From e7c71a8c3a361fa7cbf96a0c57723c74d044922a Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 10 Nov 2014 13:51:34 -0800
Subject: [PATCH 27/28] Ticket #47945 - Add SSL/TLS version info to the access
log
Description: Added the currently used SSL library version info per
connection to the access log.
Sample output:
SSL
[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[..] conn=3 TLS1.2 128-bit AES-GCM
startTLS
[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[..] conn=4 TLS1.2 128-bit AES-GCM
To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_
TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this
patch calculates the number and generates the version string.
https://fedorahosted.org/389/ticket/47945
Reviewed and adviced by rmeggins@redhat.com (Thanks a lot, Rich!!)
(cherry picked from commit a2e0de3aa90f04593427628afeb7fe090dac93fb)
(cherry picked from commit 0d1087d0c4dc9b6af3a01776ae11e0977c447fb7)
---
ldap/servers/slapd/auth.c | 85 +++++++++-------
ldap/servers/slapd/slapi-private.h | 19 ++++
ldap/servers/slapd/ssl.c | 194 ++++++++++++++++++++-----------------
3 files changed, 174 insertions(+), 124 deletions(-)
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
index 5b7dc31..0219576 100644
--- a/ldap/servers/slapd/auth.c
+++ b/ldap/servers/slapd/auth.c
@@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
int keySize = 0;
char* cipher = NULL;
char* extraErrorMsg = "";
- SSLChannelInfo channelInfo;
- SSLCipherSuiteInfo cipherInfo;
- char* subject = NULL;
+ SSLChannelInfo channelInfo;
+ SSLCipherSuiteInfo cipherInfo;
+ char* subject = NULL;
+ char sslversion[64];
if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {
PRErrorCode errorCode = PR_GetError();
@@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
* to be enough, close the SSL connection. */
if ( conn->c_flags & CONN_FLAG_START_TLS ) {
if ( cipherInfo.symKeyBits == 0 ) {
- start_tls_graceful_closure( conn, NULL, 1 );
- goto done;
- }
+ start_tls_graceful_closure( conn, NULL, 1 );
+ goto done;
+ }
}
if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
- goto done;
- }
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
+ goto done;
+ }
if (clientCert == NULL) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
} else {
- subject = subject_of (clientCert);
- if (!subject) {
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL");
- goto done;
- }
- {
- char* issuer = issuer_of (clientCert);
- char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL",
- subject ? escape_string( subject, sbuf ) : "NULL",
- issuer ? escape_string( issuer, ibuf ) : "NULL");
- if (issuer) free (issuer);
- }
- slapi_dn_normalize (subject);
+ subject = subject_of (clientCert);
+ if (!subject) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL");
+ goto done;
+ }
+ {
+ char* issuer = issuer_of (clientCert);
+ char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL",
+ subject ? escape_string( subject, sbuf ) : "NULL",
+ issuer ? escape_string( issuer, ibuf ) : "NULL");
+ if (issuer) free (issuer);
+ }
+ slapi_dn_normalize (subject);
{
LDAPMessage* chain = NULL;
char *basedn = config_get_basedn();
@@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
sdn = slapi_sdn_new_dn_passin(clientDN);
clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
slapi_sdn_free(&sdn);
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL client bound as %s\n",
- (long long unsigned int)conn->c_connid, clientDN);
+ "conn=%" NSPRIu64 " %s client bound as %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, clientDN);
} else if (clientCert != NULL) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL failed to map client "
+ "conn=%" NSPRIu64 " %s failed to map client "
"certificate to LDAP DN (%s)\n",
- (long long unsigned int)conn->c_connid, extraErrorMsg );
+ (long long unsigned int)conn->c_connid,
+ sslversion, extraErrorMsg);
}
/*
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index a8d7738..921c397 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
/* ldaputil.c */
char *ldaputil_get_saslpath();
+/* ssl.c */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+/* vnum is supposed to be in one of the following:
+ * nss3/sslproto.h
+ * #define SSL_LIBRARY_VERSION_2 0x0002
+ * #define SSL_LIBRARY_VERSION_3_0 0x0300
+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
+ * ...
