|
 |
f92ce9 |
From 2c550346512bc3dec27c9329f4902663759e4b65 Mon Sep 17 00:00:00 2001
|
|
|
f92ce9 |
From: Noriko Hosoi <nhosoi@redhat.com>
|
|
|
f92ce9 |
Date: Thu, 11 Sep 2014 11:46:51 -0700
|
|
|
f92ce9 |
Subject: [PATCH 4/7] Ticket #47838 - harden the list of ciphers available by
|
|
|
f92ce9 |
default
|
|
|
f92ce9 |
|
|
|
f92ce9 |
Description:
|
|
|
f92ce9 |
1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
|
|
|
f92ce9 |
allowWeakCipher: [on | off]
|
|
|
f92ce9 |
on -- allows weak ciphers.
|
|
|
f92ce9 |
Default setting for user specified ciphers.
|
|
|
f92ce9 |
off -- rejects weak ciphers.
|
|
|
f92ce9 |
Default setting for +all and default.
|
|
|
f92ce9 |
|
|
|
f92ce9 |
2. allowWeakCipher is applied only to the user specified cipher suites
|
|
|
f92ce9 |
such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
|
|
|
f92ce9 |
If allowWeakCipher is enabled and the user specified cipher is weak,
|
|
|
f92ce9 |
SSL alert is logged in the error log:
|
|
|
f92ce9 |
SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
|
|
|
f92ce9 |
allowWeakCipher is "on" (default setting for the backward compatibility).
|
|
|
f92ce9 |
We strongly recommend to set it to "off". Please replace the value of
|
|
|
f92ce9 |
allowWeakCipher with "off" in the encryption config entry cn=encryption,
|
|
|
f92ce9 |
cn=config and restart the server.
|
|
|
f92ce9 |
|
|
|
f92ce9 |
3. If specified cipher suite is not supported, ignore the cipher suite
|
|
|
f92ce9 |
and continue setting ciphers.
|
|
|
f92ce9 |
|
|
|
f92ce9 |
https://fedorahosted.org/389/ticket/47838
|
|
|
f92ce9 |
|
|
|
f92ce9 |
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
|
|
|
f92ce9 |
|
|
|
f92ce9 |
(cherry picked from commit 5f3c87e1380e56d76d4a4bef3af07633a8589891)
|
|
|
f92ce9 |
(cherry picked from commit 58cb12a7b8cf938c5a4b920c4a1ad1da02fecdb8)
|
|
|
f92ce9 |
---
|
|
|
f92ce9 |
ldap/schema/01core389.ldif | 3 +-
|
|
|
f92ce9 |
ldap/servers/slapd/ssl.c | 262 +++++++++++++++++++++++++++------------------
|
|
|
f92ce9 |
2 files changed, 162 insertions(+), 103 deletions(-)
|
|
|
f92ce9 |
|
|
|
f92ce9 |
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
|
|
|
f92ce9 |
index 1b8a70b..c7aec70 100644
|
|
|
f92ce9 |
--- a/ldap/schema/01core389.ldif
|
|
|
f92ce9 |
+++ b/ldap/schema/01core389.ldif
|
|
|
f92ce9 |
@@ -128,6 +128,7 @@ attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Net
|
|
|
f92ce9 |
attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
+attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
@@ -316,7 +317,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
|
|
|
f92ce9 |
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
|
|
|
f92ce9 |
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
|
|
|
f92ce9 |
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
|
|
|
f92ce9 |
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
|
|
|
f92ce9 |
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
|
|
|
f92ce9 |
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
|
|
|
f92ce9 |
index 1a21df0..03b5904 100644
|
|
|
f92ce9 |
--- a/ldap/servers/slapd/ssl.c
|
|
|
f92ce9 |
+++ b/ldap/servers/slapd/ssl.c
|
|
|
f92ce9 |
@@ -119,7 +119,21 @@ static char * configDN = "cn=encryption,cn=config";
|
|
|
f92ce9 |
#define FILE_PATHSEP '/'
|
|
|
f92ce9 |
|
|
|
f92ce9 |
/* ----------------------- Multiple cipher support ------------------------ */
|
|
|
f92ce9 |
-
|
|
|
f92ce9 |
+/* cipher set flags */
|
|
|
f92ce9 |
+#define CIPHER_SET_ALL 0x1
|
|
|
f92ce9 |
+#define CIPHER_SET_NONE 0x0
|
|
|
f92ce9 |
