parent
671ba8f100
commit
a33df4e168
@ -1,49 +0,0 @@
|
|||||||
Use pkg-config for Mozilla NSS library detection
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
configure.in | 22 +++++-----------------
|
|
||||||
1 file changed, 5 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure.in b/configure.in
|
|
||||||
index ecffe30..2a9cfb4 100644
|
|
||||||
--- a/configure.in
|
|
||||||
+++ b/configure.in
|
|
||||||
@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
|
|
||||||
-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
|
|
||||||
-dnl are not in the default system location
|
|
||||||
if test $ol_link_tls = no ; then
|
|
||||||
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
|
|
||||||
- have_moznss=no
|
|
||||||
- AC_CHECK_HEADERS([nssutil.h])
|
|
||||||
- if test "$ac_cv_header_nssutil_h" = yes ; then
|
|
||||||
- AC_CHECK_LIB([nss3], [NSS_Initialize],
|
|
||||||
- [ have_moznss=yes ], [ have_moznss=no ])
|
|
||||||
- fi
|
|
||||||
+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
|
|
||||||
|
|
||||||
- if test "$have_moznss" = yes ; then
|
|
||||||
+ if test $have_moznss = yes ; then
|
|
||||||
ol_with_tls=moznss
|
|
||||||
ol_link_tls=yes
|
|
||||||
- AC_DEFINE(HAVE_MOZNSS, 1,
|
|
||||||
- [define if you have MozNSS])
|
|
||||||
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
|
|
||||||
- else
|
|
||||||
- if test $ol_with_tls = moznss ; then
|
|
||||||
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
|
|
||||||
- fi
|
|
||||||
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
|
|
||||||
+ TLS_LIBS="$MOZNSS_LIBS"
|
|
||||||
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
--
|
|
||||||
1.7.11.7
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
Upstream ITS: #7568
|
|
||||||
|
|
||||||
From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jan Synacek <jsynacek@redhat.com>
|
|
||||||
Date: Tue, 9 Apr 2013 12:41:38 +0200
|
|
||||||
Subject: [PATCH 1/2] Fix typos in ldap.conf.5
|
|
||||||
|
|
||||||
---
|
|
||||||
doc/man/man5/ldap.conf.5 | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
|
|
||||||
index cfde143..8f7fecd 100644
|
|
||||||
--- a/doc/man/man5/ldap.conf.5
|
|
||||||
+++ b/doc/man/man5/ldap.conf.5
|
|
||||||
@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
|
|
||||||
should be used. The default is off.
|
|
||||||
.TP
|
|
||||||
.B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
|
|
||||||
-Specifies if GSSAPI based authentification should try to form the
|
|
||||||
+Specifies if GSSAPI based authentication should try to form the
|
|
||||||
target principal name out of the ldapServiceName or dnsHostName
|
|
||||||
attribute of the targets RootDSE entry. The default is off.
|
|
||||||
.SH TLS OPTIONS
|
|
||||||
@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully.
|
|
||||||
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
|
|
||||||
the password for the key for the certificate specified with TLS_CERT. The
|
|
||||||
modutil command can be used to turn off password protection for the cert/key
|
|
||||||
-database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
|
|
||||||
+database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
|
|
||||||
the location of the cert/key database, use modutil to change the password
|
|
||||||
to the empty string:
|
|
||||||
.nf
|
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
Upstream ITS: #7568
|
|
||||||
|
|
||||||
From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jan Synacek <jsynacek@redhat.com>
|
|
||||||
Date: Tue, 9 Apr 2013 12:42:31 +0200
|
|
||||||
Subject: [PATCH 2/2] Add -Q to slaptest's help
|
|
||||||
|
|
||||||
---
|
|
||||||
servers/slapd/slapcommon.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
|
|
||||||
index 714e2bc..153310f 100644
|
|
||||||
--- a/servers/slapd/slapcommon.c
|
|
||||||
+++ b/servers/slapd/slapcommon.c
|
|
||||||
@@ -92,7 +92,7 @@ usage( int tool, const char *progname )
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SLAPTEST:
|
|
||||||
- options = " [-n databasenumber] [-u]\n";
|
|
||||||
+ options = " [-n databasenumber] [-u] [-Q]\n";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SLAPSCHEMA:
|
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jan Synacek <jsynacek@redhat.com>
|
|
||||||
Date: Wed, 29 May 2013 10:21:40 +0200
|
|
||||||
Subject: [PATCH] Fix loglevel2bvarray
|
|
||||||
|
|
||||||
---
|
|
||||||
servers/slapd/bconfig.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
|
|
||||||
index 4e1f1b5..def6daf 100644
|
|
||||||
--- a/servers/slapd/bconfig.c
|
|
||||||
+++ b/servers/slapd/bconfig.c
|
|
||||||
@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva )
|
|
||||||
loglevel_init();
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ( l == 0 ) {
|
|
||||||
+ return value_add_one( bva, ber_bvstr( "0" ) );
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return mask_to_verbs( loglevel_ops, l, bva );
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
@ -1,47 +0,0 @@
|
|||||||
Accept nss certificate name in the form of tokenname:certnickname
|
|
||||||
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Upstream ITS: #7360
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 5022efb..7377bb1 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* returns true if the given string looks like
|
|
||||||
+ "tokenname" ":" "certnickname"
|
|
||||||
+ This is true if there is a ':' colon character
|
|
||||||
+ in the string and the colon is not the first
|
|
||||||
+ or the last character in the string
|
|
||||||
+*/
|
|
||||||
+static int
|
|
||||||
+tlsm_is_tokenname_certnick( const char *certfile )
|
|
||||||
+{
|
|
||||||
+ if ( certfile ) {
|
|
||||||
+ const char *ptr = PL_strchr( certfile, ':' );
|
|
||||||
+ return ptr && (ptr != certfile) && (*(ptr+1));
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
tlsm_deferred_ctx_init( void *arg )
|
|
||||||
{
|
|
||||||
@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
} else {
|
|
||||||
char *tmp_certname;
|
|
||||||
|
|
||||||
- if (ctx->tc_certdb_slot) {
|
|
||||||
+ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
|
|
||||||
+ /* assume already in form tokenname:certnickname */
|
|
||||||
+ tmp_certname = PL_strdup(lt->lt_certfile);
|
|
||||||
+ } else if (ctx->tc_certdb_slot) {
|
|
||||||
tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile);
|
|
||||||
} else {
|
|
||||||
tmp_certname = PR_smprintf("%s", lt->lt_certfile);
|
|
||||||
--
|
|
||||||
1.7.11.4
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
MozNSS: load certificates from certdb, fallback to PEM
|
|
||||||
|
|
||||||
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
|
|
||||||
certificate database, the backend assumed that the certificate is always
|
|
||||||
located in the certificate database. This assumption might be wrong.
