andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone

Blame SOURCES/0027-Ticket-47945-Add-SSL-TLS-version-info-to-the-access-.patch

f92ce9
From e7c71a8c3a361fa7cbf96a0c57723c74d044922a Mon Sep 17 00:00:00 2001
f92ce9
From: Noriko Hosoi <nhosoi@redhat.com>
f92ce9
Date: Mon, 10 Nov 2014 13:51:34 -0800
f92ce9
Subject: [PATCH 27/28] Ticket #47945 - Add SSL/TLS version info to the access
f92ce9
 log
f92ce9
f92ce9
Description: Added the currently used SSL library version info per
f92ce9
connection to the access log.
f92ce9
Sample output:
f92ce9
  SSL
f92ce9
  [..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
f92ce9
  [..] conn=3 TLS1.2 128-bit AES-GCM
f92ce9
f92ce9
  startTLS
f92ce9
  [..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
f92ce9
  [..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
f92ce9
  [..] conn=4 TLS1.2 128-bit AES-GCM
f92ce9
f92ce9
To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_
f92ce9
TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this
f92ce9
patch calculates the number and generates the version string.
f92ce9
f92ce9
https://fedorahosted.org/389/ticket/47945
f92ce9
f92ce9
Reviewed and adviced by rmeggins@redhat.com (Thanks a lot, Rich!!)
f92ce9
f92ce9
(cherry picked from commit a2e0de3aa90f04593427628afeb7fe090dac93fb)
f92ce9
(cherry picked from commit 0d1087d0c4dc9b6af3a01776ae11e0977c447fb7)
f92ce9
---
f92ce9
 ldap/servers/slapd/auth.c          |  85 +++++++++-------
f92ce9
 ldap/servers/slapd/slapi-private.h |  19 ++++
f92ce9
 ldap/servers/slapd/ssl.c           | 194 ++++++++++++++++++++-----------------
f92ce9
 3 files changed, 174 insertions(+), 124 deletions(-)
f92ce9
f92ce9
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
f92ce9
index 5b7dc31..0219576 100644
f92ce9
--- a/ldap/servers/slapd/auth.c
f92ce9
+++ b/ldap/servers/slapd/auth.c
f92ce9
@@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
f92ce9
     int keySize = 0;
f92ce9
     char* cipher = NULL;
f92ce9
     char* extraErrorMsg = "";
f92ce9
-	SSLChannelInfo channelInfo;
f92ce9
-	SSLCipherSuiteInfo cipherInfo;
f92ce9
-	char* subject = NULL;
f92ce9
+    SSLChannelInfo channelInfo;
f92ce9
+    SSLCipherSuiteInfo cipherInfo;
f92ce9
+    char* subject = NULL;
f92ce9
+    char sslversion[64];
f92ce9
 
f92ce9
 	if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {
f92ce9
 		PRErrorCode errorCode = PR_GetError();
f92ce9
@@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
f92ce9
      * to be enough, close the SSL connection. */
f92ce9
     if ( conn->c_flags & CONN_FLAG_START_TLS ) {
f92ce9
         if ( cipherInfo.symKeyBits == 0 ) {
f92ce9
-	        start_tls_graceful_closure( conn, NULL, 1 );
f92ce9
-		goto done;
f92ce9
-	}
f92ce9
+            start_tls_graceful_closure( conn, NULL, 1 );
f92ce9
+            goto done;
f92ce9
+        }
f92ce9
     }
f92ce9
 
