Support TLSv1 and later. Author: Mark Reynolds Backported-by: Jan Synacek Upstream ITS: #7979 Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/include/ldap.h 2015-01-27 14:52:42.741364186 +0100
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
 
 /* OpenLDAP SASL options */
 #define LDAP_OPT_X_SASL_MECH 0x6100
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2015-01-27 14:57:25.702243542 +0100
@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
 	NSSInitContext *initctx = NULL;
 	PK11SlotInfo *certdb_slot = NULL;
 #endif
+	SSLVersionRange range;
+	SSLProtocolVariant variant;
 	SECStatus rc;
 	int done = 0;
 
@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
 		ctx->tc_using_pem = PR_TRUE;
 	}
 
+	/*
+	 * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+	 *
+	 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+	 */
+	SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+	range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+	variant = ssl_variant_stream;
+	SSL_VersionRangeSetDefault(variant, &range);
 	NSS_SetDomesticPolicy();
 	PK11_SetPasswordFunc( tlsm_pin_prompt );
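Review bot: `SSLProtocolVariant variant;` in the declarations hunk adds a local that the later hunk only ever sets to the constant `ssl_variant_stream` before passing it to `SSL_VersionRangeSetDefault`; passing `ssl_variant_stream` directly, as the neighbouring `SSL_VersionRangeGetSupported` call already does, removes both the assignment and this declaration. More importantly, the `SECStatus` returned by `SSL_VersionRangeSetDefault` (and by `SSL_VersionRangeGetSupported`) is never captured in `rc`, declared right below, so if the configured `lt_protocol_min` is above the library's supported maximum, or otherwise not accepted, NSS can refuse the range and initialisation carries on with the library default — the configured minimum is then silently dropped rather than enforced. Suggest `rc = SSL_VersionRangeSetDefault(ssl_variant_stream, &range);` followed by `if ( rc != SECSuccess ) { /* log the NSS error and fail deferred init */ }` in the same style as the other checked NSS calls in this function. The body of tlsm_deferred_init and the hunk that uses these declarations continue past the end of this chunk.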