|
|
||||||
|
|
||||||
This patch makes the library to try to load the certificate from NSS
|
|
||||||
database and fallback to PEM file if unsuccessfull.
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7389
|
|
||||||
Resolves: #857455
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 6847bea..8339391 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
|
|
||||||
/* prefer unlocked key, then key from opened certdb, then any other */
|
|
||||||
if ( unlocked_key )
|
|
||||||
ctx->tc_private_key = unlocked_key;
|
|
||||||
- else if ( ctx->tc_certdb_slot )
|
|
||||||
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
|
|
||||||
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
|
|
||||||
else
|
|
||||||
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
|
|
||||||
@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- ctx->tc_using_pem = PR_TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
NSS_SetDomesticPolicy();
|
|
||||||
@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
|
|
||||||
/* set up our cert and key, if any */
|
|
||||||
if ( lt->lt_certfile ) {
|
|
||||||
- /* if using the PEM module, load the PEM file specified by lt_certfile */
|
|
||||||
- /* otherwise, assume this is the name of a cert already in the db */
|
|
||||||
- if ( ctx->tc_using_pem ) {
|
|
||||||
- /* this sets ctx->tc_certificate to the correct value */
|
|
||||||
- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
|
|
||||||
- if ( rc ) {
|
|
||||||
- return rc;
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
+
|
|
||||||
+ /* first search in certdb (lt_certfile is nickname) */
|
|
||||||
+ if ( ctx->tc_certdb ) {
|
|
||||||
char *tmp_certname;
|
|
||||||
|
|
||||||
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
|
|
||||||
@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
|
|
||||||
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* fallback to PEM module (lt_certfile is filename) */
|
|
||||||
+ if ( !ctx->tc_certificate ) {
|
|
||||||
+ if ( !pem_module && tlsm_init_pem_module() ) {
|
|
||||||
+ int pem_errcode = PORT_GetError();
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
|
|
||||||
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* this sets ctx->tc_certificate to the correct value */
|
|
||||||
+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
|
|
||||||
+ ctx->tc_using_pem = PR_TRUE;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ( ctx->tc_certificate ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
|
|
||||||
+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
|
|
||||||
+ } else {
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,95 +0,0 @@
|
|||||||
Update MozNSS cipher attributes definitions
|
|
||||||
|
|
||||||
Author: Matus Honek <mhonek@redhat.com>
|
|
||||||
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -210,27 +210,44 @@ typedef struct {
|
|
||||||
int num; /* The cipher id */
|
|
||||||
int attr; /* cipher attributes: algorithms, etc */
|
|
||||||
int version; /* protocol version valid for this cipher */
|
|
||||||
- int bits; /* bits of strength */
|
|
||||||
- int alg_bits; /* bits of the algorithm */
|
|
||||||
int strength; /* LOW, MEDIUM, HIGH */
|
|
||||||
int enabled; /* Enabled by default? */
|
|
||||||
} cipher_properties;
|
|
||||||
|
|
||||||
/* cipher attributes */
|
|
||||||
-#define SSL_kRSA 0x00000001L
|
|
||||||
-#define SSL_aRSA 0x00000002L
|
|
||||||
-#define SSL_aDSS 0x00000004L
|
|
||||||
-#define SSL_DSS SSL_aDSS
|
|
||||||
-#define SSL_eNULL 0x00000008L
|
|
||||||
-#define SSL_DES 0x00000010L
|
|
||||||
-#define SSL_3DES 0x00000020L
|
|
||||||
-#define SSL_RC4 0x00000040L
|
|
||||||
-#define SSL_RC2 0x00000080L
|
|
||||||
-#define SSL_AES 0x00000100L
|
|
||||||
-#define SSL_MD5 0x00000200L
|
|
||||||
-#define SSL_SHA1 0x00000400L
|
|
||||||
-#define SSL_SHA SSL_SHA1
|
|
||||||
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
|
||||||
+#define SSL_kRSA 0x00000001L
|
|
||||||
+#define SSL_aRSA 0x00000002L
|
|
||||||
+#define SSL_aDSA 0x00000004L
|
|
||||||
+#define SSL_DSA SSL_aDSA
|
|
||||||
+#define SSL_eNULL 0x00000008L
|
|
||||||
+#define SSL_DES 0x00000010L
|
|
||||||
+#define SSL_3DES 0x00000020L
|
|
||||||
+#define SSL_RC4 0x00000040L
|
|
||||||
+#define SSL_RC2 0x00000080L
|
|
||||||
+#define SSL_AES128 0x00000100L
|
|
||||||
+#define SSL_AES256 0x00000200L
|
|
||||||
+#define SSL_MD5 0x00000400L
|
|
||||||
+#define SSL_SHA1 0x00000800L
|
|
||||||
+#define SSL_kEDH 0x00001000L
|
|
||||||
+#define SSL_CAMELLIA128 0x00002000L
|
|
||||||
+#define SSL_CAMELLIA256 0x00004000L
|
|
||||||
+#define SSL_SEED 0x00008000L
|
|
||||||
+#define SSL_kECDH 0x00010000L
|
|
||||||
+#define SSL_kECDHE 0x00020000L
|
|
||||||
+#define SSL_aECDSA 0x00040000L
|
|
||||||
+#define SSL_SHA256 0x00080000L
|
|
||||||
+#define SSL_SHA384 0x00100000L
|
|
||||||
+#define SSL_kEECDH 0x00200000L
|
|
||||||
+#define SSL_AESGCM 0x00400000L
|
|
||||||
+#define SSL_AEAD 0x00800000L
|
|
||||||
+#define SSL_aPSK 0x01000000L
|
|
||||||
+#define SSL_CHACHA20POLY1305 0x02000000L
|
|
||||||
+
|
|
||||||
+/* cipher attributes non-unique - do not use for definitions */
|
|
||||||
+#define SSL_RSA 0x00000001L
|
|
||||||
