Blame SOURCES/openldap-nss-protocol-version-new-api.patch

95f81a
Implement new API for setting TLS protocol version.
95f81a
95f81a
The code being deleted has been misplaced and it's effect has been
95f81a
mangled by a code later on. This patch puts the code at the correct
95f81a
place and introduces some more logging and error checking.
95f81a
95f81a
Author: Matus Honek <mhonek@redhat.com>
95f81a
RHBZ: #1249093
95f81a
95f81a
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
95f81a
--- a/libraries/libldap/tls_m.c
95f81a
+++ b/libraries/libldap/tls_m.c
95f81a
@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
95f81a
 			}
95f81a
 		}
95f81a
 
95f81a
-		/*
95f81a
-		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
95f81a
-		 *
95f81a
-		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
95f81a
-		 */
95f81a
-		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
95f81a
-		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
95f81a
-		variant = ssl_variant_stream;
95f81a
-		SSL_VersionRangeSetDefault(variant, &range);
95f81a
-
95f81a
 		NSS_SetDomesticPolicy();
95f81a
 
95f81a
 		PK11_SetPasswordFunc( tlsm_pin_prompt );
95f81a
@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
95f81a
 		       0, 0, 0 );
95f81a
 		return -1;
95f81a
 	}
95f81a
+	if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
95f81a
+		SSLVersionRange supported_range, default_range, selected_range;
95f81a
+		if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
95f81a
+			Debug( LDAP_DEBUG_ANY,
95f81a
+			       "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
95f81a
+			       0, 0, 0 );
95f81a
+			return -1;
95f81a
+		} else {
95f81a
+			Debug( LDAP_DEBUG_ANY,
95f81a
+			       "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
95f81a
+			       supported_range.min, supported_range.max, 0);
95f81a
+		}
95f81a
+		if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
95f81a
+			Debug( LDAP_DEBUG_ANY,
95f81a
+			       "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
95f81a
+			       0, 0, 0 );
95f81a
+			return -1;
95f81a
+		} else {
95f81a
+			Debug( LDAP_DEBUG_ANY,
95f81a
+			       "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
95f81a
+			       default_range.min, default_range.max, 0);
95f81a
+		}
95f81a
+		selected_range.min = lt->lt_protocol_min;
95f81a
+		selected_range.max = supported_range.max;
95f81a
+		Debug( LDAP_DEBUG_ANY,
95f81a
+		       "TLS: info: TLS configured protocol minimal version is %#04x.\n",
95f81a
+		       selected_range.min, selected_range.max, 0);
95f81a
+		if ( (selected_range.min > supported_range.max) ||
95f81a
+		     (selected_range.max < supported_range.min) ) {
95f81a
+			Debug( LDAP_DEBUG_ANY,
95f81a
+			       "TLS: error: selected protocol version range out of NSS-supported version range.\n",
95f81a
+			       0, 0, 0);
95f81a
+			return -1;
95f81a
+		} else {
95f81a
+			if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
95f81a
+				Debug( LDAP_DEBUG_ANY,
95f81a
+				       "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
95f81a
+				       0, 0, 0);
95f81a
+				return -1;
95f81a
+			}
95f81a
+			if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
95f81a
+				Debug( LDAP_DEBUG_ANY,
95f81a
+				       "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
95f81a
+				       0, 0, 0);
95f81a
+				return -1;
95f81a
+			} else {
95f81a
+				Debug( LDAP_DEBUG_ANY,
95f81a
+				       "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
95f81a
+				       selected_range.min, selected_range.max, 0);
95f81a
+			}
95f81a
+		}
95f81a
+	}
95f81a
 
95f81a
 	if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
95f81a
  		Debug( LDAP_DEBUG_ANY,