zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago
Clone

Blame SOURCES/0030-Ticket-47928-Disable-SSL-v3-by-default.patch

f92ce9
From c2bb6286434ea3bb87d454a8c9451dcc8f278297 Mon Sep 17 00:00:00 2001
f92ce9
From: Noriko Hosoi <nhosoi@redhat.com>
f92ce9
Date: Thu, 13 Nov 2014 12:14:48 -0800
f92ce9
Subject: [PATCH 30/30] Ticket #47928 - Disable SSL v3, by default.
f92ce9
f92ce9
Description:
f92ce9
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
f92ce9
In dn: cn=encryption,cn=config,
f92ce9
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
f92ce9
   ==>
f92ce9
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
f92ce9
f92ce9
1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
f92ce9
   sslVersionMin: TLS1.0
f92ce9
   sslVersionMax: TLS1.3
f92ce9
   nsSSL3: off
f92ce9
   nsTLS1: on
f92ce9
   ==>
f92ce9
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
f92ce9
2) Setting new SSL version attrs; supported max is TLS1.2
f92ce9
   sslVersionMin: TLS1.0
f92ce9
   sslVersionMax: TLS1.3
f92ce9
   ==>
f92ce9
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
f92ce9
f92ce9
3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
f92ce9
   nsSSL3: on
f92ce9
   sslVersionMin: TLS1.0
f92ce9
   ==>
f92ce9
   SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis
f92ce9
   able nsSSL3 in cn=encryption,cn=config.
f92ce9
   SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
f92ce9
    are on. Respect the supported range.
f92ce9
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
f92ce9
f92ce9
4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
f92ce9
   nsSSL3: off
f92ce9
   sslVersionMin: SSL3
f92ce9
   sslVersionMax: SSL3
f92ce9
   ==>
f92ce9
   SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
f92ce9
    the version range as default min: TLS1.0, max: TLS1.2.
f92ce9
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
f92ce9
f92ce9
5) Setting old/new SSL version attrs; no conflict; setting SSL3
f92ce9
   nsSSL3: on
f92ce9
   nsTLS1: off
f92ce9
   sslVersionMin: SSL3
f92ce9
   sslVersionMax: SSL3
f92ce9
   ==>
f92ce9
   SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
f92ce9
   nsSSL3 in cn=encryption,cn=config.
f92ce9
   SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
f92ce9
   to set sslVersionMin higher than TLS1.0.
f92ce9
   SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
f92ce9
f92ce9
https://fedorahosted.org/389/ticket/47928
f92ce9
f92ce9
Reviewed by mreynolds@redhat.com (Thank you, Mark!!)
f92ce9
f92ce9
(cherry picked from commit ad7885eae64a2085a89d516c1106b578142be502)
f92ce9
(cherry picked from commit 3e7321ba1641234651fbf1e8fc01bf9fbecbc696)
f92ce9
---
f92ce9
 ldap/servers/slapd/fedse.c |  2 +-
f92ce9
 ldap/servers/slapd/ssl.c   | 74 ++++++++++++++++++++++++++--------------------
f92ce9
 2 files changed, 43 insertions(+), 33 deletions(-)
f92ce9
f92ce9
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
f92ce9
index 87f45a1..d10fb3e 100644
f92ce9
--- a/ldap/servers/slapd/fedse.c
f92ce9
+++ b/ldap/servers/slapd/fedse.c
f92ce9
@@ -110,7 +110,7 @@ static const char *internal_entries[] =
f92ce9
     "cn:encryption\n"
f92ce9
 	"nsSSLSessionTimeout:0\n"
f92ce9
 	"nsSSLClientAuth:allowed\n"
f92ce9
-	"sslVersionMin:tls1.1\n",
f92ce9
+	"sslVersionMin:TLS1.0\n",
f92ce9
 
