Blame SOURCES/0006-Ticket-47895-If-no-effective-ciphers-are-available-d.patch

f92ce9
From dd2dc9218ec91589f03c89f4f38fe2927bf5e3ab Mon Sep 17 00:00:00 2001
f92ce9
From: Noriko Hosoi <nhosoi@redhat.com>
f92ce9
Date: Wed, 10 Sep 2014 18:56:43 -0700
f92ce9
Subject: [PATCH 6/7] Ticket #47895 - If no effective ciphers are available,
f92ce9
 disable security setting.
f92ce9
f92ce9
Description: If nsslapd-security is "on" and nsSSL3Ciphers is given
f92ce9
AND none of the ciphers are available or some syntax error is detected,
f92ce9
the server sets nsslapd-security "off" and starts up.
f92ce9
f92ce9
https://fedorahosted.org/389/ticket/47895
f92ce9
f92ce9
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
f92ce9
f92ce9
(cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)
f92ce9
(cherry picked from commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b)
f92ce9
---
f92ce9
 ldap/servers/slapd/main.c | 42 ++++++++++++++++++++++++++++++------------
f92ce9
 1 file changed, 30 insertions(+), 12 deletions(-)
f92ce9
f92ce9
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
f92ce9
index d577514..6bad2a0 100644
f92ce9
--- a/ldap/servers/slapd/main.c
f92ce9
+++ b/ldap/servers/slapd/main.c
f92ce9
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
f92ce9
 }
f92ce9
 #endif /* LDAP_DEBUG */
f92ce9
 
f92ce9
+static int
f92ce9
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
f92ce9
+{
f92ce9
+	char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
f92ce9
+	errorbuf[0] = '\0';
f92ce9
+
f92ce9
+    LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed.  Disabling %s.\n", what, what);
f92ce9
+    ports_info->s_socket = SLAPD_INVALID_SOCKET;
f92ce9
+    ports_info->s_port = 0;
f92ce9
+    *init_ssl = 0;
f92ce9
+    if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
f92ce9
+        LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n", 
f92ce9
+                       CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
f92ce9
+        return 1;
f92ce9
+    }
f92ce9
+	return 0;
f92ce9
+}
f92ce9
+
f92ce9
 /*
f92ce9
   This function does all NSS and SSL related initialization
f92ce9
   required during startup.  We use this function rather
f92ce9
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
f92ce9
 	 * modules can assume NSS is available
f92ce9
 	 */
f92ce9
 	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
f92ce9
-                        (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
f92ce9
-        LDAPDebug(LDAP_DEBUG_ANY,
f92ce9
-                  "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
f92ce9
-        return 1;
f92ce9
+	                    (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
f92ce9
+	    if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
f92ce9
+	        return 1;
f92ce9
+	    }
f92ce9
 	}
f92ce9
 
f92ce9
 	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
f92ce9
         client_auth_init();
f92ce9
 	}
f92ce9
 
f92ce9
-	if ( init_ssl && ( 0 != slapd_ssl_init())) {
f92ce9
-		LDAPDebug(LDAP_DEBUG_ANY,
f92ce9
-                  "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
f92ce9
-		return 1;
f92ce9
+	if (init_ssl && slapd_ssl_init()) {
f92ce9
+	    if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
f92ce9
+	        return 1;
f92ce9
+	    }
f92ce9
 	}
f92ce9
 
f92ce9
 	if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
f92ce9
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
f92ce9
 		if ( init_ssl ) {
f92ce9
 			PRFileDesc **sock;
f92ce9
 			for (sock = ports_info->s_socket; sock && *sock; sock++) {
f92ce9
-				if ( 0 != slapd_ssl_init2(sock, 0) ) {
f92ce9
-					LDAPDebug(LDAP_DEBUG_ANY,
f92ce9
-                              "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
f92ce9
-					return 1;
f92ce9
+				if ( slapd_ssl_init2(sock, 0) ) {
f92ce9
+				    if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
f92ce9
+				        return 1;
f92ce9
+				    }
f92ce9
 				}
f92ce9
 			}
f92ce9
 		}
f92ce9
-- 
f92ce9
1.9.3
f92ce9