From c2bb6286434ea3bb87d454a8c9451dcc8f278297 Mon Sep 17 00:00:00 2001 
From: Noriko Hosoi Date: Thu, 13 Nov 2014 12:14:48 -0800 Subject: [PATCH 30/30] Ticket #47928 - Disable SSL v3, by default. Description: Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. In dn: cn=encryption,cn=config, 0) Setting no SSL version attrs (using defaults); supported max is TLS1.2 ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2 sslVersionMin: TLS1.0 sslVersionMax: TLS1.3 nsSSL3: off nsTLS1: on ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 2) Setting new SSL version attrs; supported max is TLS1.2 sslVersionMin: TLS1.0 sslVersionMax: TLS1.3 ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2 nsSSL3: on sslVersionMin: TLS1.0 ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis able nsSSL3 in cn=encryption,cn=config. SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range. SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2 nsSSL3: off sslVersionMin: SSL3 sslVersionMax: SSL3 ==> SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2. SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 5) Setting old/new SSL version attrs; no conflict; setting SSL3 nsSSL3: on nsTLS1: off sslVersionMin: SSL3 sslVersionMax: SSL3 ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config. SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0. 
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3 https://fedorahosted.org/389/ticket/47928 Reviewed by mreynolds@redhat.com (Thank you, Mark!!) (cherry picked from commit ad7885eae64a2085a89d516c1106b578142be502) (cherry picked from commit 3e7321ba1641234651fbf1e8fc01bf9fbecbc696) --- ldap/servers/slapd/fedse.c | 2 +- ldap/servers/slapd/ssl.c | 74 ++++++++++++++++++++++++++-------------------- 2 files changed, 43 insertions(+), 33 deletions(-) diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c index 87f45a1..d10fb3e 100644 --- a/ldap/servers/slapd/fedse.c +++ b/ldap/servers/slapd/fedse.c @@ -110,7 +110,7 @@ static const char *internal_entries[] = "cn:encryption\n" "nsSSLSessionTimeout:0\n" "nsSSLClientAuth:allowed\n" - "sslVersionMin:tls1.1\n", + "sslVersionMin:TLS1.0\n", "dn:cn=monitor\n" "objectclass:top\n" diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 5d6919a..6b51e0c 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -87,13 +87,23 @@ /* TLS1.1 is defined in RFC4346. */ #define NSS_TLS11 1 #else -/* - * TLS1.0 is defined in RFC2246. - * Close to SSL 3.0. - */ #define NSS_TLS10 1 #endif +/****************************************************************************** + * Default SSL Version Rule + * Old SSL version attributes: + * nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0 + * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater + * Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0. + * New SSL version attributes: + * sslVersionMin: TLS1.0 + * sslVersionMax: max ssl version supported by NSS + ******************************************************************************/ + +#define DEFVERSION "TLS1.0" +#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0 + extern char* slapd_SSL3ciphers; extern symbol_t supported_ciphers[]; #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ 
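Review bot: The TLS floor is now hard-coded in three unrelated places with nothing tying them together: the `"sslVersionMin:TLS1.0\n"` string in the fedse.c hunk, and `DEFVERSION "TLS1.0"` plus `CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0` in the ssl.c hunk at -87. A later bump of any one of them silently desynchronizes the others, which is the same class of drift this patch is cleaning up (the old `tls1.1` string in fedse.c had already diverged from the ssl.c literals). The fedse.c entry deserves a comment such as `/* keep in sync with DEFVERSION / CURRENT_DEFAULT_SSL_VERSION in ssl.c */`, and the two ssl.c defines the mirror note `/* DEFVERSION must name the version CURRENT_DEFAULT_SSL_VERSION resolves to; fedse.c's sslVersionMin default follows it */`. The `internal_entries[]` initializer that the fedse.c hunk edits begins and ends outside the hunk.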
@@ -253,12 +263,12 @@ static lookup_cipher _lookup_cipher[] = { PRBool enableSSL2 = PR_FALSE; /* * nsSSL3: on -- disable SSLv3 by default. - * Corresonding to SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0 + * Corresonding to SSL_LIBRARY_VERSION_3_0 */ PRBool enableSSL3 = PR_FALSE; /* * nsTLS1: on -- enable TLS1 by default. - * Corresonding to SSL_LIBRARY_VERSION_TLS_1_1 and greater. + * Corresonding to SSL_LIBRARY_VERSION_TLS_1_0 and greater. */ PRBool enableTLS1 = PR_TRUE; @@ -927,14 +937,14 @@ restrict_SSLVersionRange(void) slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; " "We strongly recommend to disable nsSSL3 in %s.", configDN); if (enableTLS1) { - if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Configured range: min: %s, max: %s; " "but both nsSSL3 and nsTLS1 are on. " "Respect the supported range.", mymin, mymax); enableSSL3 = PR_FALSE; } - if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Configured range: min: %s, max: %s; " "but both nsSSL3 and nsTLS1 are on. " "Resetting the max to the supported max SSL version: %s.", @@ -943,7 +953,7 @@ restrict_SSLVersionRange(void) } } else { /* nsTLS1 is explicitly set to off. */ - if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + if (enabledNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Supported range: min: %s, max: %s; " "but nsSSL3 is on and nsTLS1 is off. " "Respect the supported range.", 
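Review bot: Both rewritten comment lines in the -253 hunk keep the misspelling `Corresonding`; since the lines are being touched anyway, `* Corresponding to SSL_LIBRARY_VERSION_3_0` and `* Corresponding to SSL_LIBRARY_VERSION_TLS_1_0 and greater.` would fix it. The unchanged context line `nsSSL3: on -- disable SSLv3 by default.` above the first of them also contradicts the new "Default SSL Version Rule" block, which documents the default as `nsSSL3: off`, and the initializer `enableSSL3 = PR_FALSE` right below it; `* nsSSL3: off -- SSLv3 is disabled by default.` would make the three agree. The -927 and -943 hunks on this line only replace the literal with CURRENT_DEFAULT_SSL_VERSION and look consistent with the new rule.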
@@ -951,20 +961,20 @@ restrict_SSLVersionRange(void) slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min); enableSSL3 = PR_FALSE; enableTLS1 = PR_TRUE; - } else if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + } else if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Configured range: min: %s, max: %s; " "but nsSSL3 is on and nsTLS1 is off. " "Respect the configured range.", mymin, mymax); enableSSL3 = PR_FALSE; enableTLS1 = PR_TRUE; - } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + } else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Too low configured range: min: %s, max: %s; " - "We strongly recommend to set sslVersionMax higher than %s.", - mymin, mymax, emax); + "We strongly recommend to set sslVersionMin higher than %s.", + mymin, mymax, DEFVERSION); } else { /* - * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 && + * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 && * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1 */ slapd_SSL_warn("Configured range: min: %s, max: %s; " @@ -976,7 +986,7 @@ restrict_SSLVersionRange(void) } } else { if (enableTLS1) { - if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { /* TLS1 is on, but TLS1 is not supported by NSS. */ slapd_SSL_warn("Supported range: min: %s, max: %s; " "Setting the version range based upon the supported range.", 
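Review bot: The final `else` of this chain in restrict_SSLVersionRange is now unreachable: the two preceding tests `slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION` and `slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION` are exhaustive, so the "Configured range: …" warning that follows, and whatever the branch does past the end of the hunk, can never execute. Before this patch the middle test looked at `max`, and the else's own comment still describes the case `min < TLS1.0 && max >= …`; if that case is still meant to be handled there, the middle condition should probably read `} else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {` (which, assuming the range is normalized so min <= max, still implies the low min the new message talks about), otherwise the dead branch should be removed. Either way the comment inside the else still says `slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1`, whereas the analogous comment in the -1004 hunk was updated to TLS_1_0. The function starts and ends outside this hunk.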
@@ -985,17 +995,17 @@ restrict_SSLVersionRange(void) slapdNSSVersions.min = enabledNSSVersions.min; enableSSL3 = PR_TRUE; enableTLS1 = PR_FALSE; - } else if ((slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) || - (slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_1)) { + } else if ((slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) || + (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION)) { slapdNSSVersions.max = enabledNSSVersions.max; - slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min); - slapd_SSL_warn("Default SSL Version settings; " - "Configuring the version range as min: %s, max: %s; ", - mymin, mymax); + slapdNSSVersions.min = SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min); + slapd_SSL_warn("nsTLS1 is on, but the version range is lower than \"%s\"; " + "Configuring the version range as default min: %s, max: %s.", + DEFVERSION, DEFVERSION, emax); } else { /* - * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 && - * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1 + * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_0 && + * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0 */ ; } @@ -1004,14 +1014,14 @@ restrict_SSLVersionRange(void) "Respect the configured range.", emin, emax); /* nsTLS1 is explicitly set to off. */ - if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) { enableTLS1 = PR_TRUE; - } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + } else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { enableSSL3 = PR_TRUE; } else { /* - * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 && - * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1 + * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 && + * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0 */ enableSSL3 = PR_TRUE; enableTLS1 = PR_TRUE; 
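Review bot: The new warning in the -985 hunk reports the configured minimum as `DEFVERSION`, but the assignment just above it sets `slapdNSSVersions.min = SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min)`, so on an NSS build whose supported minimum is above TLS1.0 the log names a version that was not actually applied. `emin` appears to be the string form of `enabledNSSVersions.min` in this function (the -1004 hunk prints it as the supported range's min), so the second argument can be made truthful with `(enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) ? emin : DEFVERSION`. A one-line comment above the SSLVGreater call, `/* the default floor may be raised by what NSS supports */`, would also explain why the two values can differ. The enclosing function continues outside both hunks on this line.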
@@ -1434,17 +1444,17 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) sscanf(vp, "%4f", &tlsv); if (tlsv < 1.1) { /* TLS1.0 */ if (ismin) { - if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) { slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is lower than the supported version; " "the default value \"%s\" is used.", val, emin); (*rval) = enabledNSSVersions.min; } else { - (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + (*rval) = CURRENT_DEFAULT_SSL_VERSION; } } else { - if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) { + if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { /* never happens */ slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is higher than the supported version; " @@ -1452,7 +1462,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) val, emax); (*rval) = enabledNSSVersions.max; } else { - (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + (*rval) = CURRENT_DEFAULT_SSL_VERSION; } } } else if (tlsv < 1.2) { /* TLS1.1 */ @@ -1906,7 +1916,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) } else { enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" ); } - } else if (enabledNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_0) { + } else if (enabledNSSVersions.max >= CURRENT_DEFAULT_SSL_VERSION) { enableTLS1 = PR_TRUE; /* If available, enable TLS1 */ } slapi_ch_free_string( &val ); -- 1.9.3
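Review bot: In set_NSS_version the `tlsv < 1.1` branch is the parser for an explicit `TLS1.0` request, so replacing `SSL_LIBRARY_VERSION_TLS_1_0` with `CURRENT_DEFAULT_SSL_VERSION` in its comparisons and both `(*rval)` assignments (this hunk and -1452) ties the meaning of the literal value "TLS1.0" to whatever the default happens to be. The two are equal today, but the next bump of the default would silently remap an administrator's explicit `sslVersionMin: TLS1.0` to a different protocol version with no warning and no trace in the log. Keep `(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;` in both else arms (and the literal in the two `enabledNSSVersions` comparisons), with a comment such as `/* explicit TLS1.0 request: deliberately not CURRENT_DEFAULT_SSL_VERSION */`; the macro belongs only in default/fallback paths like the -1906 hunk, which reads correctly. set_NSS_version begins before this hunk and continues past the -1452 hunk.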