From 413ac674d497a981b30bdc81b47ea2bb3e14ad57 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Thu, 11 Jun 2015 22:25:14 -0700 Subject: [PATCH] Ticket #48194 - nsSSL3Ciphers preference not enforced server side Description: The fix for ticket 47838 accidentally changed the timing of setting default cipher preferences and creating a sslSocket which broke setting the default preferences to each sslSocket. https://fedorahosted.org/389/ticket/48194 Reviewed by rmeggins@redhat.com (Thank you, Rich!!) (cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c) (cherry picked from commit 99109e38ca671951c50724018fce71e2e362f0ff) --- ldap/servers/slapd/ssl.c | 97 +++++++++++++++++++++++++----------------------- 1 file changed, 50 insertions(+), 47 deletions(-) diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 6b51e0c..36a4788 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -1342,9 +1342,6 @@ slapd_ssl_init() freeConfigEntry( &entry ); } - /* ugaston- Cipher preferences must be set before any sslSocket is created - * for such sockets to take preferences into account. - */ freeConfigEntry( &entry ); /* Introduce a way of knowing whether slapd_ssl_init has @@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) errorbuf[0] = '\0'; + /* + * Cipher preferences must be set before any sslSocket is created + * for such sockets to take preferences into account. + */ + getConfigEntry(configDN, &e); + if (e == NULL) { + slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN); + return 1; + } + val = slapi_entry_attr_get_charptr(e, "allowWeakCipher"); + if (val) { + if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || + !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) { + allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER; + } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || + !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) { + allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER; + } else { + slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.", + "Ignoring it and set it to default.", val, configDN); + } + } + slapi_ch_free((void **) &val); + + /* Set SSL cipher preferences */ + *cipher_string = 0; + if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank")) + PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string)); + slapi_ch_free((void **) &ciphers); + + if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) { + errorCode = PR_GetError(); + slapd_SSL_warn("Security Initialization: Failed to set SSL cipher " + "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + val, errorCode, slapd_pr_strerror(errorCode)); + slapi_ch_free((void **) &val); + } + freeConfigEntry(&e); + /* Import pr fd into SSL */ pr_sock = SSL_ImportFD( NULL, sock ); if( pr_sock == (PRFileDesc *)NULL ) { @@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) slapd_pk11_setSlotPWValues(slot, 0, 0); } - - /* * Now, get the complete list of cipher families. Each family * has a token name and personality name which we'll use to find @@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) "out of disk space! Make more room in /tmp " "and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", errorCode, slapd_pr_strerror(errorCode)); - } - else { - slapd_SSL_error("Config of server nonce cache failed (error %d - %s)", + } else { + slapd_SSL_error("Config of server nonce cache failed (error %d - %s)", errorCode, slapd_pr_strerror(errorCode)); } return rv; @@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ } #endif - val = slapi_entry_attr_get_charptr(e, "allowWeakCipher"); - if (val) { - if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || - !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) { - allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER; - } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || - !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) { - allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER; - } else { - slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.", - "Ignoring it and set it to default.", val, configDN); - } - } - slapi_ch_free((void **) &val); - - /* Set SSL cipher preferences */ - *cipher_string = 0; - if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank")) - PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string)); - slapi_ch_free((void **) &ciphers); - - if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) { - errorCode = PR_GetError(); - slapd_SSL_warn("Security Initialization: Failed to set SSL cipher " - "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - val, errorCode, slapd_pr_strerror(errorCode)); - rv = 3; - slapi_ch_free((void **) &val); - } - freeConfigEntry( &e ); if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) { @@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) /* richm 20020227 To do LDAP client SSL init, we need to do - static void - ldapssl_basic_init( void ) - { - PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + static void + ldapssl_basic_init( void ) + { + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); - PR_SetConcurrency( 4 ); - } + PR_SetConcurrency( 4 ); + } NSS_Init(certdbpath); SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE); - SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); - s = NSS_SetDomesticPolicy(); + SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); + s = NSS_SetDomesticPolicy(); We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest */ @@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld) char **family; char *personality = NULL; char *activation = NULL; - char *cipher = NULL; + char *cipher = NULL; for (family = family_list; *family; family++) { getConfigEntry( *family, &entry ); -- 1.9.3