From dd2dc9218ec91589f03c89f4f38fe2927bf5e3ab Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 10 Sep 2014 18:56:43 -0700
Subject: [PATCH 6/7] Ticket #47895 - If no effective ciphers are available,
disable security setting.
Description: If nsslapd-security is "on" and nsSSL3Ciphers is given
AND none of the ciphers are available or some syntax error is detected,
the server sets nsslapd-security "off" and starts up.
https://fedorahosted.org/389/ticket/47895
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
(cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)
(cherry picked from commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b)
---
ldap/servers/slapd/main.c | 42 ++++++++++++++++++++++++++++++------------
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d577514..6bad2a0 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
}
#endif /* LDAP_DEBUG */
+static int
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
+{
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
+
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed. Disabling %s.\n", what, what);
+ ports_info->s_socket = SLAPD_INVALID_SOCKET;
+ ports_info->s_port = 0;
+ *init_ssl = 0;
+ if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n",
+ CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
+ return 1;
+ }
+ return 0;
+}
+
/*
This function does all NSS and SSL related initialization
required during startup. We use this function rather
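Review bot: force_to_disable_security overwrites ports_info->s_socket and ports_info->s_port without closing or freeing whatever the array held, so if the secure listeners had already been opened by the caller they are dropped rather than released; where s_socket is populated is not visible in this hunk, so confirm whether a close is owed here before the assignment. Because the helper turns a TLS initialization failure into a plaintext-only startup, the log line should state the consequence so operators and log monitoring can key on it, e.g. `"ERROR: %s Initialization Failed. Setting nsslapd-security to off; the secure port will not be opened.\n"`. A short header comment would also help: that the function is meant to be called from slapd_do_all_nss_ssl_init before the secure listeners are used, that it always leaves *init_ssl at 0, and that it returns 1 only when the config update itself fails.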
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
* modules can assume NSS is available
*/
if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
- (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
- return 1;
+ (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+ if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
+ return 1;
+ }
}
if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
client_auth_init();
}
- if ( init_ssl && ( 0 != slapd_ssl_init())) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
- return 1;
+ if (init_ssl && slapd_ssl_init()) {
+ if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
+ return 1;
+ }
}
if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
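Review bot: The NSS branch now falls through to client_auth_init() after slapd_nss_init has failed, whereas the removed code returned before reaching it; if client_auth_init depends on an initialized NSS database (likely, but not visible here) it should be skipped in that case, e.g. track the result with `int nss_ok = 1;` before the call, `nss_ok = 0;` next to the force_to_disable_security("NSS", ...) call, and `if (slapd_exemode == SLAPD_EXEMODE_SLAPD && nss_ok) {` around client_auth_init. This branch also catches every slapd_nss_init failure, not only the unavailable-cipher and syntax cases the commit message describes, so a missing or unreadable certificate database now yields a server running without TLS instead of a startup failure; if that is intended it deserves a comment above the call saying so. slapd_do_all_nss_ssl_init's signature and the declaration of init_ssl lie outside this hunk.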
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
if ( init_ssl ) {
PRFileDesc **sock;
for (sock = ports_info->s_socket; sock && *sock; sock++) {
- if ( 0 != slapd_ssl_init2(sock, 0) ) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
- return 1;
+ if ( slapd_ssl_init2(sock, 0) ) {
+ if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
+ return 1;
+ }
}
}
}
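Review bot: When slapd_ssl_init2 fails for one listener the loop keeps running: `sock` still walks the original array even though ports_info->s_socket was just replaced inside force_to_disable_security, so every remaining socket is still passed to slapd_ssl_init2 after security has been disabled, each failure logging another "Disabling SSL2" line and calling config_set_security again. Add `break;` after the inner `if (force_to_disable_security(...)) { return 1; }` so the first failure ends the loop. The "SSL2" label also reads as the SSLv2 protocol in the resulting messages ("SSL2 Initialization Failed. Disabling SSL2."); the removed message's "phase 2" wording was clearer, so consider passing "SSL" here and logging the phase in a separate message.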
--
1.9.3