+#define SSL_AES 0x00000002L
|
|
||||||
+#define SSL_CAMELLIA 0x00000004L
|
|
||||||
+#define SSL_ECDH 0x00000008L
|
|
||||||
|
|
||||||
/* cipher strength */
|
|
||||||
#define SSL_NULL 0x00000001L
|
|
||||||
@@ -240,10 +257,15 @@ typedef struct {
|
|
||||||
#define SSL_MEDIUM 0x00000010L
|
|
||||||
#define SSL_HIGH 0x00000020L
|
|
||||||
|
|
||||||
+/* cipher strengths non-unique - do not use for definitions */
|
|
||||||
+#define SSL_EXPORT 0x00000001L
|
|
||||||
+
|
|
||||||
#define SSL2 0x00000001L
|
|
||||||
#define SSL3 0x00000002L
|
|
||||||
/* OpenSSL treats SSL3 and TLSv1 the same */
|
|
||||||
#define TLS1 SSL3
|
|
||||||
+#define TLS1_2 0x00000004L
|
|
||||||
+#define TLS1_3 0x00000008L
|
|
||||||
|
|
||||||
/* Cipher translation */
|
|
||||||
static cipher_properties ciphers_def[] = {
|
|
||||||
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
|
||||||
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
|
|
||||||
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
|
||||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
|
||||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
|
||||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
|
||||||
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
|
||||||
|
|
||||||
/* OpenLDAP SASL options */
|
|
||||||
#define LDAP_OPT_X_SASL_MECH 0x6100
|
|
@ -1,139 +0,0 @@
|
|||||||
Update MozNSS definitions of ciphers
|
|
||||||
|
|
||||||
Author: Matus Honek <mhonek@redhat.com>
|
|
||||||
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -268,29 +268,109 @@ typedef struct {
|
|
||||||
|
|
||||||
/* Cipher translation */
|
|
||||||
static cipher_properties ciphers_def[] = {
|
|
||||||
- /* SSL 2 ciphers */
|
|
||||||
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
|
||||||
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
||||||
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
||||||
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
|
|
||||||
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
||||||
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
||||||
-
|
|
||||||
- /* SSL3 ciphers */
|
|
||||||
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
||||||
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
||||||
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
|
||||||
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
|
|
||||||
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
||||||
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
|
|
||||||
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
|
||||||
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
|
||||||
+
|
|
||||||
+ /* SSLv2 ciphers */
|
|
||||||
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
|
|
||||||
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
|
|
||||||
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
|
|
||||||
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
|
|
||||||
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
|
|
||||||
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
|
|
||||||
+
|
|
||||||
+ /* SSLv3 ciphers */
|
|
||||||
+ {"NULL-MD5", TLS_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_MD5 */
|
|
||||||
+ {"NULL-SHA", TLS_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_SHA */
|
|
||||||
+ {"DES-CBC-SHA", TLS_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_RSA_WITH_DES_CBC_SHA */
|
|
||||||
+ {"DES-CBC3-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
||||||
+ {"RC4-MD5", TLS_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM}, /* SSL_RSA_WITH_RC4_128_MD5 */
|
|
||||||
+ {"RC4-SHA", TLS_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM}, /* SSL_RSA_WITH_RC4_128_SHA */
|
|
||||||
+ {"EXP-RC2-CBC-MD5", TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40}, /* SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
|
|
||||||
+ {"EXP-RC4-MD5", TLS_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40}, /* SSL_RSA_EXPORT_WITH_RC4_40_MD5 */
|
|
||||||
+ {"EDH-RSA-DES-CBC-SHA", TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_DHE_RSA_WITH_DES_CBC_SHA */
|
|
||||||
+ {"EDH-RSA-DES-CBC3-SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
||||||
+ {"EDH-DSS-DES-CBC-SHA", TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_DHE_DSS_WITH_DES_CBC_SHA */
|
|
||||||
+ {"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
|
|
||||||
|
|
||||||
/* TLSv1 ciphers */
|
|
||||||
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
|
||||||
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
|
||||||
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
|
|
||||||
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
|
|
||||||
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
|
|
||||||
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
|
|
||||||
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
||||||
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
||||||
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
||||||
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
||||||
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
||||||
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ // Ciphers commented out are not in NSS yet.
