From 0e32f3731887dbdf9c594a94fee693826f1a96de Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Tue, 23 Sep 2014 14:38:00 -0700 Subject: [PATCH 10/14] Ticket #47908 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server Description: In the given cipher list: nsSSL3Ciphers: +rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha, +rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5, +fortezza there were 2 issues. 1) An old cipher suite name rsa_des_sha was not correctly mapped to the name supported by NSS (TLS_RSA_WITH_DES_CBC_SHA) in the mapping table. And the unsupported cipher name was not gracefully skipped but returned an error. This patch fixes the mapped name and the behaviour so that it skips the unknown/unsupported cipher. 2) A cipher "fortezza" is deprecated. It's now skipped with the proper warning message. Reviewed by rmeggins@redhat.com (Thank you, Rich!!) https://fedorahosted.org/389/ticket/47908 (cherry picked from commit 83a6ceb556e769f0d0a201f4a3d783ae3915c6bc) (cherry picked from commit 4e347407887589635fe077fb6174d20d3d34c7c8) --- ldap/servers/slapd/ssl.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 03b5904..4e38308 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -172,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = { {"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, {"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, {"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, - {"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"}, + {"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"}, {"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, {"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */ {"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}, @@ -455,7 +455,7 @@ _conf_setciphers(char *ciphers, int flags) char *raw = ciphers; char **suplist = NULL; char **unsuplist = NULL; - int lookup; + PRBool enabledOne = PR_FALSE; /* #47838: harden the list of ciphers available by default */ /* Default is to activate all of them ==> none of them*/ @@ -474,6 +474,7 @@ _conf_setciphers(char *ciphers, int flags) * from the console */ _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL); + enabledOne = PR_TRUE; } else { /* If "+all" is not in nsSSL3Ciphers value, disable all first, * then enable specified ciphers. */ @@ -499,7 +500,7 @@ _conf_setciphers(char *ciphers, int flags) if (strcasecmp(ciphers, "all")) { /* if not all */ PRBool enabled = active ? PR_TRUE : PR_FALSE; - lookup = 1; + int lookup = 1; for (x = 0; _conf_ciphers[x].name; x++) { if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) { if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) { @@ -558,6 +559,9 @@ _conf_setciphers(char *ciphers, int flags) enabled = cipher_check_fips(x, NULL, &unsuplist); } } + if (enabled) { + enabledOne = PR_TRUE; /* At least one active cipher is set. */ + } SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled); break; } @@ -566,15 +570,14 @@ _conf_setciphers(char *ciphers, int flags) } } } - if(!_conf_ciphers[x].name) { - PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers); - slapi_ch_free((void **)&suplist); /* strings inside are static */ - slapi_ch_free((void **)&unsuplist); /* strings inside are static */ - return slapi_ch_strdup(err); + if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */ + slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s", + ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers); } } - if(t) + if(t) { ciphers = t; + } } if (unsuplist && *unsuplist) { char *strsup = charray2str(suplist, ","); @@ -592,6 +595,10 @@ _conf_setciphers(char *ciphers, int flags) slapi_ch_free((void **)&suplist); /* strings inside are static */ slapi_ch_free((void **)&unsuplist); /* strings inside are static */ + if (!enabledOne) { + char *nocipher = PR_smprintf("No active cipher suite is available."); + return nocipher; + } _conf_dumpciphers(); return NULL; -- 1.9.3