Setting olcTLSProtocolMin does not change supported protocols
Resolves: #1375432
This commit is contained in:
parent
17f248ddeb
commit
9e30b985ea
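--- /dev/null
+++ b/openldap-nss-protocol-version-new-api.patch
@@ -0,0 +1,88 @@
+Implement new API for setting TLS protocol version.
+
+The code being deleted has been misplaced and it's effect has been
+mangled by a code later on. This patch puts the code at the correct
+place and introduces some more logging and error checking.
+
+Author: Matus Honek <mhonek@redhat.com>
+RHBZ: #1375432
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
+}
+}
+
+- /*
+- * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+- *
+- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+- */
+- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+- variant = ssl_variant_stream;
+- SSL_VersionRangeSetDefault(variant, &range);
+-
+NSS_SetDomesticPolicy();
+
+PK11_SetPasswordFunc( tlsm_pin_prompt );
+@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
+0, 0, 0 );
+return -1;
+}
++ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
++ SSLVersionRange supported_range, default_range, selected_range;
++ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
++ supported_range.min, supported_range.max, 0);
++ }
++ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
++ default_range.min, default_range.max, 0);
++ }
++ selected_range.min = lt->lt_protocol_min;
++ selected_range.max = supported_range.max;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: TLS configured protocol minimal version is %#04x.\n",
++ selected_range.min, selected_range.max, 0);
++ if ( (selected_range.min > supported_range.max) ||
++ (selected_range.max < supported_range.min) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
++ 0, 0, 0);
++ return -1;
++ }
++ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
++ selected_range.min, selected_range.max, 0);
++ }
++ }
++ }
+
+if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
+Debug( LDAP_DEBUG_ANY,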
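Review bot: The range check added in tlsm_deferred_ctx_init only rejects a configured minimum above NSS's supported maximum; its second clause `selected_range.max < supported_range.min` can never be true because selected_range.max was assigned supported_range.max two lines earlier, and a minimum below supported_range.min (for example olcTLSProtocolMin set to SSL3 on an NSS built without SSLv3) is not caught by this test and instead surfaces as the generic "could not set protocol version range" failure from SSL_VersionRangeSet. Tightening the test to `if ( selected_range.min < supported_range.min || selected_range.min > supported_range.max )` and printing selected_range.min together with supported_range.min and supported_range.max in that error line keeps the fail-closed behaviour but makes it diagnosable. The branch is also skipped entirely when lt_protocol_min is set but below LDAP_OPT_X_TLS_PROTOCOL_SSL3 (presumably the SSL2 constant), leaving the NSS default range in force with no log line, so a one-line Debug in that case would tell the administrator the setting was ignored. The three "info" messages are emitted at LDAP_DEBUG_ANY, which as far as I can tell prints regardless of the configured debug level, so LDAP_DEBUG_TRACE looks like the intended level for them. tlsm_deferred_ctx_init starts and ends outside the hunk, and whether the range set on tc_model propagates to sockets later derived from that model cannot be confirmed from what is shown.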
@ -5,7 +5,7 @@
Name: openldap
Name: openldap
Version: 2.4.44
Version: 2.4.44
Release: 2%{?dist}
Release: 3%{?dist}
Summary: LDAP support libraries
Summary: LDAP support libraries
Group: System Environment/Daemons
Group: System Environment/Daemons
License: OpenLDAP
License: OpenLDAP
@ -541,6 +541,10 @@ exit 0
%{_mandir}/man3/*
%{_mandir}/man3/*
%changelog
%changelog
* Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
- fix: slapd should start after network-online.service (#1336487)
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
- Perl 5.24 rebuild
- Perl 5.24 rebuild