fix: default encryption strength dropped in switch to using NSS
Resolves: #669446
This commit is contained in:
parent
4afcb000ed
commit
a44fb64495
43
openldap-nss-cipher-suites.patch
Normal file
43
openldap-nss-cipher-suites.patch
Normal file
@ -0,0 +1,43 @@
|
||||
Makes tls_m use the "DEFAULT" list and adds more cipher suites to the default list.
|
||||
|
||||
Upstream ITS: #6790
|
||||
Resolves: #669446
|
||||
Author: Rich Megginson <rmeggins@redhat.com>
|
||||
|
||||
diff -uNrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
|
||||
--- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:23:45.326428779 +0100
|
||||
+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:25:05.667128309 +0100
|
||||
@@ -214,7 +214,7 @@ static cipher_properties ciphers_def[] =
|
||||
|
||||
/* SSL3 ciphers */
|
||||
{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},
|
||||
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
||||
{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
||||
{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
|
||||
{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
||||
@@ -225,8 +225,8 @@ static cipher_properties ciphers_def[] =
|
||||
/* TLSv1 ciphers */
|
||||
{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
||||
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},
|
||||
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},
|
||||
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
|
||||
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
|
||||
};
|
||||
|
||||
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
|
||||
@@ -2016,7 +2016,12 @@ tlsm_deferred_ctx_init( void *arg )
|
||||
"TLS: could not set cipher list %s.\n",
|
||||
lt->lt_ciphersuite, 0, 0 );
|
||||
return -1;
|
||||
- }
|
||||
+ } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
|
||||
+ Debug( LDAP_DEBUG_ANY,
|
||||
+ "TLS: could not set cipher list DEFAULT.\n",
|
||||
+ 0, 0, 0 );
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
if ( ctx->tc_require_cert ) {
|
||||
request_cert = PR_TRUE;
|
@ -39,6 +39,9 @@ Patch106: openldap-improve-trace-messages.patch
|
||||
Patch107: openldap-nss-non-blocking.patch
|
||||
Patch108: openldap-verify-self-issued-certs.patch
|
||||
|
||||
# patches sent upstream
|
||||
Patch109: openldap-nss-cipher-suites.patch
|
||||
|
||||
# patches for the evolution library (see README.evolution)
|
||||
Patch200: openldap-evolution-ntlm.patch
|
||||
|
||||
@ -148,6 +151,7 @@ pushd openldap-%{version}
|
||||
%patch106 -p1 -b .improve-trace-messages
|
||||
%patch107 -p1 -b .nss-non-blocking
|
||||
%patch108 -p1 -b .verify-self-issued-certs
|
||||
%patch109 -p1 -b .nss-cipher-suites
|
||||
|
||||
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user