|
|
||||||
+
|
|
||||||
+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
|
|
||||||
+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"AES256-GCM-SHA384", 0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-RSA-AES256-GCM-SHA384", 0x009f /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"DHE-DSS-AES128-GCM-SHA256", 0x00a3 /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ //{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", 0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES256-GCM-SHA384", 0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-ECDSA-AES256-SHA384", 0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-RSA-AES256-SHA384", 0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ {"ECDHE-PSK-AES128-GCM-SHA256", 0xd001 /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */, SSL_kECDHE|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-PSK-CHACHA20-POLY1305", 0xccac /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"ECDHE-PSK-AES256-GCM-SHA384", 0xd002 /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"", 0x00aa /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */, SSL_kEDH|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"", 0xccad /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ {"", 0x00ab /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ //{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ //{"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+ //{"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
||||||
+
|
|
||||||
+ // TLSv1.3
|
|
||||||
+ {"TLS13-AES-128-GCM-SHA256", 0x1301 /* TLS_AES_128_GCM_SHA256 */, SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
|
|
||||||
+ {"TLS13-AES-256-GCM-SHA384", 0x1302 /* TLS_AES_256_GCM_SHA384 */, SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
|
|
||||||
+ {"TLS13-CHACHA20-POLY1305-SHA256", 0x1303 /* TLS_CHACHA20_POLY1305_SHA256 */, SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_3, SSL_HIGH},
|
|
||||||
};
|
|
||||||
|
|
||||||
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
|
|
@ -1,196 +0,0 @@
|
|||||||
Update MozNSS OpenSSL-like parsing code
|
|
||||||
|
|
||||||
Author: Matus Honek <mhonek@redhat.com>
|
|
||||||
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -617,10 +617,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
while ((*cipher) && (isspace(*cipher)))
|
|
||||||
++cipher;
|
|
||||||
|
|
||||||
- action = 1;
|
|
||||||
switch(*cipher) {
|
|
||||||
- case '+': /* Add something */
|
|
||||||
- action = 1;
|
|
||||||
+ case '+': /* Do nothig. NSS does not support ordering. */
|
|
||||||
+ Debug( LDAP_DEBUG_ARGS,
|
|
||||||
+ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n",
|
|
||||||
+ 0, 0, 0 );
|
|
||||||
+ action = 2;
|
|
||||||
cipher++;
|
|
||||||
break;
|
|
||||||
case '-': /* Subtract something */
|
|
||||||
@@ -631,8 +633,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
action = -1;
|
|
||||||
cipher++;
|
|
||||||
break;
|
|
||||||
- default:
|
|
||||||
- /* do nothing */
|
|
||||||
+ default: /* Add something */
|
|
||||||
+ action = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -666,7 +668,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
int mask = 0;
|
|
||||||
+ int multi_mask = 0;
|
|
||||||
+ int negative_mask = 0;
|
|
||||||
int strength = 0;
|
|
||||||
+ int multi_strength = 0;
|
|
||||||
int protocol = 0;
|
|
||||||
char *c;
|
|
||||||
|
|
||||||
@@ -677,12 +682,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
*c++ = '\0';
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!strcmp(cipher, "RSA")) {
|
|
||||||
- mask |= SSL_RSA;
|
|
||||||
+ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
|
|
||||||
+ mask |= SSL_kRSA;
|
|
||||||
+ } else if (!strcmp(cipher, "aRSA")) {
|
|
||||||
+ mask |= SSL_aRSA;
|
|
||||||
+ negative_mask |= SSL_kECDH;
|
|
||||||
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
|
|
||||||
mask |= SSL_eNULL;
|
|
||||||
+ } else if (!strcmp(cipher, "AES128")) {
|
|
||||||
+ mask |= SSL_AES128;
|
|
||||||
+ } else if (!strcmp(cipher, "AES256")) {
|
|
||||||
+ mask |= SSL_AES256;
|
|
||||||
+ } else if (!strcmp(cipher, "AESGCM")) {
|
|
||||||
+ mask |= SSL_AESGCM;
|
|
||||||
} else if (!strcmp(cipher, "AES")) {
|
|
||||||
- mask |= SSL_AES;
|
|
||||||
+ multi_mask |= SSL_AES;
|
|
||||||
} else if (!strcmp(cipher, "3DES")) {
|
|
||||||
mask |= SSL_3DES;
|
|
||||||
} else if (!strcmp(cipher, "DES")) {
|
|
||||||
@@ -693,26 +707,69 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
mask |= SSL_RC2;
|
|
||||||
} else if (!strcmp(cipher, "MD5")) {
|
|
||||||
mask |= SSL_MD5;
|
|
||||||
+ } else if (!strcmp(cipher, "SHA256")) {
|
|
||||||
+ mask |= SSL_SHA256;
|
|
||||||
+ } else if (!strcmp(cipher, "SHA384")) {
|
|
||||||
+ mask |= SSL_SHA384;
|
|
||||||
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
|
|
||||||
mask |= SSL_SHA1;
|
|
||||||
+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