+ */
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
+
#ifdef __cplusplus
}
#endif
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f81d1fb..5d6919a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[];
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
static SSLVersionRange enabledNSSVersions;
static SSLVersionRange slapdNSSVersions;
-static char *getNSSVersion_str(PRUint16 vnum);
#endif
/* dongle_file_name is set in slapd_nss_init when we set the path for the
@@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = {
{NULL, NULL}
};
+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
+#define VERSION_STR_LENGTH 64
+
/* Supported SSL versions */
/* nsSSL2: on -- we don't allow this any more. */
PRBool enableSSL2 = PR_FALSE;
@@ -418,8 +420,8 @@ getSSLVersionRange(char **min, char **max)
#if defined(NSS_TLS10)
return -1; /* not supported */
#else /* NSS_TLS11 or newer */
- *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));
- *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));
+ *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
+ *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
return 0;
#endif
}
@@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log)
}
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
-typedef struct _nss_version_list {
- PRUint16 vnum;
- char* vname;
-} NSSVersion_list;
-NSSVersion_list _NSSVersion_list[] =
-{
- {SSL_LIBRARY_VERSION_2, "SSL2"},
- {SSL_LIBRARY_VERSION_3_0, "SSL3"},
- {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},
- {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},
-#if defined(NSS_TLS12)
- {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},
-#endif
- {0, "unknown"}
-};
-
-static char *
-getNSSVersion_str(PRUint16 vnum)
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+char *
+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)
{
- NSSVersion_list *nvlp = NULL;
- char *vstr = "none";
- if (vnum) {
- for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) {
- if (nvlp->vnum == vnum) {
- vstr = nvlp->vname;
- break;
+ char *vstr = buf;
+ if (vnum >= SSL_LIBRARY_VERSION_3_0) {
+ if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL3");
+ } else {
+ vstr = slapi_ch_smprintf("SSL3");
+ }
+ } else { /* TLS v X.Y */
+ const char *TLSFMT = "TLS%d.%d";
+ int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
+
+ if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
+ minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
+ }
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
+ } else {
+ vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
}
}
+ } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL2");
+ } else {
+ vstr = slapi_ch_smprintf("SSL2");
+ }
+ } else {
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum);
+ } else {
+ vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);
+ }
}
return vstr;
}
@@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum)
static void
restrict_SSLVersionRange(void)
{
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
if (slapdNSSVersions.min > slapdNSSVersions.max) {
slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
if (enableSSL3) {
@@ -911,17 +931,14 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Respect the supported range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
}
if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
} else {
@@ -930,8 +947,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
@@ -939,19 +955,13 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
} else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
- "Resetting the range to: min: %s, max: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));
- slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
- slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ "We strongly recommend to set sslVersionMax higher than %s.",
+ mymin, mymax, emax);
} else {
/*
* slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
@@ -960,8 +970,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableTLS1 = PR_TRUE;
}
}
@@ -971,8 +980,7 @@ restrict_SSLVersionRange(void)
/* TLS1 is on, but TLS1 is not supported by NSS. */
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Setting the version range based upon the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
slapdNSSVersions.min = enabledNSSVersions.min;
enableSSL3 = PR_TRUE;
@@ -983,8 +991,7 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
slapd_SSL_warn("Default SSL Version settings; "
"Configuring the version range as min: %s, max: %s; ",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
} else {
/*
* slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
@@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void)
} else {
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Respect the configured range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
/* nsTLS1 is explicitly set to off. */
if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
enableTLS1 = PR_TRUE;
@@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available)
char *keydb_file_name = NULL;
char *secmoddb_file_name = NULL;
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
/* Get the range of the supported SSL version */
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
"supported range by NSS: min: %s, max: %s\n",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
#endif
/* set in slapd_bootstrap_config,
@@ -1351,34 +1359,37 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
{
char *vp, *endp;
int vnum;
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
if (NULL == rval) {
return 1;
}
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */
vp = val + SSLLEN;
vnum = strtol(vp, &endp, 10);
if (2 == vnum) {
if (ismin) {
if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {
- slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
- "\"%s\" is lower than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
- (*rval) = enabledNSSVersions.min;
+ slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
+ "\"%s\" is lower than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emin);
+ (*rval) = enabledNSSVersions.min;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
} else {
if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) {
/* never happens */
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
- "\"%s\" is higher than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
- (*rval) = enabledNSSVersions.max;
+ "\"%s\" is higher than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emax);
+ (*rval) = enabledNSSVersions.max;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
}
} else if (3 == vnum) {
@@ -1387,7 +1398,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1398,7 +1409,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1408,12 +1419,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1427,7 +1438,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1438,7 +1449,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1450,7 +1461,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1461,7 +1472,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1474,7 +1485,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1485,7 +1496,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1497,13 +1508,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1511,12 +1522,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
PRUint16 NSSVersionMin = enabledNSSVersions.min;
PRUint16 NSSVersionMax = enabledNSSVersions.max;
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char newmax[VERSION_STR_LENGTH];
#endif
char cipher_string[1024];
int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
@@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
slapi_ch_free_string( &val );
if (NSSVersionMin > NSSVersionMax) {
+ (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
- getNSSVersion_str(NSSVersionMin),
- getNSSVersion_str(NSSVersionMax));
+ mymin, mymax);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
- getNSSVersion_str(NSSVersionMax),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymax, newmax);
NSSVersionMax = enabledNSSVersions.max;
}
#endif
@@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
restrict_SSLVersionRange();
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
"Configured SSL version range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
if (sslStatus == SECSuccess) {
/* Set the restricted value to the cn=encryption entry */
} else {
slapd_SSL_error("SSL Initialization 2: "
"Failed to set SSL range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
}
} else {
#endif
--
1.9.3