+#define CIPHER_SET_DEFAULT 0x2
|
|
|
f92ce9 |
+#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
|
|
|
f92ce9 |
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
|
|
|
f92ce9 |
+
|
|
|
f92ce9 |
+#define CIPHER_SET_ISDEFAULT(flag) \
|
|
|
f92ce9 |
+ ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
|
|
|
f92ce9 |
+#define CIPHER_SET_ISALL(flag) \
|
|
|
f92ce9 |
+ ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
|
|
|
f92ce9 |
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
|
|
|
f92ce9 |
+ (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
|
|
|
f92ce9 |
+#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
|
|
|
f92ce9 |
+ ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
|
|
|
f92ce9 |
|
|
|
f92ce9 |
/* flags */
|
|
|
f92ce9 |
#define CIPHER_IS_DEFAULT 0x1
|
|
|
f92ce9 |
@@ -158,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
|
|
|
f92ce9 |
{"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
|
|
|
f92ce9 |
{"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
|
|
|
f92ce9 |
{"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
|
|
|
f92ce9 |
- {"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"},
|
|
|
f92ce9 |
+ {"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"},
|
|
|
f92ce9 |
{"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
|
|
|
f92ce9 |
{"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
|
|
|
f92ce9 |
{"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
|
|
|
f92ce9 |
@@ -339,21 +353,20 @@ _conf_init_ciphers()
|
|
|
f92ce9 |
return;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
|
|
|
f92ce9 |
-#define CIPHER_SET_ALL 1
|
|
|
f92ce9 |
-#define CIPHER_SET_NONE 0
|
|
|
f92ce9 |
-#define CIPHER_SET_DEFAULT 2
|
|
|
f92ce9 |
/*
|
|
|
f92ce9 |
- * flag: 1 -- enable all
|
|
|
f92ce9 |
- * 0 -- disable all
|
|
|
f92ce9 |
- * 2 -- set default ciphers
|
|
|
f92ce9 |
+ * flag: CIPHER_SET_ALL -- enable all
|
|
|
f92ce9 |
+ * CIPHER_SET_NONE -- disable all
|
|
|
f92ce9 |
+ * CIPHER_SET_DEFAULT -- set default ciphers
|
|
|
f92ce9 |
+ * CIPHER_SET_ALLOW_WEAKCIPHER -- allow weak ciphers (can be or'ed with the ather CIPHER_SET flags)
|
|
|
f92ce9 |
*/
|
|
|
f92ce9 |
static void
|
|
|
f92ce9 |
_conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
|
|
|
f92ce9 |
{
|
|
|
f92ce9 |
int x;
|
|
|
f92ce9 |
SECStatus rc;
|
|
|
f92ce9 |
- PRBool setdefault = (flag == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE;
|
|
|
f92ce9 |
- PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
|
|
|
f92ce9 |
+ PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);
|
|
|
f92ce9 |
+ PRBool enabled = CIPHER_SET_ISALL(flag);
|
|
|
f92ce9 |
+ PRBool allowweakcipher = CIPHER_SET_ALLOWSWEAKCIPHER(flag);
|
|
|
f92ce9 |
PRBool setme = PR_FALSE;
|
|
|
f92ce9 |
const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
|
|
|
f92ce9 |
|
|
|
f92ce9 |
@@ -361,8 +374,9 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
|
|
|
f92ce9 |
|
|
|
f92ce9 |
for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
|
|
|
f92ce9 |
if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
|
|
|
f92ce9 |
+ /* certainly, not the first time. */
|
|
|
f92ce9 |
setme = PR_TRUE;
|
|
|
f92ce9 |
- } else {
|
|
|
f92ce9 |
+ } else if (setdefault) {
|
|
|
f92ce9 |
/*
|
|
|
f92ce9 |
* SSL_CipherPrefGetDefault
|
|
|
f92ce9 |
* If the application has not previously set the default preference,
|
|
|
f92ce9 |
@@ -375,15 +389,16 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
|
|
|
f92ce9 |
_conf_ciphers[x].name);
|
|
|
f92ce9 |