|
|
||||||
+ mask |= SSL_kEDH;
|
|
||||||
+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
|
|
||||||
+ mask |= SSL_aDSA;
|
|
||||||
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
|
|
||||||
+ mask |= SSL_CAMELLIA128;
|
|
||||||
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
|
|
||||||
+ mask |= SSL_CAMELLIA256;
|
|
||||||
+ } else if (!strcmp(cipher, "CAMELLIA")) {
|
|
||||||
+ multi_mask |= SSL_CAMELLIA;
|
|
||||||
+ } else if (!strcmp(cipher, "SEED")) {
|
|
||||||
+ mask |= SSL_SEED;
|
|
||||||
+ } else if (!strcmp(cipher, "kECDHe")) {
|
|
||||||
+ mask |= SSL_kECDH|SSL_aECDSA;
|
|
||||||
+ } else if (!strcmp(cipher, "kECDHr")) {
|
|
||||||
+ mask |= SSL_kECDH|SSL_aRSA;
|
|
||||||
+ } else if (!strcmp(cipher, "kECDH")) {
|
|
||||||
+ mask |= SSL_kECDH;
|
|
||||||
+ } else if (!strcmp(cipher, "aECDH")) {
|
|
||||||
+ mask |= SSL_kECDH;
|
|
||||||
+ } else if (!strcmp(cipher, "EECDH")) {
|
|
||||||
+ mask |= SSL_kECDHE;
|
|
||||||
+ } else if (!strcmp(cipher, "kEECDH")) {
|
|
||||||
+ mask |= SSL_kECDHE;
|
|
||||||
+ } else if (!strcmp(cipher, "ECDHE")) {
|
|
||||||
+ mask |= SSL_kECDHE;
|
|
||||||
+ } else if (!strcmp(cipher, "ECDH")) {
|
|
||||||
+ multi_mask |= SSL_ECDH;
|
|
||||||
+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
|
|
||||||
+ mask |= SSL_aECDSA;
|
|
||||||
+ negative_mask |= SSL_kECDH;
|
|
||||||
+ } else if (!strcmp(cipher, "PSK")) {
|
|
||||||
+ mask |= SSL_aPSK;
|
|
||||||
+ } else if (!strcmp(cipher, "CHACHA20POLY1305")) {
|
|
||||||
+ mask |= SSL_CHACHA20POLY1305;
|
|
||||||
} else if (!strcmp(cipher, "SSLv2")) {
|
|
||||||
protocol |= SSL2;
|
|
||||||
} else if (!strcmp(cipher, "SSLv3")) {
|
|
||||||
protocol |= SSL3;
|
|
||||||
} else if (!strcmp(cipher, "TLSv1")) {
|
|
||||||
protocol |= TLS1;
|
|
||||||
+ } else if (!strcmp(cipher, "TLSv1.2")) {
|
|
||||||
+ protocol |= TLS1_2;
|
|
||||||
+ } else if (!strcmp(cipher, "TLSv1.3")) {
|
|
||||||
+ protocol |= TLS1_3;
|
|
||||||
} else if (!strcmp(cipher, "HIGH")) {
|
|
||||||
strength |= SSL_HIGH;
|
|
||||||
} else if (!strcmp(cipher, "MEDIUM")) {
|
|
||||||
strength |= SSL_MEDIUM;
|
|
||||||
} else if (!strcmp(cipher, "LOW")) {
|
|
||||||
strength |= SSL_LOW;
|
|
||||||
- } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
|
|
||||||
- strength |= SSL_EXPORT40|SSL_EXPORT56;
|
|
||||||
} else if (!strcmp(cipher, "EXPORT40")) {
|
|
||||||
strength |= SSL_EXPORT40;
|
|
||||||
} else if (!strcmp(cipher, "EXPORT56")) {
|
|
||||||
strength |= SSL_EXPORT56;
|
|
||||||
+ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
|
|
||||||
+ multi_strength |= SSL_EXPORT;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (c)
|
|
||||||
@@ -720,23 +775,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
|
|
||||||
} /* while */
|
|
||||||
|
|
||||||
+ /* NSS does not support ordering */
|
|
||||||
+ if (action == 2)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
/* If we have a mask, apply it. If not then perhaps they provided
|
|
||||||
* a specific cipher to enable.
|
|
||||||
+ * if more than one mask is provided then AND logic applies (to match openssl)
|
|
||||||
*/
|
|
||||||
- if (mask || strength || protocol) {
|
|
||||||
+ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) {
|
|
||||||
for (i=0; i<ciphernum; i++) {
|
|
||||||
- if (((ciphers_def[i].attr & mask) ||
|
|
||||||
- (ciphers_def[i].strength & strength) ||
|
|
||||||
- (ciphers_def[i].version & protocol)) &&
|
|
||||||
- (cipher_list[i] != -1)) {
|
|
||||||
- /* Enable the NULL ciphers only if explicity
|
|
||||||
- * requested */
|
|
||||||
- if (ciphers_def[i].attr & SSL_eNULL) {
|
|
||||||
- if (mask & SSL_eNULL)
|
|
||||||
- cipher_list[i] = action;
|
|
||||||
- } else
|
|
||||||
- cipher_list[i] = action;
|
|
||||||
- }
|
|
||||||
+ if ( cipher_list[i] == -1 )
|
|
||||||
+ continue;
|
|
||||||
+ if ( mask != (ciphers_def[i].attr & mask) )
|
|
||||||
+ continue;
|
|
||||||
+ if ( strength != (ciphers_def[i].strength & strength) )
|
|
||||||
+ continue;
|
|
||||||
+ if ( protocol != (ciphers_def[i].version & protocol) )
|
|
||||||
+ continue;
|
|
||||||
+ if ((multi_mask & SSL_AES) &&
|
|
||||||
+ !(ciphers_def[i].attr & (SSL_AES128|SSL_AES256|SSL_AESGCM)))
|
|
||||||
+ continue;
|
|
||||||
+ if ((multi_mask & SSL_ECDH) &&
|
|
||||||
+ !(ciphers_def[i].attr & (SSL_kECDH|SSL_kECDHE)))
|
|
||||||
+ continue;
|
|
||||||
+ if ((multi_mask & SSL_CAMELLIA) &&
|
|
||||||
+ !(ciphers_def[i].attr & (SSL_CAMELLIA128|SSL_CAMELLIA256)))
|
|
||||||
+ continue;
|
|
||||||
+ if ((multi_strength & SSL_EXPORT) &&
|
|
||||||
+ !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
|
|
||||||
+ continue;
|
|
||||||
+ if ( negative_mask & ciphers_def[i].attr )
|
|
||||||
+ continue;
|
|
||||||
+ cipher_list[i] = action;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
for (i=0; i<ciphernum; i++) {
|
|
@ -1,27 +0,0 @@
|
|||||||
Use what NSS considers default for DEFAULT cipher string.
