Tree - rpms/389-ds-base - CentOS Git server

rpms / 389-ds-base

Blame SOURCES/0027-Ticket-47945-Add-SSL-TLS-version-info-to-the-access-.patch

Blob History Raw

		f92ce9	`From e7c71a8c3a361fa7cbf96a0c57723c74d044922a Mon Sep 17 00:00:00 2001`
		f92ce9	`From: Noriko Hosoi <nhosoi@redhat.com>`
		f92ce9	`Date: Mon, 10 Nov 2014 13:51:34 -0800`
		f92ce9	`Subject: [PATCH 27/28] Ticket #47945 - Add SSL/TLS version info to the access`
		f92ce9	`log`
		f92ce9
		f92ce9	`Description: Added the currently used SSL library version info per`
		f92ce9	`connection to the access log.`
		f92ce9	`Sample output:`
		f92ce9	`SSL`
		f92ce9	`[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1`
		f92ce9	`[..] conn=3 TLS1.2 128-bit AES-GCM`
		f92ce9
		f92ce9	`startTLS`
		f92ce9	`[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"`
		f92ce9	`[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0`
		f92ce9	`[..] conn=4 TLS1.2 128-bit AES-GCM`
		f92ce9
		f92ce9	`To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_`
		f92ce9	`TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this`
		f92ce9	`patch calculates the number and generates the version string.`
		f92ce9
		f92ce9	`https://fedorahosted.org/389/ticket/47945`
		f92ce9
		f92ce9	`Reviewed and adviced by rmeggins@redhat.com (Thanks a lot, Rich!!)`
		f92ce9
		f92ce9	`(cherry picked from commit a2e0de3aa90f04593427628afeb7fe090dac93fb)`
		f92ce9	`(cherry picked from commit 0d1087d0c4dc9b6af3a01776ae11e0977c447fb7)`
		f92ce9	`---`
		f92ce9	`ldap/servers/slapd/auth.c \| 85 +++++++++-------`
		f92ce9	`ldap/servers/slapd/slapi-private.h \| 19 ++++`
		f92ce9	`ldap/servers/slapd/ssl.c \| 194 ++++++++++++++++++++-----------------`
		f92ce9	`3 files changed, 174 insertions(+), 124 deletions(-)`
		f92ce9
		f92ce9	`diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c`
		f92ce9	`index 5b7dc31..0219576 100644`
		f92ce9	`--- a/ldap/servers/slapd/auth.c`
		f92ce9	`+++ b/ldap/servers/slapd/auth.c`
		f92ce9	`@@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc prfd, void clientData)`
		f92ce9	`int keySize = 0;`
		f92ce9	`char* cipher = NULL;`
		f92ce9	`char* extraErrorMsg = "";`
		f92ce9	`- SSLChannelInfo channelInfo;`
		f92ce9	`- SSLCipherSuiteInfo cipherInfo;`
		f92ce9	`- char* subject = NULL;`
		f92ce9	`+ SSLChannelInfo channelInfo;`
		f92ce9	`+ SSLCipherSuiteInfo cipherInfo;`
		f92ce9	`+ char* subject = NULL;`
		f92ce9	`+ char sslversion[64];`
		f92ce9
		f92ce9	`if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {`
		f92ce9	`PRErrorCode errorCode = PR_GetError();`
		f92ce9	`@@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc prfd, void clientData)`
		f92ce9	`* to be enough, close the SSL connection. */`
		f92ce9	`if ( conn->c_flags & CONN_FLAG_START_TLS ) {`
		f92ce9	`if ( cipherInfo.symKeyBits == 0 ) {`
		f92ce9	`- start_tls_graceful_closure( conn, NULL, 1 );`
		f92ce9	`- goto done;`
		f92ce9	`- }`
		f92ce9	`+ start_tls_graceful_closure( conn, NULL, 1 );`
		f92ce9	`+ goto done;`
		f92ce9	`+ }`
		f92ce9	`}`
		f92ce9
		f92ce9	`if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {`
		f92ce9	`- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );`
		f92ce9	`- goto done;`
		f92ce9	`- }`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));`
		f92ce9	`+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, keySize, cipher ? cipher : "NULL" );`
		f92ce9	`+ goto done;`
		f92ce9	`+ }`
		f92ce9	`if (clientCert == NULL) {`
		f92ce9	`- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));`
		f92ce9	`+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, keySize, cipher ? cipher : "NULL" );`
		f92ce9	`} else {`
		f92ce9	`- subject = subject_of (clientCert);`
		f92ce9	`- if (!subject) {`
		f92ce9	`- slapi_log_access( LDAP_DEBUG_STATS,`
		f92ce9	`- "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL");`
		f92ce9	`- goto done;`
		f92ce9	`- }`
		f92ce9	`- {`
		f92ce9	`- char* issuer = issuer_of (clientCert);`
		f92ce9	`- char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];`
		f92ce9	`- slapi_log_access( LDAP_DEBUG_STATS,`
