
From 2c550346512bc3dec27c9329f4902663759e4b65 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 11 Sep 2014 11:46:51 -0700
Subject: [PATCH 4/7] Ticket #47838 - harden the list of ciphers available by
 default
Description:
1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
   allowWeakCipher: [on | off]
                     on  -- allows weak ciphers.
                            Default setting for user specified ciphers.
                     off -- rejects weak ciphers.
                            Default setting for +all and default.
2. allowWeakCipher is applied only to the user specified cipher suites
   such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
   If allowWeakCipher is enabled and the user specified cipher is weak,
      SSL alert is logged in the error log:
       SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
       allowWeakCipher is "on" (default setting for the backward compatibility).
       We strongly recommend to set it to "off".  Please replace the value of
       allowWeakCipher with "off" in the encryption config entry cn=encryption,
       cn=config and restart the server.
3. If a specified cipher suite is not supported, ignore the cipher suite
   and continue setting ciphers.
https://fedorahosted.org/389/ticket/47838
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 5f3c87e1380e56d76d4a4bef3af07633a8589891)
(cherry picked from commit 58cb12a7b8cf938c5a4b920c4a1ad1da02fecdb8)
---
 ldap/schema/01core389.ldif |   3 +-
 ldap/servers/slapd/ssl.c   | 262 +++++++++++++++++++++++++++------------------
 2 files changed, 162 insertions(+), 103 deletions(-)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
f92ce9
index 1b8a70b..c7aec70 100644
f92ce9
--- a/ldap/schema/01core389.ldif
f92ce9
+++ b/ldap/schema/01core389.ldif
f92ce9
@@ -128,6 +128,7 @@ attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Net
f92ce9
 attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
 attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
 attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
+attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
 attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
 attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
f92ce9
 attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
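Review bot: The new allowWeakCipher attribute type reuses the legacy boilerplate DESC 'Netscape defined attribute type' and X-ORIGIN 'Netscape' although it is introduced by this patch, so a schema browser learns nothing about what the attribute controls. A DESC that names the contract given in the commit message, e.g. `DESC 'on|off: whether weak cipher suites named in nsSSL3Ciphers may be enabled'`, would put that information where administrators actually look it up.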
f92ce9
@@ -316,7 +317,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
f92ce9
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
f92ce9
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
f92ce9
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
f92ce9
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
f92ce9
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
f92ce9
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
f92ce9
 objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
f92ce9
 objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top  MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
f92ce9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index 1a21df0..03b5904 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -119,7 +119,21 @@ static char * configDN = "cn=encryption,cn=config";
f92ce9
 #define FILE_PATHSEP '/'
f92ce9
 
f92ce9
 /* ----------------------- Multiple cipher support ------------------------ */
f92ce9
-
f92ce9
+/* cipher set flags */
f92ce9
+#define CIPHER_SET_ALL             0x1
f92ce9
+#define CIPHER_SET_NONE            0x0
f92ce9
+#define CIPHER_SET_DEFAULT         0x2
f92ce9
+#define CIPHER_SET_CORE            (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
f92ce9
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
f92ce9
+
f92ce9
+#define CIPHER_SET_ISDEFAULT(flag) \
f92ce9
+  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
f92ce9
+#define CIPHER_SET_ISALL(flag) \
f92ce9
+  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
f92ce9
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
f92ce9
+  (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
f92ce9
+#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
f92ce9
+  ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
f92ce9
 
f92ce9
 /* flags */
f92ce9
 #define CIPHER_IS_DEFAULT       0x1
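Review bot: CIPHER_SET_ISDEFAULT and CIPHER_SET_ISALL compare the masked value against one mode exactly, so a flag word carrying both CIPHER_SET_ALL and CIPHER_SET_DEFAULT satisfies neither predicate and falls through to the disable-all branch of _conf_setallciphers, yet nothing in the macro block says the three core values are exclusive. A comment above CIPHER_SET_ALL, `/* CIPHER_SET_ALL, CIPHER_SET_NONE and CIPHER_SET_DEFAULT are mutually exclusive mode values; only CIPHER_SET_ALLOWWEAKCIPHER may be OR'ed in. */`, would make that contract explicit. CIPHER_SET_NONE is 0x0 and contributes nothing to the CIPHER_SET_CORE mask; listing it there is harmless but reads as if it were a bit.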
f92ce9
@@ -158,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
f92ce9
     {"tls_rsa_3des_sha",                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
f92ce9
     {"rsa_fips_3des_sha",                   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
f92ce9
     {"fips_3des_sha",                       "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
f92ce9
-    {"rsa_des_sha",                         "TLS_RSA_WITH_DES_CBC_SHA"},
f92ce9
+    {"rsa_des_sha",                         "SSL_RSA_WITH_DES_CBC_SHA"},
f92ce9
     {"rsa_fips_des_sha",                    "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
f92ce9
     {"fips_des_sha",                        "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
f92ce9
     {"rsa_rc4_40_md5",                      "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
f92ce9
@@ -339,21 +353,20 @@ _conf_init_ciphers()
f92ce9
     return;
f92ce9
 }
f92ce9
 
f92ce9
-#define CIPHER_SET_ALL     1
f92ce9
-#define CIPHER_SET_NONE    0
f92ce9
-#define CIPHER_SET_DEFAULT 2
f92ce9
 /*
f92ce9
- * flag: 1 -- enable all
f92ce9
- *       0 -- disable all
f92ce9
- *       2 -- set default ciphers
f92ce9
+ * flag: CIPHER_SET_ALL     -- enable all
f92ce9
+ *       CIPHER_SET_NONE    -- disable all
f92ce9
+ *       CIPHER_SET_DEFAULT -- set default ciphers
f92ce9
+ *       CIPHER_SET_ALLOW_WEAKCIPHER -- allow weak ciphers (can be or'ed with the ather CIPHER_SET flags)
f92ce9
  */  
f92ce9
 static void
f92ce9
 _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
f92ce9
 {
f92ce9
     int x;
f92ce9
     SECStatus rc;
f92ce9
-    PRBool setdefault = (flag == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE;
f92ce9
-    PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
f92ce9
+    PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);
f92ce9
+    PRBool enabled = CIPHER_SET_ISALL(flag);
f92ce9
+    PRBool allowweakcipher = CIPHER_SET_ALLOWSWEAKCIPHER(flag);
f92ce9
     PRBool setme = PR_FALSE;
f92ce9
     const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
f92ce9
 
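Review bot: The new `flag:` list in the header comment names `CIPHER_SET_ALLOW_WEAKCIPHER`, but the macro this patch defines earlier in the file is `CIPHER_SET_ALLOWWEAKCIPHER`, and "ather" is a typo, so a reader searching for the documented name finds nothing. Change the line to ` *       CIPHER_SET_ALLOWWEAKCIPHER -- allow weak ciphers (can be or'ed with the other CIPHER_SET flags)`. The body of _conf_setallciphers continues past the end of this hunk.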
f92ce9
@@ -361,8 +374,9 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
f92ce9
 
f92ce9
     for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
f92ce9
         if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
f92ce9
+            /* certainly, not the first time. */
f92ce9
             setme = PR_TRUE;
f92ce9
-        } else {
f92ce9
+        } else if (setdefault) {
f92ce9
             /* 
f92ce9
              * SSL_CipherPrefGetDefault
f92ce9
              * If the application has not previously set the default preference,
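Review bot: Turning the second branch into `} else if (setdefault) {` makes the chain exclusive, so a cipher whose CIPHER_IS_DEFAULT flag was recorded by an earlier pass now keeps `setme = PR_TRUE` in every mode, including CIPHER_SET_NONE, whereas the `if (setdefault) ... else setme = PR_FALSE;` tail that the next hunk removes used to override it; the "disable all first" call in _conf_setciphers therefore no longer clears previously-defaulted ciphers, and the CIPHER_MUST_BE_DISABLED test is skipped for them as well. Whether a CIPHER_SET_NONE pass can follow a default pass within one process is not visible in this patch, so this may be intended, but `/* certainly, not the first time. */` does not say so. Suggest `/* CIPHER_IS_DEFAULT was recorded by an earlier CIPHER_SET_DEFAULT pass; such ciphers stay enabled in every mode, including CIPHER_SET_NONE. */`, or clear the flag when the mode is not setdefault if that retention is not wanted. The loop and function continue outside this hunk on both sides.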
f92ce9
@@ -375,15 +389,16 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
f92ce9
                     _conf_ciphers[x].name);
f92ce9
                 continue;
f92ce9
             }
f92ce9
-            if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
f92ce9
+            if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
f92ce9
                 setme = PR_FALSE;
f92ce9
             }
f92ce9
             _conf_ciphers[x].flags |= setme?CIPHER_IS_DEFAULT:0;
f92ce9
-        }
f92ce9
-        if (setdefault) {
f92ce9
-            /* Use the NSS default settings */
f92ce9
         } else if (enabled && !(_conf_ciphers[x].flags & CIPHER_MUST_BE_DISABLED)) {
f92ce9
-            setme = PR_TRUE;
f92ce9
+            if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
f92ce9
+                setme = PR_FALSE;
f92ce9
+            } else {
f92ce9
+                setme = PR_TRUE;
f92ce9
+            }
f92ce9
         } else {
f92ce9
             setme = PR_FALSE;
f92ce9
         }
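Review bot: Inside this function `allowweakcipher` can only be PR_TRUE if a caller passes CIPHER_SET_ALLOWWEAKCIPHER together with CIPHER_SET_DEFAULT or CIPHER_SET_ALL, but the two callers this patch adds in _conf_setciphers run the flag through CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER first and the CIPHER_SET_NONE call passes no extra bits, so as far as this patch shows both new `!allowweakcipher &&` tests are constant. That matches the commit message (weak suites are only ever allowed when named individually), but the next reader will trace the callers to confirm it; a comment at the first test, `/* #47838: callers clear CIPHER_SET_ALLOWWEAKCIPHER for the default and +all sets; weak suites are only allowed when named individually */`, would record the intent. If a future caller is meant to allow weak ciphers here, the identical weak test now appears in two branches and could be a small static helper. The loop body continues after this hunk.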
f92ce9
@@ -433,7 +448,7 @@ _conf_dumpciphers()
f92ce9
 }
f92ce9
 
f92ce9
 char *
f92ce9
-_conf_setciphers(char *ciphers)
f92ce9
+_conf_setciphers(char *ciphers, int flags)
f92ce9
 {
f92ce9
     char *t, err[MAGNUS_ERROR_LEN];
f92ce9
     int x, i, active;
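Review bot: The new `flags` parameter on `_conf_setciphers` is undocumented, and its only legal values (0 or CIPHER_SET_ALLOWWEAKCIPHER, judging from the single caller in slapd_ssl_init) are not stated near the signature. A short comment above the function, `/* flags: CIPHER_SET_ALLOWWEAKCIPHER permits weak suites that are named explicitly in ciphers; 0 disables them. The default and +all sets never include weak suites. */`, would pin that contract. `_conf_setciphers` is not static and the diffstat lists only ssl.c and the schema file, so any prototype of it elsewhere would still declare the one-argument form — worth confirming.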
f92ce9
@@ -445,7 +460,7 @@ _conf_setciphers(char *ciphers)
f92ce9
     /* #47838: harden the list of ciphers available by default */
f92ce9
     /* Default is to activate all of them ==> none of them*/
f92ce9
     if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
f92ce9
-        _conf_setallciphers(CIPHER_SET_DEFAULT, NULL, NULL);
f92ce9
+        _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
f92ce9
         slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
f92ce9
         _conf_dumpciphers();
f92ce9
         return NULL;
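Review bot: `CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)` ORs every bit of `flags` except the allow-weak bit into the mode word; with the values slapd_ssl_init passes (0 or CIPHER_SET_ALLOWWEAKCIPHER) that reduces to CIPHER_SET_DEFAULT, and if a caller ever passed a CIPHER_SET_CORE bit in `flags` the exact comparison in CIPHER_SET_ISDEFAULT would stop matching and the call would silently behave as CIPHER_SET_NONE. Passing the mode alone states the intent directly: `_conf_setallciphers(CIPHER_SET_DEFAULT /* weak suites are never part of the default set */, NULL, NULL);`. The same applies to the CIPHER_SET_ALL call in the next hunk.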
f92ce9
@@ -458,11 +473,11 @@ _conf_setciphers(char *ciphers)
f92ce9
          * set of ciphers in the table. Right now there is no support for this
f92ce9
          * from the console
f92ce9
          */
f92ce9
-        _conf_setallciphers(CIPHER_SET_ALL, &suplist, NULL);
f92ce9
+        _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
f92ce9
     } else {
f92ce9
         /* If "+all" is not in nsSSL3Ciphers value, disable all first,
f92ce9
          * then enable specified ciphers. */
f92ce9
-        _conf_setallciphers(0 /* disabled */, NULL, NULL);
f92ce9
+        _conf_setallciphers(CIPHER_SET_NONE /* disabled */, NULL, NULL);
f92ce9
     }
f92ce9
 
f92ce9
     t = ciphers;
f92ce9
@@ -482,12 +497,28 @@ _conf_setciphers(char *ciphers)
f92ce9
         if( (t = strchr(ciphers, ',')) )
f92ce9
             *t++ = '\0';
f92ce9
 
f92ce9
-        if(strcasecmp(ciphers, "all")) { /* if not all */
f92ce9
+        if (strcasecmp(ciphers, "all")) { /* if not all */
f92ce9
             PRBool enabled = active ? PR_TRUE : PR_FALSE;
f92ce9
             lookup = 1;
f92ce9
-            for(x = 0; _conf_ciphers[x].name; x++) {
f92ce9
-                if(!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
f92ce9
+            for (x = 0; _conf_ciphers[x].name; x++) {
f92ce9
+                if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
f92ce9
+                    if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
f92ce9
+                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
f92ce9
+                            slapd_SSL_warn("Cipher %s is weak.  It is enabled since allowWeakCipher is \"on\" "
f92ce9
+                                           "(default setting for the backward compatibility). "
f92ce9
+                                           "We strongly recommend to set it to \"off\".  "
f92ce9
+                                           "Please replace the value of allowWeakCipher with \"off\" in "
f92ce9
+                                           "the encryption config entry cn=encryption,cn=config and "
f92ce9
+                                           "restart the server.", ciphers);
f92ce9
+                        } else {
f92ce9
+                            /* if the cipher is weak and we don't allow weak cipher,
f92ce9
+                               disable it. */
f92ce9
+                            enabled = PR_FALSE;
f92ce9
+                        }
f92ce9
+                    }
f92ce9
                     if (enabled) {
f92ce9
+                        /* if the cipher is not weak or we allow weak cipher,
f92ce9
+                           check fips. */
f92ce9
                         enabled = cipher_check_fips(x, NULL, &unsuplist);
f92ce9
                     }
f92ce9
                     SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
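Review bot: The weak-cipher warning in the new block fires whenever the named suite is weak and allowWeakCipher is on, without consulting `enabled`, so an administrator who explicitly disables a weak suite (`active` is computed before this hunk, presumably from a leading '-') is still told that the cipher `is enabled since allowWeakCipher is "on"`. The alias path in the next hunk guards the same test with `if (enabled)`; doing the same here, `if (enabled && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {`, keeps the two paths consistent and the message truthful. The seven-line message literal is also repeated verbatim in that hunk; one `static const char` string or a small static helper would keep the two copies in sync. The enclosing loop and function continue outside this hunk.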
f92ce9
@@ -499,14 +530,33 @@ _conf_setciphers(char *ciphers)
f92ce9
                 for (i = 0; _lookup_cipher[i].alias; i++) {
f92ce9
                     if (!PL_strcasecmp(ciphers, _lookup_cipher[i].alias)) {
f92ce9
                         if (!_lookup_cipher[i].name[0]) {
f92ce9
-                            slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d",
f92ce9
-                                           ciphers, NSS_VMAJOR, NSS_VMINOR);
f92ce9
-                            break;
f92ce9
+                            slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d.  Ignoring %s",
f92ce9
+                                           ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
f92ce9
+                            continue;
f92ce9
                         }
f92ce9
                         for (x = 0; _conf_ciphers[x].name; x++) {
f92ce9
                             if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
f92ce9
                                 if (enabled) {
f92ce9
-                                    enabled = cipher_check_fips(x, NULL, &unsuplist);
f92ce9
+                                    if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
f92ce9
+                                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
f92ce9
+                                            slapd_SSL_warn("Cipher %s is weak. "
f92ce9
+                                                           "It is enabled since allowWeakCipher is \"on\" "
f92ce9
+                                                           "(default setting for the backward compatibility). "
f92ce9
+                                                           "We strongly recommend to set it to \"off\".  "
f92ce9
+                                                           "Please replace the value of allowWeakCipher with \"off\" in "
f92ce9
+                                                           "the encryption config entry cn=encryption,cn=config and "
f92ce9
+                                                           "restart the server.", ciphers);
f92ce9
+                                        } else {
f92ce9
+                                            /* if the cipher is weak and we don't allow weak cipher,
f92ce9
+                                               disable it. */
f92ce9
+                                            enabled = PR_FALSE;
f92ce9
+                                        }
f92ce9
+                                    }
f92ce9
+                                    if (enabled) {
f92ce9
+                                        /* if the cipher is not weak or we allow weak cipher,
f92ce9
+                                           check fips. */
f92ce9
+                                        enabled = cipher_check_fips(x, NULL, &unsuplist);
f92ce9
+                                    }
f92ce9
                                 }
f92ce9
                                 SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
f92ce9
                                 break;
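Review bot: The reworded "not available" message passes `ciphers` twice, so the log line names the same suite in both halves; `"Cipher suite %s is not available in NSS %d.%d; ignoring it"` with three arguments says the same thing without the duplicated argument. Replacing `break` with `continue` makes the alias loop keep scanning `_lookup_cipher` after the match, which only changes behaviour if an alias appears twice or if code after the loop (outside this hunk) looks at the final value of `i`; a one-line comment on why `continue` is wanted here would save the next reader that check. The weak-cipher handling added under `if (enabled)` is the same block as in the previous hunk, now four levels deeper.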
f92ce9
@@ -1008,6 +1058,7 @@ slapd_ssl_init()
f92ce9
     int rv = 0;
f92ce9
     PK11SlotInfo *slot;
f92ce9
     Slapi_Entry *entry = NULL;
f92ce9
+    int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
f92ce9
 
f92ce9
     /* Get general information */
f92ce9
 
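Review bot: `int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;` is a security-relevant default (weak suites named in nsSSL3Ciphers stay enabled unless the administrator opts out) and the reason it starts as on is given only in the commit message. A comment on the declaration, `/* #47838: starts as "on" so existing nsSSL3Ciphers values keep working; cleared below when allowWeakCipher is off */`, keeps that rationale next to the code. The body of slapd_ssl_init continues outside this hunk.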
f92ce9
@@ -1017,21 +1068,21 @@ slapd_ssl_init()
f92ce9
     ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
f92ce9
 
f92ce9
     /* We are currently using the value of sslSessionTimeout
f92ce9
-	   for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
f92ce9
+       for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
f92ce9
     /* Note from Tom Weinstein on the meaning of the timeout:
f92ce9
 
f92ce9
        Timeouts are in seconds.  '0' means use the default, which is
f92ce9
-	   24hrs for SSL3 and 100 seconds for SSL2.
f92ce9
+       24hrs for SSL3 and 100 seconds for SSL2.
f92ce9
     */
f92ce9
 
f92ce9
     if(!val) {
f92ce9
       errorCode = PR_GetError();
f92ce9
       slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
f92ce9
                      "configuration information ("
f92ce9
-					 SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
f92ce9
-		     		 "nssslSessionTimeout: %s ",
f92ce9
-		     		 errorCode, slapd_pr_strerror(errorCode),
f92ce9
-		     (val ? "found" : "not found"));
f92ce9
+                     SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
f92ce9
+                     "nssslSessionTimeout: %s ",
f92ce9
+                     errorCode, slapd_pr_strerror(errorCode),
f92ce9
+             (val ? "found" : "not found"));
f92ce9
       slapi_ch_free((void **) &val;;
f92ce9
       slapi_ch_free((void **) &ciphers);
f92ce9
       freeConfigEntry( &entry );
f92ce9
@@ -1042,79 +1093,86 @@ slapd_ssl_init()
f92ce9
     slapi_ch_free((void **) &val;;
f92ce9
 
f92ce9
     if (svrcore_setup()) {
f92ce9
-	freeConfigEntry( &entry );
f92ce9
-	return -1;
f92ce9
+        freeConfigEntry( &entry );
f92ce9
+        return -1;
f92ce9
     }
f92ce9
 
f92ce9
-    if((family_list = getChildren(configDN))) {
f92ce9
-		char **family;
f92ce9
-		char *token;
f92ce9
-		char *activation;
f92ce9
+    val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
f92ce9
+    if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
f92ce9
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
f92ce9
+        allowweakcipher = 0;
f92ce9
+    }
f92ce9
+    slapi_ch_free((void **) &val;;
f92ce9
+ 
f92ce9
+    if ((family_list = getChildren(configDN))) {
f92ce9
+        char **family;
f92ce9
+        char *token;
f92ce9
+        char *activation;
f92ce9
 
f92ce9
-	for (family = family_list; *family; family++) {
f92ce9
+        for (family = family_list; *family; family++) {
f92ce9
 
f92ce9
-		token = NULL;
f92ce9
-		activation = NULL;
f92ce9
+            token = NULL;
f92ce9
+            activation = NULL;
f92ce9
 
f92ce9
-		freeConfigEntry( &entry );
f92ce9
+            freeConfigEntry( &entry );
f92ce9
 
f92ce9
- 		getConfigEntry( *family, &entry );
f92ce9
-		if ( entry == NULL ) {
f92ce9
-			continue;
f92ce9
-		}
f92ce9
+            getConfigEntry( *family, &entry );
f92ce9
+            if ( entry == NULL ) {
f92ce9
+                continue;
f92ce9
+            }
f92ce9
 
f92ce9
-		activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
f92ce9
-		if((!activation) || (!PL_strcasecmp(activation, "off"))) {
f92ce9
-			/* this family was turned off, goto next */
f92ce9
-			slapi_ch_free((void **) &activation);
f92ce9
-			continue;
f92ce9
-		}
f92ce9
+            activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
f92ce9
+            if((!activation) || (!PL_strcasecmp(activation, "off"))) {
f92ce9
+                /* this family was turned off, goto next */
f92ce9
+                slapi_ch_free((void **) &activation);
f92ce9
+                continue;
f92ce9
+            }
f92ce9
 
f92ce9
-		slapi_ch_free((void **) &activation);
f92ce9
-
f92ce9
-		token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
f92ce9
-                if( token ) {
f92ce9
-                        if( !PL_strcasecmp(token, "internal") ||
f92ce9
-                            !PL_strcasecmp(token, "internal (software)"))
f92ce9
-    				slot = slapd_pk11_getInternalKeySlot();
f92ce9
-     			else
f92ce9
-    				slot = slapd_pk11_findSlotByName(token);
f92ce9
-    		} else {
f92ce9
-		        errorCode = PR_GetError();
f92ce9
-      			slapd_SSL_warn("Security Initialization: Unable to get token ("
f92ce9
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
-				       errorCode, slapd_pr_strerror(errorCode));
f92ce9
-      			freeChildren(family_list);
f92ce9
-      			freeConfigEntry( &entry );
f92ce9
-      			return -1;
f92ce9
-		}
f92ce9
+            slapi_ch_free((void **) &activation);
f92ce9
 
f92ce9
-		slapi_ch_free((void **) &token);
f92ce9
+            token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
f92ce9
+            if ( token ) {
f92ce9
+                if (!PL_strcasecmp(token, "internal") ||
f92ce9
+                    !PL_strcasecmp(token, "internal (software)")) {
f92ce9
+                    slot = slapd_pk11_getInternalKeySlot();
f92ce9
+                } else {
f92ce9
+                    slot = slapd_pk11_findSlotByName(token);
f92ce9
+                }
f92ce9
+            } else {
f92ce9
+                errorCode = PR_GetError();
f92ce9
+                slapd_SSL_warn("Security Initialization: Unable to get token ("
f92ce9
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
+                       errorCode, slapd_pr_strerror(errorCode));
f92ce9
+                freeChildren(family_list);
f92ce9
+                freeConfigEntry( &entry );
f92ce9
+                return -1;
f92ce9
+            }
f92ce9
 
f92ce9
-		if (!slot) {
f92ce9
-		        errorCode = PR_GetError();
f92ce9
-      			slapd_SSL_warn("Security Initialization: Unable to find slot ("
f92ce9
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
f92ce9
-				       errorCode, slapd_pr_strerror(errorCode));
f92ce9
-      			freeChildren(family_list);
f92ce9
-      			freeConfigEntry( &entry );
f92ce9
-      			return -1;
f92ce9
-    		}
f92ce9
-    		/* authenticate */
f92ce9
-    		if(slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess)
f92ce9
-    		{
f92ce9
-		        errorCode = PR_GetError();
f92ce9
-      			slapd_SSL_warn("Security Initialization: Unable to authenticate ("
f92ce9
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
f92ce9
-				       errorCode, slapd_pr_strerror(errorCode));
f92ce9
-      			freeChildren(family_list);
f92ce9
-      			freeConfigEntry( &entry );
f92ce9
-      			return -1;
f92ce9
-    		}
f92ce9
-    	}
f92ce9
-	freeChildren( family_list );
f92ce9
+            slapi_ch_free((void **) &token);
f92ce9
+
f92ce9
+            if (!slot) {
f92ce9
+                errorCode = PR_GetError();
f92ce9
+                slapd_SSL_warn("Security Initialization: Unable to find slot ("
f92ce9
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
f92ce9
+                       errorCode, slapd_pr_strerror(errorCode));
f92ce9
+                freeChildren(family_list);
f92ce9
+                freeConfigEntry( &entry );
f92ce9
+                return -1;
f92ce9
+            }
f92ce9
+            /* authenticate */
f92ce9
+            if (slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
f92ce9
+                errorCode = PR_GetError();
f92ce9
+                slapd_SSL_warn("Security Initialization: Unable to authenticate ("
f92ce9
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
f92ce9
+                       errorCode, slapd_pr_strerror(errorCode));
f92ce9
+                freeChildren(family_list);
f92ce9
+                freeConfigEntry( &entry );
f92ce9
+                return -1;
f92ce9
+            }
f92ce9
+        }
f92ce9
+        freeChildren( family_list );
f92ce9
+        freeConfigEntry( &entry );
f92ce9
     }
f92ce9
-	freeConfigEntry( &entry );
f92ce9
 
f92ce9
     /* ugaston- Cipher preferences must be set before any sslSocket is created
f92ce9
      * for such sockets to take preferences into account.
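Review bot: The allowWeakCipher parser recognizes only `off`/`false`/`0`/`no`; any other value, including a typo such as `of` or `disable`, is silently treated as on, which is the permissive side for a security toggle that this patch introduces (no existing deployment can carry a value yet, so there is no compatibility cost to being strict). Recognize the affirmative spellings as well and log and fail closed for anything else; the rewrite below keeps the existing off spellings and their case handling (`0` stays a case-sensitive compare). The remainder of this hunk is re-indentation of the token/slot loop, and slapd_ssl_init continues outside it.
```c
    val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
    if (val) {
        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
            !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
            allowweakcipher = 0;
        } else if (PL_strcasecmp(val, "on") && PL_strcasecmp(val, "true") &&
                   PL_strcmp(val, "1") && PL_strcasecmp(val, "yes")) {
            /* unrecognized value for a security toggle: log it and fail closed */
            slapd_SSL_warn("Security Initialization: unrecognized allowWeakCipher "
                           "value \"%s\"; treating it as \"off\"", val);
            allowweakcipher = 0;
        }
    }
    /* … unchanged: free val, family/token/slot loop … */
```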
f92ce9
@@ -1126,13 +1184,13 @@ slapd_ssl_init()
f92ce9
          PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
f92ce9
     slapi_ch_free((void **) &ciphers);
f92ce9
 
f92ce9
-    if( NULL != (val = _conf_setciphers(cipher_string)) ) {
f92ce9
-         errorCode = PR_GetError();
f92ce9
-         slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
f92ce9
-			"preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
-			val, errorCode, slapd_pr_strerror(errorCode));
f92ce9
-         rv = 3;
f92ce9
-	slapi_ch_free((void **) &val;;
f92ce9
+    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
f92ce9
+        errorCode = PR_GetError();
f92ce9
+        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
f92ce9
+            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
f92ce9
+            val, errorCode, slapd_pr_strerror(errorCode));
f92ce9
+        rv = 3;
f92ce9
+        slapi_ch_free((void **) &val;;
f92ce9
     }
f92ce9
 
f92ce9
     freeConfigEntry( &entry );
f92ce9
-- 
1.9.3