f92ce9
     if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {
f92ce9
-		slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
f92ce9
-				(long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
f92ce9
-		goto done;
f92ce9
-    } 
f92ce9
+        (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
f92ce9
+        slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
f92ce9
+                (long long unsigned int)conn->c_connid, 
f92ce9
+                sslversion, keySize, cipher ? cipher : "NULL" );
f92ce9
+        goto done;
f92ce9
+    }
f92ce9
     if (clientCert == NULL) {
f92ce9
-	slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
f92ce9
-			(long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
f92ce9
+        (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
f92ce9
+        slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
f92ce9
+                (long long unsigned int)conn->c_connid, 
f92ce9
+                sslversion, keySize, cipher ? cipher : "NULL" );
f92ce9
     } else {
f92ce9
-	subject = subject_of (clientCert);
f92ce9
-	if (!subject) {
f92ce9
-		slapi_log_access( LDAP_DEBUG_STATS,
f92ce9
-		       "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",
f92ce9
-		       (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL");
f92ce9
-		goto done;
f92ce9
-	}
f92ce9
-	{
f92ce9
-	    char* issuer  = issuer_of (clientCert);
f92ce9
-	    char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
f92ce9
-	    slapi_log_access( LDAP_DEBUG_STATS,
f92ce9
-		       "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",
f92ce9
-		       (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL",
f92ce9
-		       subject ? escape_string( subject, sbuf ) : "NULL",
f92ce9
-		       issuer  ? escape_string( issuer,  ibuf ) : "NULL");
f92ce9
-	    if (issuer) free (issuer);
f92ce9
-	}
f92ce9
-	slapi_dn_normalize (subject);
f92ce9
+        subject = subject_of (clientCert);
f92ce9
+        if (!subject) {
f92ce9
+            (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
f92ce9
+                                                 sslversion, sizeof(sslversion));
f92ce9
+            slapi_log_access( LDAP_DEBUG_STATS,
f92ce9
+                       "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",
f92ce9
+                       (long long unsigned int)conn->c_connid, 
f92ce9
+                       sslversion, keySize, cipher ? cipher : "NULL");
f92ce9
+            goto done;
f92ce9
+        }
f92ce9
+        {
f92ce9
+            char* issuer  = issuer_of (clientCert);
f92ce9
+            char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
f92ce9
+            (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
f92ce9
+                                                 sslversion, sizeof(sslversion));
f92ce9
+            slapi_log_access( LDAP_DEBUG_STATS,
f92ce9
+                        "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",
f92ce9
+                        (long long unsigned int)conn->c_connid,
f92ce9
+                        sslversion, keySize, cipher ? cipher : "NULL",
f92ce9
+                        subject ? escape_string( subject, sbuf ) : "NULL",
f92ce9
+                        issuer  ? escape_string( issuer,  ibuf ) : "NULL");
f92ce9
+            if (issuer) free (issuer);
f92ce9
+        }
f92ce9
+        slapi_dn_normalize (subject);
f92ce9
 	{
f92ce9
 	    LDAPMessage* chain = NULL;
f92ce9
 		char *basedn = config_get_basedn();
f92ce9
@@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
f92ce9
         sdn = slapi_sdn_new_dn_passin(clientDN);
f92ce9
         clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
f92ce9
         slapi_sdn_free(&sdn;;
f92ce9
+        (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
f92ce9
+                                             sslversion, sizeof(sslversion));
f92ce9
         slapi_log_access (LDAP_DEBUG_STATS, 
f92ce9
-                          "conn=%" NSPRIu64 " SSL client bound as %s\n",
f92ce9
-                          (long long unsigned int)conn->c_connid, clientDN);
f92ce9
+                          "conn=%" NSPRIu64 " %s client bound as %s\n",
f92ce9
+                          (long long unsigned int)conn->c_connid,
f92ce9
+                          sslversion, clientDN);
f92ce9
     } else if (clientCert != NULL) {
f92ce9
+        (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
f92ce9
+                                             sslversion, sizeof(sslversion));
f92ce9
         slapi_log_access (LDAP_DEBUG_STATS,
f92ce9
-                          "conn=%" NSPRIu64 " SSL failed to map client "
f92ce9
+                          "conn=%" NSPRIu64 " %s failed to map client "
f92ce9
                           "certificate to LDAP DN (%s)\n",
f92ce9
-                          (long long unsigned int)conn->c_connid, extraErrorMsg );
f92ce9
+                          (long long unsigned int)conn->c_connid,
f92ce9
+                          sslversion, extraErrorMsg);
f92ce9
     }
f92ce9
 