		f92ce9	`- "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL",`
		f92ce9	`- subject ? escape_string( subject, sbuf ) : "NULL",`
		f92ce9	`- issuer ? escape_string( issuer, ibuf ) : "NULL");`
		f92ce9	`- if (issuer) free (issuer);`
		f92ce9	`- }`
		f92ce9	`- slapi_dn_normalize (subject);`
		f92ce9	`+ subject = subject_of (clientCert);`
		f92ce9	`+ if (!subject) {`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,`
		f92ce9	`+ sslversion, sizeof(sslversion));`
		f92ce9	`+ slapi_log_access( LDAP_DEBUG_STATS,`
		f92ce9	`+ "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, keySize, cipher ? cipher : "NULL");`
		f92ce9	`+ goto done;`
		f92ce9	`+ }`
		f92ce9	`+ {`
		f92ce9	`+ char* issuer = issuer_of (clientCert);`
		f92ce9	`+ char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,`
		f92ce9	`+ sslversion, sizeof(sslversion));`
		f92ce9	`+ slapi_log_access( LDAP_DEBUG_STATS,`
		f92ce9	`+ "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, keySize, cipher ? cipher : "NULL",`
		f92ce9	`+ subject ? escape_string( subject, sbuf ) : "NULL",`
		f92ce9	`+ issuer ? escape_string( issuer, ibuf ) : "NULL");`
		f92ce9	`+ if (issuer) free (issuer);`
		f92ce9	`+ }`
		f92ce9	`+ slapi_dn_normalize (subject);`
		f92ce9	`{`
		f92ce9	`LDAPMessage* chain = NULL;`
		f92ce9	`char *basedn = config_get_basedn();`
		f92ce9	`@@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc prfd, void clientData)`
		f92ce9	`sdn = slapi_sdn_new_dn_passin(clientDN);`
		f92ce9	`clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));`
		f92ce9	`slapi_sdn_free(&sdn;;`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,`
		f92ce9	`+ sslversion, sizeof(sslversion));`
		f92ce9	`slapi_log_access (LDAP_DEBUG_STATS,`
		f92ce9	`- "conn=%" NSPRIu64 " SSL client bound as %s\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, clientDN);`
		f92ce9	`+ "conn=%" NSPRIu64 " %s client bound as %s\n",`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, clientDN);`
		f92ce9	`} else if (clientCert != NULL) {`
		f92ce9	`+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,`
		f92ce9	`+ sslversion, sizeof(sslversion));`
		f92ce9	`slapi_log_access (LDAP_DEBUG_STATS,`
		f92ce9	`- "conn=%" NSPRIu64 " SSL failed to map client "`
		f92ce9	`+ "conn=%" NSPRIu64 " %s failed to map client "`
		f92ce9	`"certificate to LDAP DN (%s)\n",`
		f92ce9	`- (long long unsigned int)conn->c_connid, extraErrorMsg );`
		f92ce9	`+ (long long unsigned int)conn->c_connid,`
		f92ce9	`+ sslversion, extraErrorMsg);`
		f92ce9	`}`
		f92ce9
		f92ce9	`/*`
		f92ce9	`diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h`
		f92ce9	`index a8d7738..921c397 100644`
		f92ce9	`--- a/ldap/servers/slapd/slapi-private.h`
		f92ce9	`+++ b/ldap/servers/slapd/slapi-private.h`
		f92ce9	`@@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock pb, Slapi_Entry e);`
		f92ce9	`/* ldaputil.c */`
		f92ce9	`char *ldaputil_get_saslpath();`
		f92ce9
		f92ce9	`+/* ssl.c */`
		f92ce9	`+/*`
		f92ce9	`+ * If non NULL buf and positive bufsize is given,`
		f92ce9	`+ * the memory is used to store the version string.`
		f92ce9	`+ * Otherwise, the memory for the string is allocated.`
		f92ce9	`+ * The latter case, caller is responsible to free it.`
		f92ce9	`+ */`
		f92ce9	`+/* vnum is supposed to be in one of the following:`
		f92ce9	`+ * nss3/sslproto.h`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_2 0x0002`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_3_0 0x0300`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303`
		f92ce9	`+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304`
		f92ce9	`+ * ...`
		f92ce9	`+ */`
		f92ce9	`+char slapi_getSSLVersion_str(PRUint16 vnum, char buf, size_t bufsize);`
		f92ce9	`+`
		f92ce9	`#ifdef __cplusplus`
		f92ce9	`}`
		f92ce9	`#endif`
		f92ce9	`diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c`
		f92ce9	`index f81d1fb..5d6919a 100644`
		f92ce9	`--- a/ldap/servers/slapd/ssl.c`
		f92ce9	`+++ b/ldap/servers/slapd/ssl.c`
		f92ce9	`@@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[];`