continue;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
- if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
|
|
|
f92ce9 |
+ if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
|
|
|
f92ce9 |
setme = PR_FALSE;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
_conf_ciphers[x].flags |= setme?CIPHER_IS_DEFAULT:0;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
- if (setdefault) {
|
|
|
f92ce9 |
- /* Use the NSS default settings */
|
|
|
f92ce9 |
} else if (enabled && !(_conf_ciphers[x].flags & CIPHER_MUST_BE_DISABLED)) {
|
|
|
f92ce9 |
- setme = PR_TRUE;
|
|
|
f92ce9 |
+ if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
|
|
|
f92ce9 |
+ setme = PR_FALSE;
|
|
|
f92ce9 |
+ } else {
|
|
|
f92ce9 |
+ setme = PR_TRUE;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
} else {
|
|
|
f92ce9 |
setme = PR_FALSE;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
@@ -433,7 +448,7 @@ _conf_dumpciphers()
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
|
|
|
f92ce9 |
char *
|
|
|
f92ce9 |
-_conf_setciphers(char *ciphers)
|
|
|
f92ce9 |
+_conf_setciphers(char *ciphers, int flags)
|
|
|
f92ce9 |
{
|
|
|
f92ce9 |
char *t, err[MAGNUS_ERROR_LEN];
|
|
|
f92ce9 |
int x, i, active;
|
|
|
f92ce9 |
@@ -445,7 +460,7 @@ _conf_setciphers(char *ciphers)
|
|
|
f92ce9 |
/* #47838: harden the list of ciphers available by default */
|
|
|
f92ce9 |
/* Default is to activate all of them ==> none of them*/
|
|
|
f92ce9 |
if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
|
|
|
f92ce9 |
- _conf_setallciphers(CIPHER_SET_DEFAULT, NULL, NULL);
|
|
|
f92ce9 |
+ _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
|
|
|
f92ce9 |
slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
|
|
|
f92ce9 |
_conf_dumpciphers();
|
|
|
f92ce9 |
return NULL;
|
|
|
f92ce9 |
@@ -458,11 +473,11 @@ _conf_setciphers(char *ciphers)
|
|
|
f92ce9 |
* set of ciphers in the table. Right now there is no support for this
|
|
|
f92ce9 |
* from the console
|
|
|
f92ce9 |
*/
|
|
|
f92ce9 |
- _conf_setallciphers(CIPHER_SET_ALL, &suplist, NULL);
|
|
|
f92ce9 |
+ _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
|
|
|
f92ce9 |
} else {
|
|
|
f92ce9 |
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
|
|
|
f92ce9 |
* then enable specified ciphers. */
|
|
|
f92ce9 |
- _conf_setallciphers(0 /* disabled */, NULL, NULL);
|
|
|
f92ce9 |
+ _conf_setallciphers(CIPHER_SET_NONE /* disabled */, NULL, NULL);
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
|
|
|
f92ce9 |
t = ciphers;
|
|
|
f92ce9 |
@@ -482,12 +497,28 @@ _conf_setciphers(char *ciphers)
|
|
|
f92ce9 |
if( (t = strchr(ciphers, ',')) )
|
|
|
f92ce9 |
*t++ = '\0';
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- if(strcasecmp(ciphers, "all")) { /* if not all */
|
|
|
f92ce9 |
+ if (strcasecmp(ciphers, "all")) { /* if not all */
|
|
|
f92ce9 |
PRBool enabled = active ? PR_TRUE : PR_FALSE;
|
|
|
f92ce9 |
lookup = 1;
|
|
|
f92ce9 |
- for(x = 0; _conf_ciphers[x].name; x++) {
|
|
|
f92ce9 |
- if(!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
|
|
|
f92ce9 |
+ for (x = 0; _conf_ciphers[x].name; x++) {
|
|
|
f92ce9 |
+ if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
|
|
|
f92ce9 |
+ if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
|
|
|
f92ce9 |
+ if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
|
|
|
f92ce9 |
+ slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
|
|
|
f92ce9 |
+ "(default setting for the backward compatibility). "
|
|
|
f92ce9 |
+ "We strongly recommend to set it to \"off\". "
|
|