|
|
||||||
|
|
||||||
Author: Matus Honek <mhonek@redhat.com>
|
|
||||||
Resolves: #1387868
|
|
||||||
Backports: #1245279 #1300701
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
||||||
}
|
|
||||||
} else if (!strcmp(cipher, "DEFAULT")) {
|
|
||||||
for (i=0; i<ciphernum; i++) {
|
|
||||||
- cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
|
|
||||||
+ PRBool enabled;
|
|
||||||
+ if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
|
|
||||||
+ if (!(ciphers_def[i].attr & SSL_eNULL)) {
|
|
||||||
+ cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
|
|
||||||
+ } else {
|
|
||||||
+ cipher_list[i] = -1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ cipher_list[i] = -1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
int mask = 0;
|
|
@ -1,34 +0,0 @@
|
|||||||
MozNSS: default cipher suite always selected
|
|
||||||
|
|
||||||
Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
|
|
||||||
Upstream ITS: #7285
|
|
||||||
Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
|
|
||||||
Resolves: #828790
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 23d843c..b608551 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ( lt->lt_ciphersuite &&
|
|
||||||
- tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
|
|
||||||
- Debug( LDAP_DEBUG_ANY,
|
|
||||||
- "TLS: could not set cipher list %s.\n",
|
|
||||||
- lt->lt_ciphersuite, 0, 0 );
|
|
||||||
- return -1;
|
|
||||||
+ if ( lt->lt_ciphersuite ) {
|
|
||||||
+ if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: could not set cipher list %s.\n",
|
|
||||||
+ lt->lt_ciphersuite, 0, 0 );
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: could not set cipher list DEFAULT.\n",
|
|
||||||
--
|
|
||||||
1.7.10.4
|
|
||||||
|
|
@ -1,47 +0,0 @@
|
|||||||
MozNSS: ignore certdb database type prefix when checking existence of the directory
|
|
||||||
|
|
||||||
If the certdb is specified including the database type prefix (e.g.
|
|
||||||
sql:, dbm:), the prefix has to be ignored when checking the
|
|
||||||
certificate directory existence.
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7388
|
|
||||||
Resolves: #857373
|
|
||||||
|
|
||||||
---
|
|
||||||
libraries/libldap/tls_m.c | 11 ++++++++++-
|
|
||||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 49a3f8f..5ee21a2 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
|
|
||||||
{
|
|
||||||
char sep = PR_GetDirectorySeparator();
|
|
||||||
char *ptr = NULL;
|
|
||||||
+ char *chkpath = NULL;
|
|
||||||
struct PRFileInfo prfi;
|
|
||||||
PRStatus prc;
|
|
||||||
|
|
||||||
@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
- prc = PR_GetFileInfo( certdir, &prfi );
|
|
||||||
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
|
|
||||||
+ chkpath = strchr( certdir, ':' );
|
|
||||||
+ if ( chkpath != NULL ) {
|
|
||||||
+ chkpath += 1;
|
|
||||||
+ } else {
|
|
||||||
+ chkpath = certdir;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* if certdir exists (file or directory) then it cannot specify a prefix */
|
|
||||||
+ prc = PR_GetFileInfo( chkpath, &prfi );
|
|
||||||
if ( prc == PR_SUCCESS ) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.7.11.7
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,23 +0,0 @@
|
|||||||
Resolves: #929357
|
|
||||||
|
|
||||||
Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Date: Thu, 28 Mar 2013 19:05:02 -0600
|
|
||||||
Modified by: Jan Synacek <jsynacek@redhat.com>
|
|
||||||
|
|
||||||
This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 072d41d..c59d303 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -2151,6 +2151,8 @@
|
|
||||||
"TLS: could not close certdb slot - error %d:%s.\n",
|
|
||||||
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
}
|
|
||||||
+ PK11_FreeSlot( c->tc_certdb_slot );
|
|
||||||
+ c->tc_certdb_slot = NULL;
|
|
||||||
}
|
|
||||||
if ( c->tc_pin_file ) {
|
|
||||||
PL_strfree( c->tc_pin_file );
|
|
||||||
|
|
@ -1,71 +0,0 @@
|
|||||||
Implement new API for setting TLS protocol version.
|
|
||||||
|
|
||||||
The code being deleted has been misplaced and it's effect has been
|
|
||||||
mangled by a code later on. This patch puts the code at the correct
|
|
||||||
place and introduces some more logging and error checking.
|
|
||||||
|
|
||||||
Author: Matus Honek <mhonek@redhat.com>
|
|
||||||
RHBZ: #1375432
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
0, 0, 0 );
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
|
|
||||||
+ SSLVersionRange supported_range, default_range, selected_range;
|
|
||||||
+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
|
|
||||||
+ 0, 0, 0 );
|
|
||||||
+ return -1;
|
|
||||||
+ } else {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
|
|
||||||
+ supported_range.min, supported_range.max, 0);
|
|
||||||
+ }
|
|
||||||
+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
|
|
||||||
+ 0, 0, 0 );
|
|
||||||
+ return -1;
|
|
||||||
+ } else {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
|
|
||||||
+ default_range.min, default_range.max, 0);
|
|
||||||
+ }
|
|
||||||
+ selected_range.min = lt->lt_protocol_min;
|
|
||||||
+ selected_range.max = default_range.max;
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: info: TLS configured protocol minimal version is %#04x, the maximal version (the NSS default) is %#04x.\n",
|
|
||||||
+ selected_range.min, selected_range.max, 0);
|
|
||||||
+ if ( (selected_range.min > supported_range.max) ||
|
|
||||||
+ (selected_range.max < supported_range.min) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
|
|
||||||
+ 0, 0, 0);
|
|
||||||
+ return -1;
|
|
||||||
+ } else {
|
|
||||||
+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
|
|
||||||
+ 0, 0, 0);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
|
|
||||||
+ 0, 0, 0);
|
|
||||||
+ return -1;
|
|
||||||
+ } else {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
|
|
||||||
+ selected_range.min, selected_range.max, 0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
@ -1,91 +0,0 @@
|
|||||||
MozNSS: better file name matching for hashed CA certificate directory
|
|
||||||
|
|
||||||
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
|
|
||||||
should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
|
|
||||||
to differentiate between two certificates with the same subject name.
|
|
||||||
|
|
||||||
Wit this patch, certificate file names are matched correctly (using regular expressions).