		f92ce9	`#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */`
		f92ce9	`static SSLVersionRange enabledNSSVersions;`
		f92ce9	`static SSLVersionRange slapdNSSVersions;`
		f92ce9	`-static char *getNSSVersion_str(PRUint16 vnum);`
		f92ce9	`#endif`
		f92ce9
		f92ce9	`/* dongle_file_name is set in slapd_nss_init when we set the path for the`
		f92ce9	`@@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = {`
		f92ce9	`{NULL, NULL}`
		f92ce9	`};`
		f92ce9
		f92ce9	`+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */`
		f92ce9	`+#define VERSION_STR_LENGTH 64`
		f92ce9	`+`
		f92ce9	`/* Supported SSL versions */`
		f92ce9	`/* nsSSL2: on -- we don't allow this any more. */`
		f92ce9	`PRBool enableSSL2 = PR_FALSE;`
		f92ce9	`@@ -418,8 +420,8 @@ getSSLVersionRange(char min, char max)`
		f92ce9	`#if defined(NSS_TLS10)`
		f92ce9	`return -1; /* not supported */`
		f92ce9	`#else /* NSS_TLS11 or newer */`
		f92ce9	`- *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));`
		f92ce9	`- *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);`
		f92ce9	`+ *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);`
		f92ce9	`return 0;`
		f92ce9	`#endif`
		f92ce9	`}`
		f92ce9	`@@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log)`
		f92ce9	`}`
		f92ce9
		f92ce9	`#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */`
		f92ce9	`-typedef struct _nss_version_list {`
		f92ce9	`- PRUint16 vnum;`
		f92ce9	`- char* vname;`
		f92ce9	`-} NSSVersion_list;`
		f92ce9	`-NSSVersion_list _NSSVersion_list[] =`
		f92ce9	`-{`
		f92ce9	`- {SSL_LIBRARY_VERSION_2, "SSL2"},`
		f92ce9	`- {SSL_LIBRARY_VERSION_3_0, "SSL3"},`
		f92ce9	`- {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},`
		f92ce9	`- {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},`
		f92ce9	`-#if defined(NSS_TLS12)`
		f92ce9	`- {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},`
		f92ce9	`-#endif`
		f92ce9	`- {0, "unknown"}`
		f92ce9	`-};`
		f92ce9	`-`
		f92ce9	`-static char *`
		f92ce9	`-getNSSVersion_str(PRUint16 vnum)`
		f92ce9	`+/*`
		f92ce9	`+ * If non NULL buf and positive bufsize is given,`
		f92ce9	`+ * the memory is used to store the version string.`
		f92ce9	`+ * Otherwise, the memory for the string is allocated.`
		f92ce9	`+ * The latter case, caller is responsible to free it.`
		f92ce9	`+ */`
		f92ce9	`+char *`
		f92ce9	`+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)`
		f92ce9	`{`
		f92ce9	`- NSSVersion_list *nvlp = NULL;`
		f92ce9	`- char *vstr = "none";`
		f92ce9	`- if (vnum) {`
		f92ce9	`- for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) {`
		f92ce9	`- if (nvlp->vnum == vnum) {`
		f92ce9	`- vstr = nvlp->vname;`
		f92ce9	`- break;`
		f92ce9	`+ char *vstr = buf;`
		f92ce9	`+ if (vnum >= SSL_LIBRARY_VERSION_3_0) {`
		f92ce9	`+ if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */`
		f92ce9	`+ if (buf && bufsize) {`
		f92ce9	`+ PR_snprintf(buf, bufsize, "SSL3");`
		f92ce9	`+ } else {`
		f92ce9	`+ vstr = slapi_ch_smprintf("SSL3");`
		f92ce9	`+ }`
		f92ce9	`+ } else { /* TLS v X.Y */`
		f92ce9	`+ const char *TLSFMT = "TLS%d.%d";`
		f92ce9	`+ int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */`
		f92ce9	`+`
		f92ce9	`+ if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {`
		f92ce9	`+ minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */`
		f92ce9	`+ }`
		f92ce9	`+ if (buf && bufsize) {`
		f92ce9	`+ PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);`
		f92ce9	`+ } else {`
		f92ce9	`+ vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`+ } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */`
		f92ce9	`+ if (buf && bufsize) {`
		f92ce9	`+ PR_snprintf(buf, bufsize, "SSL2");`
		f92ce9	`+ } else {`
		f92ce9	`+ vstr = slapi_ch_smprintf("SSL2");`
		f92ce9	`+ }`
		f92ce9	`+ } else {`
		f92ce9	`+ if (buf && bufsize) {`
		f92ce9	`+ PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum);`
		f92ce9	`+ } else {`
		f92ce9	`+ vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);`
		f92ce9	`+ }`
		f92ce9	`}`
		f92ce9	`return vstr;`