f92ce9
 	/*
f92ce9
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
f92ce9
index a8d7738..921c397 100644
f92ce9
--- a/ldap/servers/slapd/slapi-private.h
f92ce9
+++ b/ldap/servers/slapd/slapi-private.h
f92ce9
@@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
f92ce9
 /* ldaputil.c */
f92ce9
 char *ldaputil_get_saslpath();
f92ce9
 
f92ce9
+/* ssl.c */
f92ce9
+/* 
f92ce9
+ * If non NULL buf and positive bufsize is given,
f92ce9
+ * the memory is used to store the version string.
f92ce9
+ * Otherwise, the memory for the string is allocated.
f92ce9
+ * The latter case, caller is responsible to free it.
f92ce9
+ */
f92ce9
+/* vnum is supposed to be in one of the following:
f92ce9
+ * nss3/sslproto.h
f92ce9
+ * #define SSL_LIBRARY_VERSION_2                   0x0002
f92ce9
+ * #define SSL_LIBRARY_VERSION_3_0                 0x0300
f92ce9
+ * #define SSL_LIBRARY_VERSION_TLS_1_0             0x0301
f92ce9
+ * #define SSL_LIBRARY_VERSION_TLS_1_1             0x0302
f92ce9
+ * #define SSL_LIBRARY_VERSION_TLS_1_2             0x0303
f92ce9
+ * #define SSL_LIBRARY_VERSION_TLS_1_3             0x0304
f92ce9
+ * ...
f92ce9
+ */
f92ce9
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
f92ce9
+
f92ce9
 #ifdef __cplusplus
f92ce9
 }
f92ce9
 #endif
f92ce9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index f81d1fb..5d6919a 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[];
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
 static SSLVersionRange enabledNSSVersions;
f92ce9
 static SSLVersionRange slapdNSSVersions;
f92ce9
-static char *getNSSVersion_str(PRUint16 vnum);
f92ce9
 #endif
f92ce9
 
f92ce9
 /* dongle_file_name is set in slapd_nss_init when we set the path for the
f92ce9
@@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = {
f92ce9
     {NULL, NULL}
f92ce9
 };
f92ce9
 
f92ce9
+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
f92ce9
+#define VERSION_STR_LENGTH 64
f92ce9
+
f92ce9
 /* Supported SSL versions  */
f92ce9
 /* nsSSL2: on -- we don't allow this any more. */
f92ce9
 PRBool enableSSL2 = PR_FALSE;
f92ce9
@@ -418,8 +420,8 @@ getSSLVersionRange(char **min, char **max)
f92ce9
 #if defined(NSS_TLS10)
f92ce9
     return -1; /* not supported */
f92ce9
 #else /* NSS_TLS11 or newer */
f92ce9
-    *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));
f92ce9
-    *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+    *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
f92ce9
+    *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
f92ce9
     return 0;
f92ce9
 #endif
f92ce9
 }
f92ce9
@@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log)
f92ce9
 }
f92ce9
 
