f92ce9
1.9.3
f92ce9