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7374
|
|
||||||
Resolves: #852786
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 5e49fc5..61d71d4 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -38,6 +38,7 @@
|
|
||||||
#include <ac/unistd.h>
|
|
||||||
#include <ac/param.h>
|
|
||||||
#include <ac/dirent.h>
|
|
||||||
+#include <ac/regex.h>
|
|
||||||
|
|
||||||
#include "ldap-int.h"
|
|
||||||
#include "ldap-tls.h"
|
|
||||||
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
|
|
||||||
|
|
||||||
#define PEM_LIBRARY "nsspem"
|
|
||||||
#define PEM_MODULE "PEM"
|
|
||||||
-/* hash files for use with cacertdir have this file name suffix */
|
|
||||||
-#define PEM_CA_HASH_FILE_SUFFIX ".0"
|
|
||||||
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
|
|
||||||
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
|
|
||||||
|
|
||||||
static SECMODModule *pem_module;
|
|
||||||
|
|
||||||
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
|
||||||
PRDir *dir;
|
|
||||||
PRDirEntry *entry;
|
|
||||||
PRStatus fistatus = PR_FAILURE;
|
|
||||||
+ regex_t hashfile_re;
|
|
||||||
|
|
||||||
memset( &fi, 0, sizeof(fi) );
|
|
||||||
fistatus = PR_GetFileInfo( cacertdir, &fi );
|
|
||||||
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
do {
|
|
||||||
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
|
|
||||||
if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
|
|
||||||
char *fullpath = NULL;
|
|
||||||
- char *ptr;
|
|
||||||
+ int match;
|
|
||||||
|
|
||||||
- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
|
|
||||||
- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
|
|
||||||
+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
|
|
||||||
+ if ( match == REG_NOMATCH ) {
|
|
||||||
Debug( LDAP_DEBUG_TRACE,
|
|
||||||
- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
|
|
||||||
- "directory file with a properly hashed file name - skipping.\n",
|
|
||||||
- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
|
|
||||||
+ "TLS: skipping '%s' - filename does not have expected format "
|
|
||||||
+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
|
|
||||||
+ continue;
|
|
||||||
+ } else if ( match != 0 ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: cannot execute regex for CA hash file matching (%d).\n",
|
|
||||||
+ match, 0, 0 );
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
|
|
||||||
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
|
|
||||||
Debug( LDAP_DEBUG_TRACE,
|
|
||||||
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
|
||||||
PR_smprintf_free( fullpath );
|
|
||||||
}
|
|
||||||
} while ( NULL != entry );
|
|
||||||
+ regfree ( &hashfile_re );
|
|
||||||
PR_CloseDir( dir );
|
|
||||||
}
|
|
||||||
done:
|
|
||||||
--
|
|
||||||
1.7.11.4
|
|
||||||
|
|
@ -1,92 +0,0 @@
|
|||||||
TLS: do not reuse tls_session if hostname check fails
|
|
||||||
|
|
||||||
If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails,
|
|
||||||
*tls_session is not dropped, but reused when connecting to the second server.
|
|
||||||
|
|
||||||
This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor.
|
|
||||||
From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling.
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7373
|
|
||||||
Resolves: #852476
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
|
||||||
index 10b993b..a3cd590 100644
|
|
||||||
--- a/libraries/libldap/tls2.c
|
|
||||||
+++ b/libraries/libldap/tls2.c
|
|
||||||
@@ -320,7 +320,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc )
|
|
||||||
*/
|
|
||||||
|
|
||||||
static int
|
|
||||||
-ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
|
|
||||||
+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
|
|
||||||
{
|
|
||||||
Sockbuf *sb = conn->lconn_sb;
|
|
||||||
int err;
|
|
||||||
@@ -365,6 +365,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
|
|
||||||
errno = WSAGetLastError();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if ( err == 0 ) {
|
|
||||||
+ err = ldap_pvt_tls_check_hostname( ld, ssl, host );
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ( err < 0 )
|
|
||||||
{
|
|
||||||
char buf[256], *msg;
|
|
||||||
@@ -495,7 +499,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
|
|
||||||
{
|
|
||||||
tls_session *session = s;
|
|
||||||
|
|
||||||
- return tls_imp->ti_session_chkhost( ld, session, name_in );
|
|
||||||
+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
|
|
||||||
+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
|
|
||||||
+ ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in );
|
|
||||||
+ if (ld->ld_errno != LDAP_SUCCESS) {
|
|
||||||
+ return ld->ld_errno;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return LDAP_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
@@ -857,7 +869,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
|
||||||
#endif /* LDAP_USE_NON_BLOCKING_TLS */
|
|
||||||
|
|
||||||
ld->ld_errno = LDAP_SUCCESS;
|
|
||||||
- ret = ldap_int_tls_connect( ld, conn );
|
|
||||||
+ ret = ldap_int_tls_connect( ld, conn, host );
|
|
||||||
|
|
||||||
#ifdef LDAP_USE_NON_BLOCKING_TLS
|
|
||||||
while ( ret > 0 ) { /* this should only happen for non-blocking io */
|
|
||||||
@@ -878,7 +890,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
|
||||||
} else {
|
|
||||||
/* ldap_int_poll called ldap_pvt_ndelay_off */
|
|
||||||
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
|
|
||||||
- ret = ldap_int_tls_connect( ld, conn );
|
|
||||||
+ ret = ldap_int_tls_connect( ld, conn, host );
|
|
||||||
if ( ret > 0 ) { /* need to call tls_connect once more */
|
|
||||||
struct timeval curr_time_tv, delta_tv;
|
|
||||||
|
|
||||||