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
-typedef struct _nss_version_list {
f92ce9
-    PRUint16 vnum;
f92ce9
-    char* vname;
f92ce9
-} NSSVersion_list;
f92ce9
-NSSVersion_list _NSSVersion_list[] =
f92ce9
-{
f92ce9
-    {SSL_LIBRARY_VERSION_2,       "SSL2"},
f92ce9
-    {SSL_LIBRARY_VERSION_3_0,     "SSL3"},
f92ce9
-    {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},
f92ce9
-    {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},
f92ce9
-#if defined(NSS_TLS12)
f92ce9
-    {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},
f92ce9
-#endif
f92ce9
-    {0, "unknown"}
f92ce9
-};
f92ce9
-
f92ce9
-static char *
f92ce9
-getNSSVersion_str(PRUint16 vnum)
f92ce9
+/* 
f92ce9
+ * If non NULL buf and positive bufsize is given,
f92ce9
+ * the memory is used to store the version string.
f92ce9
+ * Otherwise, the memory for the string is allocated.
f92ce9
+ * The latter case, caller is responsible to free it.
f92ce9
+ */
f92ce9
+char *
f92ce9
+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)
f92ce9
 {
f92ce9
-    NSSVersion_list *nvlp = NULL;
f92ce9
-    char *vstr = "none";
f92ce9
-    if (vnum) {
f92ce9
-        for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) {
f92ce9
-            if (nvlp->vnum == vnum) {
f92ce9
-                vstr = nvlp->vname;
f92ce9
-                break;
f92ce9
+    char *vstr = buf;
f92ce9
+    if (vnum >= SSL_LIBRARY_VERSION_3_0) {
f92ce9
+        if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
f92ce9
+            if (buf && bufsize) { 
f92ce9
+                PR_snprintf(buf, bufsize, "SSL3"); 
f92ce9
+            } else { 
f92ce9
+                vstr = slapi_ch_smprintf("SSL3"); 
f92ce9
+            } 
f92ce9
+        } else { /* TLS v X.Y */
f92ce9
+            const char *TLSFMT = "TLS%d.%d";
f92ce9
+            int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
f92ce9
+
f92ce9
+            if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
f92ce9
+                minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
f92ce9
+            }
f92ce9
+            if (buf && bufsize) { 
f92ce9
+                PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset); 
f92ce9
+            } else { 
f92ce9
+                vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset); 
f92ce9
             }
f92ce9
         }
f92ce9
+    } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */
f92ce9
+        if (buf && bufsize) {
f92ce9
+            PR_snprintf(buf, bufsize, "SSL2");
f92ce9
+        } else {
f92ce9
+            vstr = slapi_ch_smprintf("SSL2");
f92ce9
+        }
f92ce9
+    } else {
f92ce9
+        if (buf && bufsize) {
f92ce9
+            PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum); 
f92ce9
+        } else {
f92ce9
+            vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);
f92ce9
+        }
f92ce9
     }
f92ce9
     return vstr;
f92ce9
 }
f92ce9
@@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum)
f92ce9
 static void
f92ce9
 restrict_SSLVersionRange(void)
f92ce9
 {
f92ce9
+    char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
f92ce9
+    char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
f92ce9
+    (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
f92ce9
+    (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
f92ce9
+    (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
f92ce9
+    (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
f92ce9
     if (slapdNSSVersions.min > slapdNSSVersions.max) {
f92ce9
         slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "
f92ce9
                        "Resetting the max to the supported max SSL version: %s.",
f92ce9
-                       getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                       getNSSVersion_str(slapdNSSVersions.max),
f92ce9
-                       getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                       mymin, mymax, emax);
f92ce9
         slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
     }
f92ce9
     if (enableSSL3) {
f92ce9
@@ -911,17 +931,14 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but both nsSSL3 and nsTLS1 are on. "
f92ce9
                                "Respect the supported range.",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                               mymin, mymax);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
             }
f92ce9
             if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but both nsSSL3 and nsTLS1 are on. "
f92ce9
                                "Resetting the max to the supported max SSL version: %s.",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max),
f92ce9
-                               getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                               mymin, mymax, emax);
f92ce9
                 slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
             }
f92ce9
         } else {
f92ce9
@@ -930,8 +947,7 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
                                "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
                                "Respect the supported range.",
f92ce9
-                               getNSSVersion_str(enabledNSSVersions.min),
f92ce9
-                               getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                               emin, emax);
f92ce9
                 slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
@@ -939,19 +955,13 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
                                "Respect the configured range.",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                               mymin, mymax);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
             } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
                 slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
f92ce9
-                               "Resetting the range to: min: %s, max: %s.",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max),
f92ce9
-                               getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),
f92ce9
-                               getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));
f92ce9
-                slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
-                slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
+                               "We strongly recommend to set sslVersionMax higher than %s.",
f92ce9
+                               mymin, mymax, emax);
f92ce9
             } else {
f92ce9
                 /* 
f92ce9
                  * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
@@ -960,8 +970,7 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
                                "Respect the configured range.",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                               mymin, mymax);
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
             }
f92ce9
         }
f92ce9
@@ -971,8 +980,7 @@ restrict_SSLVersionRange(void)
f92ce9
                 /* TLS1 is on, but TLS1 is not supported by NSS.  */
f92ce9
                 slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
                                "Setting the version range based upon the supported range.",
f92ce9
-                               getNSSVersion_str(enabledNSSVersions.min),
f92ce9
-                               getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                               emin, emax);
f92ce9
                 slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
                 slapdNSSVersions.min = enabledNSSVersions.min;
f92ce9
                 enableSSL3 = PR_TRUE;
f92ce9
@@ -983,8 +991,7 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
f92ce9
                 slapd_SSL_warn("Default SSL Version settings; "
f92ce9
                                "Configuring the version range as min: %s, max: %s; ",
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                               getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                               mymin, mymax);
f92ce9
             } else {
f92ce9
                 /* 
f92ce9
                  * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
f92ce9
@@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void)
f92ce9
         } else {
f92ce9
             slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
                            "Respect the configured range.",
f92ce9
-                           getNSSVersion_str(enabledNSSVersions.min),
f92ce9
-                           getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                           emin, emax);
f92ce9
             /* nsTLS1 is explicitly set to off. */
f92ce9
             if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
@@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available)
f92ce9
 	char *keydb_file_name = NULL;
f92ce9
 	char *secmoddb_file_name = NULL;
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
+	char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
f92ce9
 	/* Get the range of the supported SSL version */
f92ce9
 	SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
f92ce9
 	