|
f92ce9 |
+ "Please replace the value of allowWeakCipher with \"off\" in "
|
|
|
f92ce9 |
+ "the encryption config entry cn=encryption,cn=config and "
|
|
|
f92ce9 |
+ "restart the server.", ciphers);
|
|
|
f92ce9 |
+ } else {
|
|
|
f92ce9 |
+ /* if the cipher is weak and we don't allow weak cipher,
|
|
|
f92ce9 |
+ disable it. */
|
|
|
f92ce9 |
+ enabled = PR_FALSE;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
if (enabled) {
|
|
|
f92ce9 |
+ /* if the cipher is not weak or we allow weak cipher,
|
|
|
f92ce9 |
+ check fips. */
|
|
|
f92ce9 |
enabled = cipher_check_fips(x, NULL, &unsuplist);
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
|
|
|
f92ce9 |
@@ -499,14 +530,33 @@ _conf_setciphers(char *ciphers)
|
|
|
f92ce9 |
for (i = 0; _lookup_cipher[i].alias; i++) {
|
|
|
f92ce9 |
if (!PL_strcasecmp(ciphers, _lookup_cipher[i].alias)) {
|
|
|
f92ce9 |
if (!_lookup_cipher[i].name[0]) {
|
|
|
f92ce9 |
- slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d",
|
|
|
f92ce9 |
- ciphers, NSS_VMAJOR, NSS_VMINOR);
|
|
|
f92ce9 |
- break;
|
|
|
f92ce9 |
+ slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
|
|
|
f92ce9 |
+ ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
|
|
|
f92ce9 |
+ continue;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
for (x = 0; _conf_ciphers[x].name; x++) {
|
|
|
f92ce9 |
if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
|
|
|
f92ce9 |
if (enabled) {
|
|
|
f92ce9 |
- enabled = cipher_check_fips(x, NULL, &unsuplist);
|
|
|
f92ce9 |
+ if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
|
|
|
f92ce9 |
+ if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
|
|
|
f92ce9 |
+ slapd_SSL_warn("Cipher %s is weak. "
|
|
|
f92ce9 |
+ "It is enabled since allowWeakCipher is \"on\" "
|
|
|
f92ce9 |
+ "(default setting for the backward compatibility). "
|
|
|
f92ce9 |
+ "We strongly recommend to set it to \"off\". "
|
|
|
f92ce9 |
+ "Please replace the value of allowWeakCipher with \"off\" in "
|
|
|
f92ce9 |
+ "the encryption config entry cn=encryption,cn=config and "
|
|
|
f92ce9 |
+ "restart the server.", ciphers);
|
|
|
f92ce9 |
+ } else {
|
|
|
f92ce9 |
+ /* if the cipher is weak and we don't allow weak cipher,
|
|
|
f92ce9 |
+ disable it. */
|
|
|
f92ce9 |
+ enabled = PR_FALSE;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ if (enabled) {
|
|
|
f92ce9 |
+ /* if the cipher is not weak or we allow weak cipher,
|
|
|
f92ce9 |
+ check fips. */
|
|
|
f92ce9 |
+ enabled = cipher_check_fips(x, NULL, &unsuplist);
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
|
|
|
f92ce9 |
break;
|
|
|
f92ce9 |
@@ -1008,6 +1058,7 @@ slapd_ssl_init()
|
|
|
f92ce9 |
int rv = 0;
|
|
|
f92ce9 |
PK11SlotInfo *slot;
|
|
|
f92ce9 |
Slapi_Entry *entry = NULL;
|
|
|
f92ce9 |
+ int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
|
|
|
f92ce9 |
|
|
|
f92ce9 |
/* Get general information */
|
|
|
f92ce9 |
|
|
|
f92ce9 |
@@ -1017,21 +1068,21 @@ slapd_ssl_init()
|
|
|
f92ce9 |
ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
|
|
|
f92ce9 |
|
|
|
f92ce9 |
/* We are currently using the value of sslSessionTimeout
|
|
|
f92ce9 |
- for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
|
|
|
f92ce9 |
+ for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
|
|
|
f92ce9 |
/* Note from Tom Weinstein on the meaning of the timeout:
|
|
|
f92ce9 |
|
|
|
f92ce9 |
Timeouts are in seconds. '0' means use the default, which is
|
|
|
f92ce9 |
- 24hrs for SSL3 and 100 seconds for SSL2.
|
|
|
f92ce9 |
+ 24hrs for SSL3 and 100 seconds for SSL2.