@@ -935,20 +947,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
|
||||||
return (ld->ld_errno);
|
|
||||||
}
|
|
||||||
|
|
||||||
- ssl = ldap_pvt_tls_sb_ctx( sb );
|
|
||||||
- assert( ssl != NULL );
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * compare host with name(s) in certificate
|
|
||||||
- */
|
|
||||||
- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
|
|
||||||
- ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
|
|
||||||
- ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
|
|
||||||
- if (ld->ld_errno != LDAP_SUCCESS) {
|
|
||||||
- return ld->ld_errno;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
return LDAP_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
1776
openldap-tlsmc.patch
Normal file
1776
openldap-tlsmc.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: openldap
|
Name: openldap
|
||||||
Version: 2.4.45
|
Version: 2.4.45
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: LDAP support libraries
|
Summary: LDAP support libraries
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: OpenLDAP
|
License: OpenLDAP
|
||||||
@ -27,12 +27,6 @@ Patch1: openldap-sql-linking.patch
|
|||||||
Patch2: openldap-reentrant-gethostby.patch
|
Patch2: openldap-reentrant-gethostby.patch
|
||||||
Patch3: openldap-smbk5pwd-overlay.patch
|
Patch3: openldap-smbk5pwd-overlay.patch
|
||||||
Patch5: openldap-ai-addrconfig.patch
|
Patch5: openldap-ai-addrconfig.patch
|
||||||
# nss patches, unlikely to ever get upstreamed
|
|
||||||
Patch12: openldap-tls-no-reuse-of-tls_session.patch
|
|
||||||
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
|
|
||||||
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
|
|
||||||
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
|
|
||||||
Patch16: openldap-nss-pk11-freeslot.patch
|
|
||||||
Patch17: openldap-allop-overlay.patch
|
Patch17: openldap-allop-overlay.patch
|
||||||
|
|
||||||
# fix back_perl problems with lt_dlopen()
|
# fix back_perl problems with lt_dlopen()
|
||||||
@ -42,24 +36,16 @@ Patch17: openldap-allop-overlay.patch
|
|||||||
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
|
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
|
||||||
# ldapi sasl fix pending upstream inclusion
|
# ldapi sasl fix pending upstream inclusion
|
||||||
Patch20: openldap-ldapi-sasl.patch
|
Patch20: openldap-ldapi-sasl.patch
|
||||||
Patch22: openldap-nss-protocol-version-new-api.patch
|
|
||||||
|
|
||||||
Patch50: openldap-nss-cipher-attributes.patch
|
|
||||||
Patch51: openldap-nss-ciphers-parsing.patch
|
|
||||||
Patch52: openldap-nss-ciphers-use-nss-defaults.patch
|
|
||||||
Patch53: openldap-nss-ciphers-definitions.patch
|
|
||||||
|
|
||||||
# check-password module specific patches
|
# check-password module specific patches
|
||||||
Patch90: check-password-makefile.patch
|
Patch90: check-password-makefile.patch
|
||||||
Patch91: check-password.patch
|
Patch91: check-password.patch
|
||||||
|
|
||||||
# Fedora specific patches
|
# MozNSS compatibility layer
|
||||||
Patch100: openldap-autoconf-pkgconfig-nss.patch
|
Patch100: openldap-tlsmc.patch
|
||||||
|
|
||||||
BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
|
BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
|
||||||
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
|
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
|
||||||
# smbk5pwd overlay:
|
|
||||||
BuildRequires: openssl-devel
|
|
||||||
Recommends: nss-tools
|
Recommends: nss-tools
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -126,13 +112,12 @@ programs needed for accessing and modifying OpenLDAP directories.
|
|||||||
|
|
||||||
pushd openldap-%{version}
|
pushd openldap-%{version}
|
||||||
|
|
||||||
# use pkg-config for Mozilla NSS library
|
|
||||||
%patch100 -p1
|
|
||||||
|
|
||||||
# alternative include paths for Mozilla NSS
|
# alternative include paths for Mozilla NSS
|
||||||
ln -s %{_includedir}/nss3 include/nss
|
ln -s %{_includedir}/nss3 include/nss
|
||||||
ln -s %{_includedir}/nspr4 include/nspr
|
ln -s %{_includedir}/nspr4 include/nspr
|
||||||
|
|
||||||
|
%patch100 -p1
|
||||||
|
|
||||||
AUTOMAKE=%{_bindir}/true autoreconf -fi
|
AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||||
|
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
@ -140,20 +125,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
|
|||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch12 -p1
|
|
||||||
%patch13 -p1
|
|
||||||
%patch14 -p1
|
|
||||||
%patch15 -p1
|
|
||||||
%patch16 -p1
|
|
||||||
%patch17 -p1
|
%patch17 -p1
|
||||||
%patch19 -p1
|
%patch19 -p1
|
||||||
%patch20 -p1
|
%patch20 -p1
|
||||||
%patch22 -p1
|
|
||||||
|
|
||||||
%patch50 -p1
|
|
||||||
%patch51 -p1
|
|
||||||
%patch52 -p1
|
|
||||||
%patch53 -p1
|
|
||||||
|
|
||||||
# build smbk5pwd with other overlays
|
# build smbk5pwd with other overlays
|
||||||
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
|
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
|
||||||
@ -219,11 +193,12 @@ pushd openldap-%{version}
|
|||||||
\
|
\
|
||||||
--disable-static \
|
--disable-static \
|
||||||
\
|
\
|
||||||
|
--enable-moznss-compatibility=yes \
|
||||||
|
\
|
||||||
--with-cyrus-sasl \
|
--with-cyrus-sasl \
|
||||||
--without-fetch \
|
--without-fetch \
|
||||||
--with-threads \
|
--with-threads \
|
||||||
--with-pic \
|
--with-pic \
|
||||||
--with-tls=moznss \
|
|
||||||
--with-gnu-ld \
|
--with-gnu-ld \
|
||||||
\
|
\
|
||||||
--libexecdir=%{_libdir}
|
--libexecdir=%{_libdir}
|
||||||
@ -546,6 +521,9 @@ exit 0
|
|||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
|
||||||
|
- Build with OpenSSL with MozNSS compatibility layer (#1400570)
|
||||||
|
|
||||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user