f92ce9
+	(void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
f92ce9
+	(void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
f92ce9
 	slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
f92ce9
 	                "supported range by NSS: min: %s, max: %s\n",
f92ce9
-	                getNSSVersion_str(enabledNSSVersions.min),
f92ce9
-	                getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+	                emin, emax);
f92ce9
 #endif
f92ce9
 
f92ce9
 	/* set in slapd_bootstrap_config,
f92ce9
@@ -1351,34 +1359,37 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
 {
f92ce9
     char *vp, *endp;
f92ce9
     int vnum;
f92ce9
+    char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
f92ce9
 
f92ce9
     if (NULL == rval) {
f92ce9
         return 1;
f92ce9
     }
f92ce9
+    (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
f92ce9
+    (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
f92ce9
     if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */
f92ce9
         vp = val + SSLLEN;
f92ce9
         vnum = strtol(vp, &endp, 10);
f92ce9
         if (2 == vnum) {
f92ce9
             if (ismin) {
f92ce9
                 if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {
f92ce9
-                   slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
-                                  "\"%s\" is lower than the supported version; "
f92ce9
-                                  "the default value \"%s\" is used.",
f92ce9
-                                  val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
-                   (*rval) = enabledNSSVersions.min;
f92ce9
+                    slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
+                                   "\"%s\" is lower than the supported version; "
f92ce9
+                                   "the default value \"%s\" is used.",
f92ce9
+                                   val, emin);
f92ce9
+                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
-                   (*rval) = SSL_LIBRARY_VERSION_2;
f92ce9
+                    (*rval) = SSL_LIBRARY_VERSION_2;
f92ce9
                 }
f92ce9
             } else {
f92ce9
                 if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) {
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
-                                   "\"%s\" is higher than the supported version; "
f92ce9
-                                   "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
-                   (*rval) = enabledNSSVersions.max;
f92ce9
+                                    "\"%s\" is higher than the supported version; "
f92ce9
+                                    "the default value \"%s\" is used.",
f92ce9
+                                    val, emax);
f92ce9
+                    (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
-                   (*rval) = SSL_LIBRARY_VERSION_2;
f92ce9
+                    (*rval) = SSL_LIBRARY_VERSION_2;
f92ce9
                 }
f92ce9
             }
f92ce9
         } else if (3 == vnum) {
f92ce9
@@ -1387,7 +1398,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                                   val, emin);
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
                    (*rval) = SSL_LIBRARY_VERSION_3_0;
f92ce9
@@ -1398,7 +1409,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                                   val, emax);
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
                     (*rval) = SSL_LIBRARY_VERSION_3_0;
f92ce9
@@ -1408,12 +1419,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
             if (ismin) {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
-                               val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                               val, emin);
f92ce9
                 (*rval) = enabledNSSVersions.min;
f92ce9
             } else {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
-                               val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                               val, emax);
f92ce9
                 (*rval) = enabledNSSVersions.max;
f92ce9
             }
f92ce9
         }
f92ce9
@@ -1427,7 +1438,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                                   val, emin);
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
@@ -1438,7 +1449,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                                   val, emax);
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
@@ -1450,7 +1461,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                                   val, emin);
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
f92ce9
@@ -1461,7 +1472,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                                   val, emax);
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
f92ce9