|
|
|
f92ce9 |
*/
|
|
|
f92ce9 |
|
|
|
f92ce9 |
if(!val) {
|
|
|
f92ce9 |
errorCode = PR_GetError();
|
|
|
f92ce9 |
slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
|
|
|
f92ce9 |
"configuration information ("
|
|
|
f92ce9 |
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
|
|
|
f92ce9 |
- "nssslSessionTimeout: %s ",
|
|
|
f92ce9 |
- errorCode, slapd_pr_strerror(errorCode),
|
|
|
f92ce9 |
- (val ? "found" : "not found"));
|
|
|
f92ce9 |
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
|
|
|
f92ce9 |
+ "nssslSessionTimeout: %s ",
|
|
|
f92ce9 |
+ errorCode, slapd_pr_strerror(errorCode),
|
|
|
f92ce9 |
+ (val ? "found" : "not found"));
|
|
|
f92ce9 |
slapi_ch_free((void **) &val;;
|
|
|
f92ce9 |
slapi_ch_free((void **) &ciphers);
|
|
|
f92ce9 |
freeConfigEntry( &entry );
|
|
|
f92ce9 |
@@ -1042,79 +1093,86 @@ slapd_ssl_init()
|
|
|
f92ce9 |
slapi_ch_free((void **) &val;;
|
|
|
f92ce9 |
|
|
|
f92ce9 |
if (svrcore_setup()) {
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
- return -1;
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
+ return -1;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- if((family_list = getChildren(configDN))) {
|
|
|
f92ce9 |
- char **family;
|
|
|
f92ce9 |
- char *token;
|
|
|
f92ce9 |
- char *activation;
|
|
|
f92ce9 |
+ val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
|
|
|
f92ce9 |
+ if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
|
|
|
f92ce9 |
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
|
|
|
f92ce9 |
+ allowweakcipher = 0;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ slapi_ch_free((void **) &val;;
|
|
|
f92ce9 |
+
|
|
|
f92ce9 |
+ if ((family_list = getChildren(configDN))) {
|
|
|
f92ce9 |
+ char **family;
|
|
|
f92ce9 |
+ char *token;
|
|
|
f92ce9 |
+ char *activation;
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- for (family = family_list; *family; family++) {
|
|
|
f92ce9 |
+ for (family = family_list; *family; family++) {
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- token = NULL;
|
|
|
f92ce9 |
- activation = NULL;
|
|
|
f92ce9 |
+ token = NULL;
|
|
|
f92ce9 |
+ activation = NULL;
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- getConfigEntry( *family, &entry );
|
|
|
f92ce9 |
- if ( entry == NULL ) {
|
|
|
f92ce9 |
- continue;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
+ getConfigEntry( *family, &entry );
|
|
|
f92ce9 |
+ if ( entry == NULL ) {
|
|
|
f92ce9 |
+ continue;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
|
|
|
f92ce9 |
- if((!activation) || (!PL_strcasecmp(activation, "off"))) {
|
|
|
f92ce9 |
- /* this family was turned off, goto next */
|
|
|
f92ce9 |
- slapi_ch_free((void **) &activation);
|
|
|
f92ce9 |
- continue;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
+ activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
|
|
|
f92ce9 |
+ if((!activation) || (!PL_strcasecmp(activation, "off"))) {
|
|
|
f92ce9 |
+ /* this family was turned off, goto next */
|
|
|
f92ce9 |
+ slapi_ch_free((void **) &activation);
|
|
|
f92ce9 |
+ continue;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- slapi_ch_free((void **) &activation);
|
|
|
f92ce9 |
-
|
|
|
f92ce9 |
- token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
|
|
|
f92ce9 |
- if( token ) {
|
|
|
f92ce9 |
- if( !PL_strcasecmp(token, "internal") ||
|
|
|
f92ce9 |
- !PL_strcasecmp(token, "internal (software)"))
|
|
|
f92ce9 |
- slot = slapd_pk11_getInternalKeySlot();
|
|
|
f92ce9 |
- else
|
|
|
f92ce9 |
- slot = slapd_pk11_findSlotByName(token);
|
|
|
f92ce9 |
- } else {
|
|
|
f92ce9 |
- errorCode = PR_GetError();
|
|
|
f92ce9 |
- slapd_SSL_warn("Security Initialization: Unable to get token ("
|
|
|
f92ce9 |
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
- errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
- freeChildren(family_list);
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
- return -1;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
+ slapi_ch_free((void **) &activation);
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- slapi_ch_free((void **) &token);
|
|
|
f92ce9 |
+ token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
|
|
|
f92ce9 |