		f92ce9	`}`
		f92ce9	`@@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum)`
		f92ce9	`static void`
		f92ce9	`restrict_SSLVersionRange(void)`
		f92ce9	`{`
		f92ce9	`+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];`
		f92ce9	`+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];`
		f92ce9	`+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));`
		f92ce9	`if (slapdNSSVersions.min > slapdNSSVersions.max) {`
		f92ce9	`slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "`
		f92ce9	`"Resetting the max to the supported max SSL version: %s.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ mymin, mymax, emax);`
		f92ce9	`slapdNSSVersions.max = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`if (enableSSL3) {`
		f92ce9	`@@ -911,17 +931,14 @@ restrict_SSLVersionRange(void)`
		f92ce9	`slapd_SSL_warn("Configured range: min: %s, max: %s; "`
		f92ce9	`"but both nsSSL3 and nsTLS1 are on. "`
		f92ce9	`"Respect the supported range.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`enableSSL3 = PR_FALSE;`
		f92ce9	`}`
		f92ce9	`if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {`
		f92ce9	`slapd_SSL_warn("Configured range: min: %s, max: %s; "`
		f92ce9	`"but both nsSSL3 and nsTLS1 are on. "`
		f92ce9	`"Resetting the max to the supported max SSL version: %s.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ mymin, mymax, emax);`
		f92ce9	`slapdNSSVersions.max = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`} else {`
		f92ce9	`@@ -930,8 +947,7 @@ restrict_SSLVersionRange(void)`
		f92ce9	`slapd_SSL_warn("Supported range: min: %s, max: %s; "`
		f92ce9	`"but nsSSL3 is on and nsTLS1 is off. "`
		f92ce9	`"Respect the supported range.",`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ emin, emax);`
		f92ce9	`slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);`
		f92ce9	`enableSSL3 = PR_FALSE;`
		f92ce9	`enableTLS1 = PR_TRUE;`
		f92ce9	`@@ -939,19 +955,13 @@ restrict_SSLVersionRange(void)`
		f92ce9	`slapd_SSL_warn("Configured range: min: %s, max: %s; "`
		f92ce9	`"but nsSSL3 is on and nsTLS1 is off. "`
		f92ce9	`"Respect the configured range.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`enableSSL3 = PR_FALSE;`
		f92ce9	`enableTLS1 = PR_TRUE;`
		f92ce9	`} else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {`
		f92ce9	`slapd_SSL_warn("Too low configured range: min: %s, max: %s; "`
		f92ce9	`- "Resetting the range to: min: %s, max: %s.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max),`
		f92ce9	`- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),`
		f92ce9	`- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));`
		f92ce9	`- slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;`
		f92ce9	`- slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;`
		f92ce9	`+ "We strongly recommend to set sslVersionMax higher than %s.",`
		f92ce9	`+ mymin, mymax, emax);`
		f92ce9	`} else {`
		f92ce9	`/*`
		f92ce9	`* slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&`
		f92ce9	`@@ -960,8 +970,7 @@ restrict_SSLVersionRange(void)`
		f92ce9	`slapd_SSL_warn("Configured range: min: %s, max: %s; "`
		f92ce9	`"but nsSSL3 is on and nsTLS1 is off. "`
		f92ce9	`"Respect the configured range.",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`enableTLS1 = PR_TRUE;`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`@@ -971,8 +980,7 @@ restrict_SSLVersionRange(void)`
		f92ce9	`/* TLS1 is on, but TLS1 is not supported by NSS. */`
		f92ce9	`slapd_SSL_warn("Supported range: min: %s, max: %s; "`
		f92ce9	`"Setting the version range based upon the supported range.",`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ emin, emax);`
		f92ce9	`slapdNSSVersions.max = enabledNSSVersions.max;`
		f92ce9	`slapdNSSVersions.min = enabledNSSVersions.min;`
		f92ce9	`enableSSL3 = PR_TRUE;`
		f92ce9	`@@ -983,8 +991,7 @@ restrict_SSLVersionRange(void)`
		f92ce9	`slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);`
		f92ce9	`slapd_SSL_warn("Default SSL Version settings; "`