@@ -1474,7 +1485,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                                   val, emin);
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
f92ce9
@@ -1485,7 +1496,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
-                                   val, getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                                   val, emax);
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
f92ce9
@@ -1497,13 +1508,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                "\"%s\" is out of the range of the supported version; "
f92ce9
                                "the default value \"%s\" is used.",
f92ce9
-                               val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                               val, emin);
f92ce9
                 (*rval) = enabledNSSVersions.min;
f92ce9
             } else {
f92ce9
                 slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                "\"%s\" is out of the range of the supported version; "
f92ce9
                                "the default value \"%s\" is used.",
f92ce9
-                               val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                               val, emax);
f92ce9
                 (*rval) = enabledNSSVersions.max;
f92ce9
             }
f92ce9
         }
f92ce9
@@ -1511,12 +1522,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
         if (ismin) {
f92ce9
             slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                            "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
-                           val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                           val, emin);
f92ce9
             (*rval) = enabledNSSVersions.min;
f92ce9
         } else {
f92ce9
             slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                            "\"%s\" is invalid; the default value \"%s\" is used.",
f92ce9
-                           val, getNSSVersion_str(enabledNSSVersions.min));
f92ce9
+                           val, emax);
f92ce9
             (*rval) = enabledNSSVersions.max;
f92ce9
         }
f92ce9
     }
f92ce9
@@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
     PRUint16 NSSVersionMin = enabledNSSVersions.min;
f92ce9
     PRUint16 NSSVersionMax = enabledNSSVersions.max;
f92ce9
+    char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
f92ce9
+    char newmax[VERSION_STR_LENGTH];
f92ce9
 #endif
f92ce9
     char cipher_string[1024];
f92ce9
     int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
f92ce9
@@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
         }
f92ce9
         slapi_ch_free_string( &val );
f92ce9
         if (NSSVersionMin > NSSVersionMax) {
f92ce9
+            (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
f92ce9
+            (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
f92ce9
             slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
f92ce9
-                           getNSSVersion_str(NSSVersionMin), 
f92ce9
-                           getNSSVersion_str(NSSVersionMax));
f92ce9
+                           mymin, mymax);
f92ce9
+            (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
f92ce9
             slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
f92ce9
-                           getNSSVersion_str(NSSVersionMax), 
f92ce9
-                           getNSSVersion_str(enabledNSSVersions.max));
f92ce9
+                           mymax, newmax);
f92ce9
             NSSVersionMax = enabledNSSVersions.max;
f92ce9
         }
f92ce9
 #endif
f92ce9
@@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
         slapdNSSVersions.min = NSSVersionMin;
f92ce9
         slapdNSSVersions.max = NSSVersionMax;
f92ce9
         restrict_SSLVersionRange();
f92ce9
+        (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
f92ce9
+        (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
f92ce9
         slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
f92ce9
                         "Configured SSL version range: min: %s, max: %s\n",
f92ce9
-                        getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                        getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                        mymin, mymax);
f92ce9
         sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
f92ce9
         if (sslStatus == SECSuccess) {
f92ce9
             /* Set the restricted value to the cn=encryption entry */
f92ce9
         } else {
f92ce9
             slapd_SSL_error("SSL Initialization 2: "
f92ce9
                             "Failed to set SSL range: min: %s, max: %s\n",
f92ce9
-                            getNSSVersion_str(slapdNSSVersions.min),
f92ce9
-                            getNSSVersion_str(slapdNSSVersions.max));
f92ce9
+                            mymin, mymax);
f92ce9
         }
f92ce9
     } else {
f92ce9
 #endif
f92ce9
-- 
f92ce9
1.9.3
f92ce9