From dd2dc9218ec91589f03c89f4f38fe2927bf5e3ab Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Wed, 10 Sep 2014 18:56:43 -0700
Subject: [PATCH 6/7] Ticket #47895 - If no effective ciphers are available, disable security setting.

Description: If nsslapd-security is "on" and nsSSL3Ciphers is given AND none of the ciphers are available or some syntax error is detected, the server sets nsslapd-security "off" and starts up.
https://fedorahosted.org/389/ticket/47895
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
(cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)
(cherry picked from commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b)
---
 ldap/servers/slapd/main.c | 42 ++++++++++++++++++++++++++++++------------
 1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d577514..6bad2a0 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
 }
 #endif /* LDAP_DEBUG */
+static int
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
+{
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
+
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed. Disabling %s.\n", what, what);
+ ports_info->s_socket = SLAPD_INVALID_SOCKET;
+ ports_info->s_port = 0;
+ *init_ssl = 0;
+ if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n",
+ CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
+ return 1;
+ }
+ return 0;
+}
+
 /* This function does all NSS and SSL related initialization required during startup. We use this function rather
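Review bot: force_to_disable_security drops `ports_info->s_socket` by overwriting it with SLAPD_INVALID_SOCKET without closing anything it pointed to; the third hunk walks `ports_info->s_socket` as an already-filled `PRFileDesc *` array, so if the secure listeners are created before this function runs (not visible here, please confirm) they remain open and bound but are never serviced, and a client reaching the secure port would hang rather than be refused. If that is the case, close those descriptors (or leave the array for the caller to close) before the pointer is replaced, and say so in a header comment on the function. Separately, the format string `"ERROR: %s Initialization Failed. Disabling %s.\n"` prints `what` twice, so the "SSL2" call site logs "Disabling SSL2" although what is switched off is the nsslapd-security setting; passing CONFIG_SECURITY_ATTRIBUTE as the second argument would make the log line say what actually happened. A one-line comment stating whether the fourth argument of config_set_security persists the "off" value or only changes the running configuration would also spare the next reader a lookup.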
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 * modules can assume NSS is available */
 if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
- (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
- return 1;
+ (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+ if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
+ return 1;
+ }
 }
 if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
 client_auth_init();
 }
- if ( init_ssl && ( 0 != slapd_ssl_init())) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
- return 1;
+ if (init_ssl && slapd_ssl_init()) {
+ if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
+ return 1;
+ }
 }
 if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 if ( init_ssl ) {
 PRFileDesc **sock;
 for (sock = ports_info->s_socket; sock && *sock; sock++) {
- if ( 0 != slapd_ssl_init2(sock, 0) ) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
- return 1;
+ if ( slapd_ssl_init2(sock, 0) ) {
+ if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
+ return 1;
+ }
 }
 }
 }
-- 
1.9.3
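Review bot: Turning a slapd_nss_init failure into a continue-without-security goes beyond what the commit message describes: the context line just above the first change (`* modules can assume NSS is available */`) records that other parts of the server rely on NSS being initialized, yet the new code now carries on with NSS uninitialized and only the SSL listener switched off. The cipher-list problem the ticket is about is detected in slapd_ssl_init, so the NSS branch should keep its hard failure, `LDAPDebug(LDAP_DEBUG_ANY, "ERROR: NSS Initialization Failed.\n", 0, 0, 0); return 1;`, and only the slapd_ssl_init branch should fall back to force_to_disable_security. If the NSS fallback is intended, the comment above it should be updated, since it no longer holds. slapd_do_all_nss_ssl_init starts and ends outside this hunk.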
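Review bot: When force_to_disable_security("SSL2", ...) returns 0 the for loop keeps running and calls slapd_ssl_init2 on the remaining sockets even though init_ssl has just been cleared and ports_info->s_socket reset; sock is a local copy, so the loop still walks the old array and may invoke the fallback again. A `break;` after the inner if ends the loop on the first failure: `if (force_to_disable_security("SSL2", &init_ssl, ports_info)) { return 1; } break;`. The label "SSL2" also reads as SSLv2 in the resulting log line; something like "SSL phase 2" would match the message the removed lines used. The enclosing function continues outside this hunk.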