		f92ce9	`"Configuring the version range as min: %s, max: %s; ",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`} else {`
		f92ce9	`/*`
		f92ce9	`* slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&`
		f92ce9	`@@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void)`
		f92ce9	`} else {`
		f92ce9	`slapd_SSL_warn("Supported range: min: %s, max: %s; "`
		f92ce9	`"Respect the configured range.",`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ emin, emax);`
		f92ce9	`/* nsTLS1 is explicitly set to off. */`
		f92ce9	`if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {`
		f92ce9	`enableTLS1 = PR_TRUE;`
		f92ce9	`@@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available)`
		f92ce9	`char *keydb_file_name = NULL;`
		f92ce9	`char *secmoddb_file_name = NULL;`
		f92ce9	`#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */`
		f92ce9	`+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];`
		f92ce9	`/* Get the range of the supported SSL version */`
		f92ce9	`SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);`
		f92ce9
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));`
		f92ce9	`slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",`
		f92ce9	`"supported range by NSS: min: %s, max: %s\n",`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ emin, emax);`
		f92ce9	`#endif`
		f92ce9
		f92ce9	`/* set in slapd_bootstrap_config,`
		f92ce9	`@@ -1351,34 +1359,37 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`{`
		f92ce9	`char vp, endp;`
		f92ce9	`int vnum;`
		f92ce9	`+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];`
		f92ce9
		f92ce9	`if (NULL == rval) {`
		f92ce9	`return 1;`
		f92ce9	`}`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));`
		f92ce9	`if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */`
		f92ce9	`vp = val + SSLLEN;`
		f92ce9	`vnum = strtol(vp, &endp, 10);`
		f92ce9	`if (2 == vnum) {`
		f92ce9	`if (ismin) {`
		f92ce9	`if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {`
		f92ce9	`- slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`- "\"%s\" is lower than the supported version; "`
		f92ce9	`- "the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`- (*rval) = enabledNSSVersions.min;`
		f92ce9	`+ slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`+ "\"%s\" is lower than the supported version; "`
		f92ce9	`+ "the default value \"%s\" is used.",`
		f92ce9	`+ val, emin);`
		f92ce9	`+ (*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`- (*rval) = SSL_LIBRARY_VERSION_2;`
		f92ce9	`+ (*rval) = SSL_LIBRARY_VERSION_2;`
		f92ce9	`}`
		f92ce9	`} else {`
		f92ce9	`if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) {`
		f92ce9	`/* never happens */`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`- "\"%s\" is higher than the supported version; "`
		f92ce9	`- "the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`- (*rval) = enabledNSSVersions.max;`
		f92ce9	`+ "\"%s\" is higher than the supported version; "`
		f92ce9	`+ "the default value \"%s\" is used.",`
		f92ce9	`+ val, emax);`
		f92ce9	`+ (*rval) = enabledNSSVersions.max;`
		f92ce9	`} else {`
		f92ce9	`- (*rval) = SSL_LIBRARY_VERSION_2;`
		f92ce9	`+ (*rval) = SSL_LIBRARY_VERSION_2;`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`} else if (3 == vnum) {`
		f92ce9	`@@ -1387,7 +1398,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is lower than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_3_0;`
		f92ce9	`@@ -1398,7 +1409,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is higher than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_3_0;`
		f92ce9	`@@ -1408,12 +1419,12 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`if (ismin) {`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is invalid; the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is invalid; the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`@@ -1427,7 +1438,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is lower than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;`
