Implement new API for setting TLS protocol version. The code being deleted has been misplaced and it's effect has been mangled by a code later on. This patch puts the code at the correct place and introduces some more logging and error checking. Author: Matus Honek RHBZ: #1375432 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c @@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg ) } } - /* - * Set the SSL version range. MozNSS SSL versions are the same as openldap's: - * - * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* - */ - SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ - range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; - variant = ssl_variant_stream; - SSL_VersionRangeSetDefault(variant, &range); - NSS_SetDomesticPolicy(); PK11_SetPasswordFunc( tlsm_pin_prompt ); @@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg ) 0, 0, 0 ); return -1; } + if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) { + SSLVersionRange supported_range, default_range, selected_range; + if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n", + 0, 0, 0 ); + return -1; + } else { + Debug( LDAP_DEBUG_ANY, + "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n", + supported_range.min, supported_range.max, 0); + } + if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n", + 0, 0, 0 ); + return -1; + } else { + Debug( LDAP_DEBUG_ANY, + "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n", + default_range.min, default_range.max, 0); + } + selected_range.min = lt->lt_protocol_min; + selected_range.max = supported_range.max; + Debug( LDAP_DEBUG_ANY, + "TLS: info: TLS configured protocol minimal version is %#04x.\n", + selected_range.min, selected_range.max, 0); + if ( (selected_range.min > supported_range.max) || + (selected_range.max < supported_range.min) ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: selected protocol version range out of NSS-supported version range.\n", + 0, 0, 0); + return -1; + } else { + if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n", + 0, 0, 0); + return -1; + } + if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n", + 0, 0, 0); + return -1; + } else { + Debug( LDAP_DEBUG_ANY, + "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n", + selected_range.min, selected_range.max, 0); + } + } + } if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) { Debug( LDAP_DEBUG_ANY,