+ if ( token ) {
|
|
|
f92ce9 |
+ if (!PL_strcasecmp(token, "internal") ||
|
|
|
f92ce9 |
+ !PL_strcasecmp(token, "internal (software)")) {
|
|
|
f92ce9 |
+ slot = slapd_pk11_getInternalKeySlot();
|
|
|
f92ce9 |
+ } else {
|
|
|
f92ce9 |
+ slot = slapd_pk11_findSlotByName(token);
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ } else {
|
|
|
f92ce9 |
+ errorCode = PR_GetError();
|
|
|
f92ce9 |
+ slapd_SSL_warn("Security Initialization: Unable to get token ("
|
|
|
f92ce9 |
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
+ errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
+ freeChildren(family_list);
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
+ return -1;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- if (!slot) {
|
|
|
f92ce9 |
- errorCode = PR_GetError();
|
|
|
f92ce9 |
- slapd_SSL_warn("Security Initialization: Unable to find slot ("
|
|
|
f92ce9 |
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
- errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
- freeChildren(family_list);
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
- return -1;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
- /* authenticate */
|
|
|
f92ce9 |
- if(slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess)
|
|
|
f92ce9 |
- {
|
|
|
f92ce9 |
- errorCode = PR_GetError();
|
|
|
f92ce9 |
- slapd_SSL_warn("Security Initialization: Unable to authenticate ("
|
|
|
f92ce9 |
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
- errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
- freeChildren(family_list);
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
- return -1;
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
- }
|
|
|
f92ce9 |
- freeChildren( family_list );
|
|
|
f92ce9 |
+ slapi_ch_free((void **) &token);
|
|
|
f92ce9 |
+
|
|
|
f92ce9 |
+ if (!slot) {
|
|
|
f92ce9 |
+ errorCode = PR_GetError();
|
|
|
f92ce9 |
+ slapd_SSL_warn("Security Initialization: Unable to find slot ("
|
|
|
f92ce9 |
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
+ errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
+ freeChildren(family_list);
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
+ return -1;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ /* authenticate */
|
|
|
f92ce9 |
+ if (slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
|
|
|
f92ce9 |
+ errorCode = PR_GetError();
|
|
|
f92ce9 |
+ slapd_SSL_warn("Security Initialization: Unable to authenticate ("
|
|
|
f92ce9 |
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
+ errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
+ freeChildren(family_list);
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
+ return -1;
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ }
|
|
|
f92ce9 |
+ freeChildren( family_list );
|
|
|
f92ce9 |
+ freeConfigEntry( &entry );
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
- freeConfigEntry( &entry );
|
|
|
f92ce9 |
|
|
|
f92ce9 |
/* ugaston- Cipher preferences must be set before any sslSocket is created
|
|
|
f92ce9 |
* for such sockets to take preferences into account.
|
|
|
f92ce9 |
@@ -1126,13 +1184,13 @@ slapd_ssl_init()
|
|
|
f92ce9 |
PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
|
|
|
f92ce9 |
slapi_ch_free((void **) &ciphers);
|
|
|
f92ce9 |
|
|
|
f92ce9 |
- if( NULL != (val = _conf_setciphers(cipher_string)) ) {
|
|
|
f92ce9 |
- errorCode = PR_GetError();
|
|
|
f92ce9 |
- slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
|
|
|
f92ce9 |
- "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
- val, errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
- rv = 3;
|
|
|
f92ce9 |
- slapi_ch_free((void **) &val;;
|
|
|
f92ce9 |
+ if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
|
|
|
f92ce9 |
+ errorCode = PR_GetError();
|
|
|
f92ce9 |
+ slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
|
|
|
f92ce9 |
+ "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
f92ce9 |
+ val, errorCode, slapd_pr_strerror(errorCode));
|
|
|
f92ce9 |
+ rv = 3;
|
|
|
f92ce9 |
+ slapi_ch_free((void **) &val;;
|
|
|
f92ce9 |
}
|
|
|
f92ce9 |
|
|
|
f92ce9 |
freeConfigEntry( &entry );
|
|
|
f92ce9 |
--
|
|
|
f92ce9 |
1.9.3
|
|
|
f92ce9 |
|