		f92ce9	`@@ -1438,7 +1449,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is higher than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;`
		f92ce9	`@@ -1450,7 +1461,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is lower than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;`
		f92ce9	`@@ -1461,7 +1472,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is higher than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;`
		f92ce9	`@@ -1474,7 +1485,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is lower than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;`
		f92ce9	`@@ -1485,7 +1496,7 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is higher than the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`} else {`
		f92ce9	`(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;`
		f92ce9	`@@ -1497,13 +1508,13 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is out of the range of the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is out of the range of the supported version; "`
		f92ce9	`"the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`@@ -1511,12 +1522,12 @@ set_NSS_version(char val, PRUint16 rval, int ismin)`
		f92ce9	`if (ismin) {`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMin "`
		f92ce9	`"\"%s\" is invalid; the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emin);`
		f92ce9	`(*rval) = enabledNSSVersions.min;`
		f92ce9	`} else {`
		f92ce9	`slapd_SSL_warn("Security Initialization: The value of sslVersionMax "`
		f92ce9	`"\"%s\" is invalid; the default value \"%s\" is used.",`
		f92ce9	`- val, getNSSVersion_str(enabledNSSVersions.min));`
		f92ce9	`+ val, emax);`
		f92ce9	`(*rval) = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`}`
		f92ce9	`@@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)`
		f92ce9	`#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */`
		f92ce9	`PRUint16 NSSVersionMin = enabledNSSVersions.min;`
		f92ce9	`PRUint16 NSSVersionMax = enabledNSSVersions.max;`
		f92ce9	`+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];`
		f92ce9	`+ char newmax[VERSION_STR_LENGTH];`
		f92ce9	`#endif`
		f92ce9	`char cipher_string[1024];`
		f92ce9	`int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;`
		f92ce9	`@@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)`
		f92ce9	`}`
		f92ce9	`slapi_ch_free_string( &val );`
		f92ce9	`if (NSSVersionMin > NSSVersionMax) {`
		f92ce9	`+ (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));`
		f92ce9	`slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",`
		f92ce9	`- getNSSVersion_str(NSSVersionMin),`
		f92ce9	`- getNSSVersion_str(NSSVersionMax));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));`
		f92ce9	`slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",`
		f92ce9	`- getNSSVersion_str(NSSVersionMax),`
		f92ce9	`- getNSSVersion_str(enabledNSSVersions.max));`
		f92ce9	`+ mymax, newmax);`
		f92ce9	`NSSVersionMax = enabledNSSVersions.max;`
		f92ce9	`}`
		f92ce9	`#endif`
		f92ce9	`@@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)`
		f92ce9	`slapdNSSVersions.min = NSSVersionMin;`
		f92ce9	`slapdNSSVersions.max = NSSVersionMax;`
		f92ce9	`restrict_SSLVersionRange();`
		f92ce9	`+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));`
		f92ce9	`+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));`
		f92ce9	`slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",`
		f92ce9	`"Configured SSL version range: min: %s, max: %s\n",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);`
		f92ce9	`if (sslStatus == SECSuccess) {`
		f92ce9	`/* Set the restricted value to the cn=encryption entry */`
		f92ce9	`} else {`
		f92ce9	`slapd_SSL_error("SSL Initialization 2: "`
		f92ce9	`"Failed to set SSL range: min: %s, max: %s\n",`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.min),`
		f92ce9	`- getNSSVersion_str(slapdNSSVersions.max));`
		f92ce9	`+ mymin, mymax);`
		f92ce9	`}`
		f92ce9	`} else {`
		f92ce9	`#endif`
		f92ce9	`--`
		f92ce9	`1.9.3`
		f92ce9

rpms / 389-ds-base

Source Code

Blame SOURCES/0027-Ticket-47945-Add-SSL-TLS-version-info-to-the-access-.patch