72da77adb6
This is not an enhancement, this is a bugfix.
47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
Support TLSv1 and later.
|
|
|
|
Author: Mark Reynolds <mreynolds@redhat.com>
|
|
Backported-by: Jan Synacek <jsynacek@redhat.com>
|
|
Upstream ITS: #7979
|
|
Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
|
|
|
|
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
|
+++ openldap-2.4.40/include/ldap.h 2015-01-27 14:52:42.741364186 +0100
|
|
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
|
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
|
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
|
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
|
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
|
|
|
/* OpenLDAP SASL options */
|
|
#define LDAP_OPT_X_SASL_MECH 0x6100
|
|
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-09-19 03:48:49.000000000 +0200
|
|
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2015-01-27 14:57:25.702243542 +0100
|
|
@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
|
|
NSSInitContext *initctx = NULL;
|
|
PK11SlotInfo *certdb_slot = NULL;
|
|
#endif
|
|
+ SSLVersionRange range;
|
|
+ SSLProtocolVariant variant;
|
|
SECStatus rc;
|
|
int done = 0;
|
|
|
|
@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
|
|
ctx->tc_using_pem = PR_TRUE;
|
|
}
|
|
|
|
+ /*
|
|
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
|
|
+ *
|
|
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
|
|
+ */
|
|
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
|
|
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
|
|
+ variant = ssl_variant_stream;
|
|
+ SSL_VersionRangeSetDefault(variant, &range);
|
|
+
|
|
NSS_SetDomesticPolicy();
|
|
|
|
PK11_SetPasswordFunc( tlsm_pin_prompt );
|
|
|