f92ce9
     "dn:cn=monitor\n"
f92ce9
     "objectclass:top\n"
f92ce9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index 5d6919a..6b51e0c 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -87,13 +87,23 @@
f92ce9
 /* TLS1.1 is defined in RFC4346. */
f92ce9
 #define NSS_TLS11 1
f92ce9
 #else
f92ce9
-/* 
f92ce9
- * TLS1.0 is defined in RFC2246.
f92ce9
- * Close to SSL 3.0.
f92ce9
- */
f92ce9
 #define NSS_TLS10 1
f92ce9
 #endif
f92ce9
 
f92ce9
+/******************************************************************************
f92ce9
+ * Default SSL Version Rule
f92ce9
+ * Old SSL version attributes:
f92ce9
+ *   nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0
f92ce9
+ *   nsTLS1: on  -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater
f92ce9
+ *   Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0.
f92ce9
+ * New SSL version attributes:
f92ce9
+ *   sslVersionMin: TLS1.0
f92ce9
+ *   sslVersionMax: max ssl version supported by NSS
f92ce9
+ ******************************************************************************/
f92ce9
+
f92ce9
+#define DEFVERSION "TLS1.0"
f92ce9
+#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0
f92ce9
+
f92ce9
 extern char* slapd_SSL3ciphers;
f92ce9
 extern symbol_t supported_ciphers[];
f92ce9
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
f92ce9
@@ -253,12 +263,12 @@ static lookup_cipher _lookup_cipher[] = {
f92ce9
 PRBool enableSSL2 = PR_FALSE;
f92ce9
 /*
f92ce9
  * nsSSL3: on -- disable SSLv3 by default.
f92ce9
- * Corresonding to SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0 
f92ce9
+ * Corresonding to SSL_LIBRARY_VERSION_3_0
f92ce9
  */
f92ce9
 PRBool enableSSL3 = PR_FALSE;
f92ce9
 /*
f92ce9
  * nsTLS1: on -- enable TLS1 by default.
f92ce9
- * Corresonding to SSL_LIBRARY_VERSION_TLS_1_1 and greater.
f92ce9
+ * Corresonding to SSL_LIBRARY_VERSION_TLS_1_0 and greater.
f92ce9
  */
f92ce9
 PRBool enableTLS1 = PR_TRUE;
f92ce9
 
