From 7c4efde501b8af0469ff15602d8d046657dec4aa Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Tue, 10 May 2016 14:41:10 -0700 Subject: [PATCH 400/404] Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch is adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config so that the definition of nsTLS1 remains intact if the new parameters are not specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config entry, nsTLS1 is ignored and the new parameters are added. Default values: nsTLS1: on nsTLS10,nsTLS11,nsTLS12: ignored Examples: cn=encryption,cn=config [no SSL version settings] ==> sslVersionMin: TLS1.0 cn=encryption,cn=config nsTLS1: on ==> sslVersionMin: TLS1.0 cn=encryption,cn=config nsTLS1: on | off nsTLS10: on ==> sslVersionMin: TLS1.0 ==> Note: nsTLS1 is ignored. cn=encryption,cn=config nsTLS11: on ==> sslVersionMin: TLS1.1 cn=encryption,cn=config nsTLS12: on ==> sslVersionMin: TLS1.2 Special cases: If all SSL version config parameters are off, SSL fails to configure. cn=encryption,cn=config nsTLS10: off nsTLS11: off nsTLS12: off nsTLS1: off ==> SSL configuration fails. ==> Note: nsSSL3 is off by default. cn=encryption,cn=config nsTLS10: on nsTLS12: off ==> sslVersionMin: TLS1.0 ==> Note: nsTLS12 is ignored. Even if off is set to the higher SSL version as in this example, it is not used as sslVersionMax, but it is ignored. https://fedorahosted.org/389/ticket/48816 Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!! Final review was made by wibrown@redhat.com (Thank you, William!!) (cherry picked from commit 6111400a7b21785823e16b1071fc29bc21542213) --- ldap/schema/01core389.ldif | 5 +++- ldap/servers/slapd/ssl.c | 71 +++++++++++++++++++++++++++++++++++++++------- 2 files changed, 65 insertions(+), 11 deletions(-)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index c962dc0..afa4ee6 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut
 attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
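Review bot: The three new attributeTypes are declared without SINGLE-VALUE, so one config entry can hold both `nsTLS10: on` and `nsTLS10: off`, and the reader in ssl.c then takes whichever value slapi_entry_attr_get_charptr returns, presumably the first stored one. For a setting that decides whether TLS1.0 is offered at all, an ambiguous entry is better rejected by the schema, which adding `SINGLE-VALUE` before `X-ORIGIN` on the three added lines would do, e.g. `attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape' )`. nsTLS1 and nsSSL3 are declared the same way today, so this would only tighten the new attributes.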
@@ -172,5 +175,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 090c328..37a176f 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 Slapi_Entry *e = NULL;
 PRBool enableSSL2 = PR_FALSE;
 PRBool enableSSL3 = PR_FALSE;
+ int enableTLS10 = -1;
+ int enableTLS11 = -1;
+ int enableTLS12 = -1;
 PRBool enableTLS1 = PR_TRUE;
 PRBool fipsMode = PR_FALSE;
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
@@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 }
 }
 slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS10" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS10 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS10 = 1;
+ } else {
+ enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS11" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS11 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS11 = 1;
+ } else {
+ enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS12" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS12 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS12 = 1;
+ } else {
+ enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
 val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
 if ( val ) {
 if ( !strcasecmp( val, "off" ) ) {
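Review bot: The three blocks added for nsTLS10, nsTLS11 and nsTLS12 are the same eleven lines with only the attribute name changed, which makes the `val` / `slapi_ch_free_string( &val )` pairing easy to break the next time a version is added; a small static helper returning -1/0/1 would replace the 33 lines with three calls, as sketched below. The fallback `slapi_entry_attr_get_bool(e, "nsTLS10")?1:0` for values other than on/off deserves a comment, because a misspelt value silently becomes an explicit setting instead of being reported as unrecognised. slapd_ssl_init2 starts and ends outside this hunk.
```c
/* Returns 1 for "on", 0 for "off", -1 when the attribute is absent; any other
 * value is mapped through slapi_entry_attr_get_bool(), as nsTLS1 already is. */
static int
ssl_version_flag(Slapi_Entry *e, const char *attr)
{
    int flag = -1;
    char *val = slapi_entry_attr_get_charptr(e, attr);
    if (val) {
        if (!strcasecmp(val, "off")) {
            flag = 0;
        } else if (!strcasecmp(val, "on")) {
            flag = 1;
        } else {
            flag = slapi_entry_attr_get_bool(e, attr) ? 1 : 0;
        }
    }
    slapi_ch_free_string(&val);
    return flag;
}

/* … in slapd_ssl_init2, in place of the three copied blocks … */
enableTLS10 = ssl_version_flag(e, "nsTLS10");
enableTLS11 = ssl_version_flag(e, "nsTLS11");
enableTLS12 = ssl_version_flag(e, "nsTLS12");
```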
@@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
 if (NSSVersionMin > 0) {
 char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ NSSVersionMax = enabledNSSVersions.max;
 /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
- if (enableTLS1) {
+ if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
+ if (enableTLS10 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableTLS11 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
+ } else if (enableTLS12 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
+ } else if (enableTLS1) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableSSL3) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+ NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+ return 0;
+ }
+ } else if (enableTLS1) {
 NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- } else {
+ } else if (enableSSL3) {
 NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
 NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
- }
- if (enableSSL3) {
- NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
- } else if (!enableTLS1) {
- slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1.");
- NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- NSSVersionMax = enabledNSSVersions.max;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+ return 0;
 }
 slapdNSSVersions.min = NSSVersionMin;
 slapdNSSVersions.max = NSSVersionMax;
 (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
 (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
- slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
 "Configured SSL version range: min: %s, max: %s\n", mymin, mymax);
 sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
-- 
2.4.11
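Review bot: An explicit `nsTLS10: off` on its own does not disable TLS1.0: enableTLS10 becomes 0, the other two stay -1, the new branch is entered, none of the `> 0` arms match, and control reaches `} else if (enableTLS1) {`, where nsTLS1 still holds its PR_TRUE default from the declaration hunk, so sslVersionMin stays at TLS1.0 even though the commit message says nsTLS1 is ignored once the new parameters appear. Inside that branch the arms after the explicit-"on" checks should choose the lowest version that was not switched off and never consult nsTLS1, as sketched below, with the nsSSL3 arm and the all-off error kept after them; that preserves every example in the description and makes `nsTLS10: off` alone yield TLS1.1. The `return 0` added in both error arms presumably reports success to the caller if slapd_ssl_init2's other failure paths use a non-zero value, and it skips whatever release of `e` follows later in the function; both are outside the hunk, so please confirm. The change of the "Configured SSL version range" message from SLAPI_LOG_CONFIG to SLAPI_LOG_FATAL is presumably for visibility in the default error log, and a one-line comment saying so would stop the next reader from treating it as an error path.
```c
            if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
                /* nsTLS1x settings take precedence over nsTLS1: an explicit "on"
                 * picks the minimum, otherwise the lowest version not set "off". */
                if (enableTLS10 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
                } else if (enableTLS11 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
                } else if (enableTLS12 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
                } else if (enableTLS10 != 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
                } else if (enableTLS11 != 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
                } else if (enableTLS12 != 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
                } else if (enableSSL3) {
                    /* … unchanged: SSL3-only min/max … */
                } else {
                    /* … unchanged: "all SSL version parameters are off" error and return … */
                }
            } else if (enableTLS1) {
                /* … unchanged: legacy nsTLS1 / nsSSL3 handling … */
```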