openldap/openldap-nss-protocol-version-new-api.patch

72 lines
2.9 KiB
Diff
Raw Normal View History

Implement new API for setting TLS protocol version.
The code being deleted has been misplaced and it's effect has been
mangled by a code later on. This patch puts the code at the correct
place and introduces some more logging and error checking.
Author: Matus Honek <mhonek@redhat.com>
RHBZ: #1375432
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
0, 0, 0 );
return -1;
}
+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
+ SSLVersionRange supported_range, default_range, selected_range;
+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
+ supported_range.min, supported_range.max, 0);
+ }
+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
+ default_range.min, default_range.max, 0);
+ }
+ selected_range.min = lt->lt_protocol_min;
+ selected_range.max = default_range.max;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: TLS configured protocol minimal version is %#04x, the maximal version (the NSS default) is %#04x.\n",
+ selected_range.min, selected_range.max, 0);
+ if ( (selected_range.min > supported_range.max) ||
+ (selected_range.max < supported_range.min) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
+ 0, 0, 0);
+ return -1;
+ }
+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
+ selected_range.min, selected_range.max, 0);
+ }
+ }
+ }
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
Debug( LDAP_DEBUG_ANY,