f92ce9
@@ -927,14 +937,14 @@ restrict_SSLVersionRange(void)
f92ce9
         slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
f92ce9
                        "We strongly recommend to disable nsSSL3 in %s.", configDN);
f92ce9
         if (enableTLS1) {
f92ce9
-            if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+            if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but both nsSSL3 and nsTLS1 are on. "
f92ce9
                                "Respect the supported range.",
f92ce9
                                mymin, mymax);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
             }
f92ce9
-            if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+            if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but both nsSSL3 and nsTLS1 are on. "
f92ce9
                                "Resetting the max to the supported max SSL version: %s.",
f92ce9
@@ -943,7 +953,7 @@ restrict_SSLVersionRange(void)
f92ce9
             }
f92ce9
         } else {
f92ce9
             /* nsTLS1 is explicitly set to off. */
f92ce9
-            if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+            if (enabledNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
                                "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
                                "Respect the supported range.",
f92ce9
@@ -951,20 +961,20 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
-            } else if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { 
f92ce9
+            } else if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) { 
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
                                "but nsSSL3 is on and nsTLS1 is off. "
f92ce9
                                "Respect the configured range.",
f92ce9
                                mymin, mymax);
f92ce9
                 enableSSL3 = PR_FALSE;
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
-            } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+            } else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
f92ce9
-                               "We strongly recommend to set sslVersionMax higher than %s.",
f92ce9
-                               mymin, mymax, emax);
f92ce9
+                               "We strongly recommend to set sslVersionMin higher than %s.",
f92ce9
+                               mymin, mymax, DEFVERSION);
f92ce9
             } else {
f92ce9
                 /* 
f92ce9
-                 * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
+                 * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
                  * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
                  */
f92ce9
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
f92ce9
@@ -976,7 +986,7 @@ restrict_SSLVersionRange(void)
f92ce9
         }
f92ce9
     } else {
f92ce9
         if (enableTLS1) {
f92ce9
-            if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+            if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 /* TLS1 is on, but TLS1 is not supported by NSS.  */
f92ce9
                 slapd_SSL_warn("Supported range: min: %s, max: %s; "
f92ce9
                                "Setting the version range based upon the supported range.",
f92ce9
@@ -985,17 +995,17 @@ restrict_SSLVersionRange(void)
f92ce9
                 slapdNSSVersions.min = enabledNSSVersions.min;
f92ce9
                 enableSSL3 = PR_TRUE;
f92ce9
                 enableTLS1 = PR_FALSE;
f92ce9
-            } else if ((slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) ||
f92ce9
-                       (slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_1)) {
f92ce9
+            } else if ((slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) ||
f92ce9
+                       (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION)) {
f92ce9
                 slapdNSSVersions.max = enabledNSSVersions.max;
f92ce9
-                slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
f92ce9
-                slapd_SSL_warn("Default SSL Version settings; "
f92ce9
-                               "Configuring the version range as min: %s, max: %s; ",
f92ce9
-                               mymin, mymax);
f92ce9
+                slapdNSSVersions.min = SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min);
f92ce9
+                slapd_SSL_warn("nsTLS1 is on, but the version range is lower than \"%s\"; "
f92ce9
+                               "Configuring the version range as default min: %s, max: %s.",
f92ce9
+                               DEFVERSION, DEFVERSION, emax);
f92ce9
             } else {
f92ce9
                 /* 
f92ce9
-                 * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
f92ce9
-                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
+                 * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
+                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
f92ce9
                  */
f92ce9
                 ;
f92ce9
             }
f92ce9
@@ -1004,14 +1014,14 @@ restrict_SSLVersionRange(void)
f92ce9
                            "Respect the configured range.",
f92ce9
                            emin, emax);
f92ce9
             /* nsTLS1 is explicitly set to off. */
f92ce9
-            if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+            if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
-            } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
f92ce9
+            } else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                 enableSSL3 = PR_TRUE;
f92ce9
             } else {
f92ce9
                 /* 
f92ce9
-                 * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
-                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
f92ce9
+                 * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
f92ce9
+                 * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
f92ce9
                  */
f92ce9
                 enableSSL3 = PR_TRUE;
f92ce9
                 enableTLS1 = PR_TRUE;
f92ce9
@@ -1434,17 +1444,17 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
         sscanf(vp, "%4f", &tlsv);
f92ce9
         if (tlsv < 1.1) { /* TLS1.0 */
f92ce9
             if (ismin) {
f92ce9
-                if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+                if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
f92ce9
                                    "\"%s\" is lower than the supported version; "
f92ce9
                                    "the default value \"%s\" is used.",
f92ce9
                                    val, emin);
f92ce9
                    (*rval) = enabledNSSVersions.min;
f92ce9
                 } else {
f92ce9
-                   (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
+                   (*rval) = CURRENT_DEFAULT_SSL_VERSION;
f92ce9
                 }
f92ce9
             } else {
f92ce9
-                if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+                if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
                     /* never happens */
f92ce9
                     slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
f92ce9
                                    "\"%s\" is higher than the supported version; "
f92ce9
@@ -1452,7 +1462,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
f92ce9
                                    val, emax);
f92ce9
                     (*rval) = enabledNSSVersions.max;
f92ce9
                 } else {
f92ce9
-                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
f92ce9
+                    (*rval) = CURRENT_DEFAULT_SSL_VERSION;
f92ce9
                 }
f92ce9
             }
f92ce9
         } else if (tlsv < 1.2) { /* TLS1.1 */
f92ce9
@@ -1906,7 +1916,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
f92ce9
             } else {
f92ce9
                 enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" );
f92ce9
             }
f92ce9
-        } else if (enabledNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_0) {
f92ce9
+        } else if (enabledNSSVersions.max >= CURRENT_DEFAULT_SSL_VERSION) {
f92ce9
             enableTLS1 = PR_TRUE; /* If available, enable TLS1 */
f92ce9
         }
f92ce9
         slapi_ch_free_string( &val );
f92ce9
-- 
f92ce9
1.9.3
f92ce9