enhancement: support TLSv1 and later (#1160466)

2014-11-14 09:46:06 +01:00 · 2014-11-14 09:46:06 +01:00 · 4b2abac9db
commit 4b2abac9db
parent 90f2044e56
2 changed files with 61 additions and 1 deletions
--- a/openldap-support-tlsv1-and-later.patch
+++ b/openldap-support-tlsv1-and-later.patch
@ -0,0 +1,54 @@
+Support TLSv1 and later.
+
+Author: Mark Reynolds <mreynolds@redhat.com>
+Backported-by: Jan Synacek <jsynacek@redhat.com>
+Upstream ITS: #7979
+Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
+
+--- openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:02:39.489493061 +0100
+++ openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:23:07.239463097 +0100
+@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
+ 	case SSL_ERROR_BAD_CERT_DOMAIN:
+ 		break;
+ 	default:
+-		success = SECFailure;
+ 		success = SECFailure;
+ 		break;
+ 	}
+ 
+@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
+ 	NSSInitContext *initctx = NULL;
+ 	PK11SlotInfo *certdb_slot = NULL;
+ #endif
+	SSLVersionRange range;
+	SSLProtocolVariant variant;
+ 	SECStatus rc;
+ 	int done = 0;
+ 
+@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
+ 			}
+ 		}
+ 
+		/*
+		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
+		 *
+		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+		 */
+		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+		variant = ssl_variant_stream;
+		SSL_VersionRangeSetDefault(variant, &range);
+
+ 		NSS_SetDomesticPolicy();
+ 
+ 		PK11_SetPasswordFunc( tlsm_pin_prompt );
+--- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/include/ldap.h	2014-11-14 09:25:54.560801030 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
+ 
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH			0x6100
--- a/openldap.spec
+++ b/openldap.spec
@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.40
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -46,6 +46,8 @@ Patch16: openldap-nss-pk11-freeslot.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
+# TLSv1 support, already included upstream
+Patch21: openldap-support-tlsv1-and-later.patch

 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@ -161,6 +163,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch16 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1

 %patch102 -p1

@ -573,6 +576,9 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
 * Mon Oct  6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
 - new upstream release (#1147877)