ldap/servers
by Noriko Hosoi
ldap/servers/slapd/fedse.c | 2 -
ldap/servers/slapd/ssl.c | 74 +++++++++++++++++++++++++--------------------
2 files changed, 43 insertions(+), 33 deletions(-)
New commits:
commit ad7885eae64a2085a89d516c1106b578142be502
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Nov 13 12:14:48 2014 -0800
Ticket #47928 - Disable SSL v3, by default.
Description:
Changing the default sslVersionMin value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
nsSSL3: off
nsTLS1: on
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
2) Setting new SSL version attrs; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
nsSSL3: on
sslVersionMin: TLS1.0
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis
able nsSSL3 in cn=encryption,cn=config.
SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
are on. Respect the supported range.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
nsSSL3: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
the version range as default min: TLS1.0, max: TLS1.2.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
5) Setting old/new SSL version attrs; no conflict; setting SSL3
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
nsSSL3 in cn=encryption,cn=config.
SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
to set sslVersionMin higher than TLS1.0.
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
https://fedorahosted.org/389/ticket/47928
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 87f45a1..d10fb3e 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -110,7 +110,7 @@ static const char *internal_entries[] =
"cn:encryption\n"
"nsSSLSessionTimeout:0\n"
"nsSSLClientAuth:allowed\n"
- "sslVersionMin:tls1.1\n",
+ "sslVersionMin:TLS1.0\n",
"dn:cn=monitor\n"
"objectclass:top\n"
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 5d6919a..6b51e0c 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -87,13 +87,23 @@
/* TLS1.1 is defined in RFC4346. */
#define NSS_TLS11 1
#else
-/*
- * TLS1.0 is defined in RFC2246.
- * Close to SSL 3.0.
- */
#define NSS_TLS10 1
#endif
+/******************************************************************************
+ * Default SSL Version Rule
+ * Old SSL version attributes:
+ * nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0
+ * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater
+ * Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0.
+ * New SSL version attributes:
+ * sslVersionMin: TLS1.0
+ * sslVersionMax: max ssl version supported by NSS
+ ******************************************************************************/
+
+#define DEFVERSION "TLS1.0"
+#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0
+
extern char* slapd_SSL3ciphers;
extern symbol_t supported_ciphers[];
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
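Review bot: DEFVERSION and CURRENT_DEFAULT_SSL_VERSION at the end of the hunk are two spellings of one value, and fedse.c's cn=encryption entry carries a third as the literal "TLS1.0"; nothing in the code ties them together, so a later bump can update one and not the others. Add `/* DEFVERSION must name CURRENT_DEFAULT_SSL_VERSION and match the sslVersionMin default in fedse.c */` above the two defines. The rule comment would also help a reader more if it stated which attributes win when the old nsSSL3/nsTLS1 and the new sslVersionMin/sslVersionMax disagree, since that is what restrict_SSLVersionRange below decides case by case.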
@@ -253,12 +263,12 @@ static lookup_cipher _lookup_cipher[] = {
PRBool enableSSL2 = PR_FALSE;
/*
* nsSSL3: on -- disable SSLv3 by default.
- * Corresonding to SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0
+ * Corresonding to SSL_LIBRARY_VERSION_3_0
*/
PRBool enableSSL3 = PR_FALSE;
/*
* nsTLS1: on -- enable TLS1 by default.
- * Corresonding to SSL_LIBRARY_VERSION_TLS_1_1 and greater.
+ * Corresonding to SSL_LIBRARY_VERSION_TLS_1_0 and greater.
*/
PRBool enableTLS1 = PR_TRUE;
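Review bot: Both added comment lines carry the typo "Corresonding"; since the hunk already rewrites them, `* Corresponding to SSL_LIBRARY_VERSION_3_0` and `* Corresponding to SSL_LIBRARY_VERSION_TLS_1_0 and greater.` cost nothing. The unchanged line above, "nsSSL3: on -- disable SSLv3 by default", also reads as a contradiction next to `enableSSL3 = PR_FALSE`; it appears to mean "nsSSL3 defaults to off", and saying so would avoid the double take.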
@@ -927,14 +937,14 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
"We strongly recommend to disable nsSSL3 in %s.", configDN);
if (enableTLS1) {
- if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Respect the supported range.",
mymin, mymax);
enableSSL3 = PR_FALSE;
}
- if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Resetting the max to the supported max SSL version: %s.",
@@ -943,7 +953,7 @@ restrict_SSLVersionRange(void)
}
} else {
/* nsTLS1 is explicitly set to off. */
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the supported range.",
@@ -951,20 +961,20 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ } else if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
mymin, mymax);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
- "We strongly recommend to set sslVersionMax higher than %s.",
- mymin, mymax, emax);
+ "We strongly recommend to set sslVersionMin higher than %s.",
+ mymin, mymax, DEFVERSION);
} else {
/*
- * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
* slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
*/
slapd_SSL_warn("Configured range: min: %s, max: %s; "
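Review bot: The new test `slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION` is the exact complement of the preceding `else if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION)`, so the trailing `else` branch, whose comment still describes `min < TLS_1_0 && max >= TLS_1_1`, can no longer execute and the warning it begins to emit at the end of the hunk is dead code. If that branch is meant to survive (a range starting at SSL3 but reaching into TLS), the condition should stay on the upper bound as the removed line did, `} else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {`, which still yields the "Too low configured range" warning for the SSL3..SSL3 case shown in the description; otherwise delete the unreachable branch and its comment. The message at the DEFVERSION line also recommends a minimum "higher than TLS1.0" while TLS1.0 is the new default, so "at least %s" seems to be the intended wording. restrict_SSLVersionRange continues outside the hunk.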
@@ -976,7 +986,7 @@ restrict_SSLVersionRange(void)
}
} else {
if (enableTLS1) {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
/* TLS1 is on, but TLS1 is not supported by NSS. */
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Setting the version range based upon the supported range.",
@@ -985,17 +995,17 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = enabledNSSVersions.min;
enableSSL3 = PR_TRUE;
enableTLS1 = PR_FALSE;
- } else if ((slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) ||
- (slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_1)) {
+ } else if ((slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) ||
+ (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION)) {
slapdNSSVersions.max = enabledNSSVersions.max;
- slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
- slapd_SSL_warn("Default SSL Version settings; "
- "Configuring the version range as min: %s, max: %s; ",
- mymin, mymax);
+ slapdNSSVersions.min = SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min);
+ slapd_SSL_warn("nsTLS1 is on, but the version range is lower than \"%s\"; "
+ "Configuring the version range as default min: %s, max: %s.",
+ DEFVERSION, DEFVERSION, emax);
} else {
/*
- * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
- * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
+ * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
*/
;
}
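Review bot: The new warning at the `DEFVERSION, DEFVERSION, emax` line reports the minimum as TLS1.0, but the assignment two lines above stores `SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min)`, so on an NSS build whose supported minimum is above TLS1.0 the access log will understate the configured floor; `mymin`/`mymax` look like strings rendered before the struct was rewritten, so they cannot simply be substituted either. Log the value actually stored, e.g. regenerate the min string after the assignment and pass it in place of the second DEFVERSION, or phrase the message as "default min: at least %s". The enclosing function continues outside the hunk.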
@@ -1004,14 +1014,14 @@ restrict_SSLVersionRange(void)
"Respect the configured range.",
emin, emax);
/* nsTLS1 is explicitly set to off. */
- if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
enableSSL3 = PR_TRUE;
} else {
/*
- * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
- * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
+ * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
*/
enableSSL3 = PR_TRUE;
enableTLS1 = PR_TRUE;
@@ -1434,17 +1444,17 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
sscanf(vp, "%4f", &tlsv);
if (tlsv < 1.1) { /* TLS1.0 */
if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
val, emin);
(*rval) = enabledNSSVersions.min;
} else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
+ (*rval) = CURRENT_DEFAULT_SSL_VERSION;
}
} else {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
/* never happens */
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
@@ -1452,7 +1462,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
val, emax);
(*rval) = enabledNSSVersions.max;
} else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
+ (*rval) = CURRENT_DEFAULT_SSL_VERSION;
}
}
} else if (tlsv < 1.2) { /* TLS1.1 */
@@ -1906,7 +1916,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
} else {
enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" );
}
- } else if (enabledNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_0) {
+ } else if (enabledNSSVersions.max >= CURRENT_DEFAULT_SSL_VERSION) {
enableTLS1 = PR_TRUE; /* If available, enable TLS1 */
}
slapi_ch_free_string( &val );
Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/acl/acl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
New commits:
commit 67a084d288b971fa31c58375d06a521e4776c6ca
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 10:15:46 2014 -0500
Ticket 47953 - Should not check aci syntax when deleting an aci
Bug Description: Trying to delete an aci that has an invalid syntax generates a
syntax error when trying to remove it.
Fix Description: Do not check the syntax of an aci if it's being deleted.
https://fedorahosted.org/389/ticket/47953
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 3ce60db0a404b4663df6005b78027332d0e56f95)
Conflicts:
ldap/servers/plugins/acl/acl.c
(cherry picked from commit 234f118efe7867cbbe36ca5c8b13ea7195114a38)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index d27c0e1..598601b 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1485,13 +1485,15 @@ acl_check_mods(
/* Are we adding/replacing a aci attribute
** value. In that case, we need to make
- ** sure that the new value has thr right
+ ** sure that the new value has the right
** syntax
*/
- if (strcmp(mod->mod_type,
- aci_attr_type) == 0) {
- if ( 0 != (rv = acl_verify_syntax( e_sdn,
- mod->mod_bvalues[i], errbuf))) {
+
+ if (!SLAPI_IS_MOD_DELETE(mod->mod_op) &&
+ strcmp(mod->mod_type, aci_attr_type) == 0)
+ {
+ if ( 0 != (rv = acl_verify_syntax(e_sdn,
+ mod->mod_bvalues[i], errbuf))) {
aclutil_print_err(rv, e_sdn,
mod->mod_bvalues[i],
errbuf);
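Review bot: The comment above the new condition still reads "Are we adding/replacing a aci attribute value", while the code now deliberately exempts MOD_DELETE, so the exemption reads as an accident to the next maintainer. Extend it with `** A delete is skipped on purpose: a value with bad syntax must still be removable (ticket 47953).` The loop over mod_bvalues and its bounds are outside the hunk, so whether a MOD_DELETE with no values (whole-attribute delete) ever reaches this line cannot be confirmed from here; the same applies to the 1.3.1/1.3.2/1.3.3 backports below.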
Branch '389-ds-base-1.3.1' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/acl/acl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
New commits:
commit 234f118efe7867cbbe36ca5c8b13ea7195114a38
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 10:15:46 2014 -0500
Ticket 47953 - Should not check aci syntax when deleting an aci
Bug Description: Trying to delete an aci that has an invalid syntax generates a
syntax error when trying to remove it.
Fix Description: Do not check the syntax of an aci if it's being deleted.
https://fedorahosted.org/389/ticket/47953
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 3ce60db0a404b4663df6005b78027332d0e56f95)
Conflicts:
ldap/servers/plugins/acl/acl.c
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 2337e0d..ed78935 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1490,13 +1490,15 @@ acl_check_mods(
/* Are we adding/replacing a aci attribute
** value. In that case, we need to make
- ** sure that the new value has thr right
+ ** sure that the new value has the right
** syntax
*/
- if (strcmp(mod->mod_type,
- aci_attr_type) == 0) {
- if ( 0 != (rv = acl_verify_syntax( e_sdn,
- mod->mod_bvalues[i], errbuf))) {
+
+ if (!SLAPI_IS_MOD_DELETE(mod->mod_op) &&
+ strcmp(mod->mod_type, aci_attr_type) == 0)
+ {
+ if ( 0 != (rv = acl_verify_syntax(e_sdn,
+ mod->mod_bvalues[i], errbuf))) {
aclutil_print_err(rv, e_sdn,
mod->mod_bvalues[i],
errbuf);
Branch '389-ds-base-1.3.2' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/acl/acl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
New commits:
commit eb6a2353923e5aa04f5a35116179f8dc42cadd29
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 10:15:46 2014 -0500
Ticket 47953 - Should not check aci syntax when deleting an aci
Bug Description: Trying to delete an aci that has an invalid syntax generates a
syntax error when trying to remove it.
Fix Description: Do not check the syntax of an aci if it's being deleted.
https://fedorahosted.org/389/ticket/47953
Reviewed by: ?
(cherry picked from commit 3ce60db0a404b4663df6005b78027332d0e56f95)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 9da6d95..37299ed 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1492,11 +1492,12 @@ acl_check_mods(
/* Are we adding/replacing a aci attribute
** value. In that case, we need to make
- ** sure that the new value has thr right
+ ** sure that the new value has the right
** syntax
*/
- if (strcmp(mod->mod_type,
- aci_attr_type) == 0) {
+ if (!SLAPI_IS_MOD_DELETE(mod->mod_op) &&
+ strcmp(mod->mod_type, aci_attr_type) == 0)
+ {
if ( 0 != (rv = acl_verify_syntax(pb, e_sdn,
mod->mod_bvalues[i], errbuf))) {
aclutil_print_err(rv, e_sdn,
Branch '389-ds-base-1.3.3' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/acl/acl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
New commits:
commit 6a435f1cce137990c9c55f3f571f97c09ad6d9f4
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 10:15:46 2014 -0500
Ticket 47953 - Should not check aci syntax when deleting an aci
Bug Description: Trying to delete an aci that has an invalid syntax generates a
syntax error when trying to remove it.
Fix Description: Do not check the syntax of an aci if it's being deleted.
https://fedorahosted.org/389/ticket/47953
Reviewed by: ?
(cherry picked from commit 3ce60db0a404b4663df6005b78027332d0e56f95)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index fe863c8..5416330 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1553,11 +1553,12 @@ acl_check_mods(
/* Are we adding/replacing a aci attribute
** value. In that case, we need to make
- ** sure that the new value has thr right
+ ** sure that the new value has the right
** syntax
*/
- if (strcmp(mod->mod_type,
- aci_attr_type) == 0) {
+ if (!SLAPI_IS_MOD_DELETE(mod->mod_op) &&
+ strcmp(mod->mod_type, aci_attr_type) == 0)
+ {
if ( 0 != (rv = acl_verify_syntax(pb, e_sdn,
mod->mod_bvalues[i], errbuf))) {
aclutil_print_err(rv, e_sdn,
2 commits - dirsrvtests/data dirsrvtests/tickets ldap/servers
by Mark Reynolds
dirsrvtests/data/ticket47953.ldif | 27 ++++
dirsrvtests/tickets/ticket47953_test.py | 178 ++++++++++++++++++++++++++++++++
ldap/servers/plugins/acl/acl.c | 7 -
3 files changed, 209 insertions(+), 3 deletions(-)
New commits:
commit 6b4ade8cac69d2d903340ec5af4e6b7a93158136
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 11:07:52 2014 -0500
Ticket 47953 - testcase for removing invalid aci
https://fedorahosted.org/389/ticket/47953
Reviewed by: rmeggins(Thanks!)
diff --git a/dirsrvtests/data/ticket47953.ldif b/dirsrvtests/data/ticket47953.ldif
new file mode 100644
index 0000000..e59977e
--- /dev/null
+++ b/dirsrvtests/data/ticket47953.ldif
@@ -0,0 +1,27 @@
+dn: dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: example
+aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
+ allow (read, search, compare) userdn="ldap:///anyone";)
+aci: (targetattr="carLicense || description || displayName || facsimileTelepho
+ neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele
+ dURI || mail || mobile || pager || photo || postOfficeBox || postalAddress ||
+ postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr
+ ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber
+ || telexNumber || title || userCertificate || userPassword || userSMIMECertif
+ icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo
+ n attributes"; allow (write) userdn="ldap:///self";)
+aci: (targetattr ="fffff")(version 3.0;acl "Directory Administrators Group";al
+ low (all) (groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com"
+ );)
+aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
+ llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
+ logyManagement,o=NetscapeRoot";)
+aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
+ ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
+ apeRoot";)
+aci: (targetattr = "*")(version 3.0; acl "TEST ACI"; allow (writ
+ e) groupdn = "ldap:///cn=slapd-localhost,cn=389 Directory Server,cn=Server Gr
+ oup,cn=localhost.localdomain,ou=example.com,o=NetscapeRoot";)
+
diff --git a/dirsrvtests/tickets/ticket47953_test.py b/dirsrvtests/tickets/ticket47953_test.py
new file mode 100644
index 0000000..5a1241b
--- /dev/null
+++ b/dirsrvtests/tickets/ticket47953_test.py
@@ -0,0 +1,178 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import socket
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from constants import *
+
+log = logging.getLogger(__name__)
+
+installation_prefix = None
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ '''
+ This fixture is used to standalone topology for the 'module'.
+ At the beginning, It may exists a standalone instance.
+ It may also exists a backup for the standalone instance.
+
+ Principle:
+ If standalone instance exists:
+ restart it
+ If backup of standalone exists:
+ create/rebind to standalone
+
+ restore standalone instance from backup
+ else:
+ Cleanup everything
+ remove instance
+ remove backup
+ Create instance
+ Create backup
+ '''
+ global installation_prefix
+
+ if installation_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation_prefix
+
+ standalone = DirSrv(verbose=False)
+
+ # Args for the standalone instance
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+
+ # Get the status of the backups
+ backup_standalone = standalone.checkBackupFS()
+
+ # Get the status of the instance and restart it if it exists
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ # assuming the instance is already stopped, just wait 5 sec max
+ standalone.stop(timeout=5)
+ standalone.start(timeout=10)
+
+ if backup_standalone:
+ # The backup exist, assuming it is correct
+ # we just re-init the instance with it
+ if not instance_standalone:
+ standalone.create()
+ # Used to retrieve configuration information (dbdir, confdir...)
+ standalone.open()
+
+ # restore standalone instance from backup
+ standalone.stop(timeout=10)
+ standalone.restoreFS(backup_standalone)
+ standalone.start(timeout=10)
+
+ else:
+ # We should be here only in two conditions
+ # - This is the first time a test involve standalone instance
+ # - Something weird happened (instance/backup destroyed)
+ # so we discard everything and recreate all
+
+ # Remove the backup. So even if we have a specific backup file
+ # (e.g backup_standalone) we clear backup that an instance may have created
+ if backup_standalone:
+ standalone.clearBackupFS()
+
+ # Remove the instance
+ if instance_standalone:
+ standalone.delete()
+
+ # Create the instance
+ standalone.create()
+
+ # Used to retrieve configuration information (dbdir, confdir...)
+ standalone.open()
+
+ # Time to create the backups
+ standalone.stop(timeout=10)
+ standalone.backupfile = standalone.backupFS()
+ standalone.start(timeout=10)
+
+ # clear the tmp directory
+ standalone.clearTmpDir(__file__)
+
+ #
+ # Here we have standalone instance up and running
+ # Either coming from a backup recovery
+ # or from a fresh (re)init
+ # Time to return the topology
+ return TopologyStandalone(standalone)
+
+
+def test_ticket47953(topology):
+ """
+ Test that we can delete an aci that has an invalid syntax.
+ Sart by importing an ldif with a "bad" aci, then simply try
+ to remove that value without error.
+ """
+
+ log.info('Testing Ticket 47953 - Test we can delete aci that has invalid syntax')
+
+ #
+ # Import an invalid ldif
+ #
+ ldif_file = topology.standalone.getDir(__file__, DATA_DIR) + "ticket47953.ldif"
+ importTask = Tasks(topology.standalone)
+ args = {TASK_WAIT: True}
+ try:
+ importTask.importLDIF(DEFAULT_SUFFIX, None, ldif_file, args)
+ except ValueError:
+ assert False
+
+ #
+ # Delete the invalid aci
+ #
+ acival = '(targetattr ="fffff")(version 3.0;acl "Directory Administrators Group"' + \
+ ';allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com");)'
+
+ log.info('Attempting to remove invalid aci...')
+ try:
+ topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_DELETE, 'aci', acival)])
+ log.info('Removed invalid aci.')
+ except ldap.LDAPError, e:
+ log.error('Failed to remove invalid aci: ' + e.message['desc'])
+ assert False
+
+ # If we got here we passed!
+ log.info('Ticket47953 Test - Passed')
+
+
+def test_ticket47953_final(topology):
+ topology.standalone.stop(timeout=10)
+
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation_prefix
+ installation_prefix = None
+
+ topo = topology(True)
+ test_ticket47953(topo)
+
+if __name__ == '__main__':
+ run_isolated()
\ No newline at end of file
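Review bot: test_ticket47953 only checks that modify_s does not raise; it never reads the entry back, so a server that accepted the delete but left the value in place would still pass. After the modify, read the suffix and assert the value is gone: `res = topology.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE, '(objectclass=*)', ['aci'])` followed by `assert acival not in res[0][1]['aci']`. The `assert False` inside each except block also discards the original traceback; `pytest.fail(...)` with the message, or letting the exception propagate, keeps it for the failure report.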
commit 3ce60db0a404b4663df6005b78027332d0e56f95
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Nov 12 10:15:46 2014 -0500
Ticket 47953 - Should not check aci syntax when deleting an aci
Bug Description: Trying to delete an aci that has an invalid syntax generates a
syntax error when trying to remove it.
Fix Description: Do not check the syntax of an aci if it's being deleted.
https://fedorahosted.org/389/ticket/47953
Reviewed by: ?
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index fe863c8..5416330 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1553,11 +1553,12 @@ acl_check_mods(
/* Are we adding/replacing a aci attribute
** value. In that case, we need to make
- ** sure that the new value has thr right
+ ** sure that the new value has the right
** syntax
*/
- if (strcmp(mod->mod_type,
- aci_attr_type) == 0) {
+ if (!SLAPI_IS_MOD_DELETE(mod->mod_op) &&
+ strcmp(mod->mod_type, aci_attr_type) == 0)
+ {
if ( 0 != (rv = acl_verify_syntax(pb, e_sdn,
mod->mod_bvalues[i], errbuf))) {
aclutil_print_err(rv, e_sdn,
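Review bot: The new condition exempts MOD_DELETE from acl_verify_syntax, but the comment above it still says "Are we adding/replacing a aci attribute value", so nothing in the file records that the skip is intentional. Add `** A delete is skipped on purpose: a value with bad syntax must still be removable (ticket 47953).` to that comment. The loop over mod_bvalues starts outside the hunk, so it cannot be confirmed here that a whole-attribute MOD_DELETE (no values) never reaches acl_verify_syntax.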
Branch '389-ds-base-1.2.11' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 1 -
1 file changed, 1 deletion(-)
New commits:
commit 75a6c74e305c91b5c4b40f73afb0187d9e3ffc64
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:12:48 2014 -0800
Ticket #47948 - ldap_sasl_bind fails assertion (ld != NULL) if it is called from chainingdb_bind over SSL/startTLS
Bug Description: In case startTLS, if ldap_start_tls_s called from
cb_get_connection failed and it returned non LDAP_SUCCESS return
code, the code was stored in the local variable just in the error
case, used only for error logging and abandoned in the scope; the
caller cb_get_connection returned LDAP_SUCCESS even if the connection
was not established. That confuses the caller of cb_get_connection
and let it call ldap_sasl_bind with NULL ld and it causes the assertion
failure.
Fix Description: remove the local variable declaration in the scope.
https://fedorahosted.org/389/ticket/47948
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 47868d3e5278d425abe5e8325f2965de66c10cff)
(cherry picked from commit cb4f0cb2d120bc899bfb68dfe134ec3a26f3f334)
(cherry picked from commit 96789560a56ae6408addd7b01bfe8c40bb333d81)
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index a85b392..4b323b1 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -463,7 +463,6 @@ cb_get_connection(cb_conn_pool * pool,
ldap_controls_free(serverctrls);
}
} else if (secure == 2) {
- int rc;
/* the start_tls operation is usually performed in slapi_ldap_bind, but
since we are not binding we still need to start_tls */
if (cb_debug_on()) {
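Review bot: The fix works only because a function-level `rc` outside the hunk is the value cb_get_connection returns; nothing at this spot says so, and the same shadowing can silently return. Add `/* rc is the function-level return code: a local here would shadow it and drop the start_tls failure (ticket 47948) */` where the declaration was removed, and consider building the chaining backend with -Wshadow so the compiler reports a repeat. The function starts and ends outside the hunk.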
Branch '389-ds-base-1.3.2' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 1 -
1 file changed, 1 deletion(-)
New commits:
commit 96789560a56ae6408addd7b01bfe8c40bb333d81
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:12:48 2014 -0800
Ticket #47948 - ldap_sasl_bind fails assertion (ld != NULL) if it is called from chainingdb_bind over SSL/startTLS
Bug Description: In case startTLS, if ldap_start_tls_s called from
cb_get_connection failed and it returned non LDAP_SUCCESS return
code, the code was stored in the local variable just in the error
case, used only for error logging and abandoned in the scope; the
caller cb_get_connection returned LDAP_SUCCESS even if the connection
was not established. That confuses the caller of cb_get_connection
and let it call ldap_sasl_bind with NULL ld and it causes the assertion
failure.
Fix Description: remove the local variable declaration in the scope.
https://fedorahosted.org/389/ticket/47948
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 47868d3e5278d425abe5e8325f2965de66c10cff)
(cherry picked from commit cb4f0cb2d120bc899bfb68dfe134ec3a26f3f334)
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index a85b392..4b323b1 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -463,7 +463,6 @@ cb_get_connection(cb_conn_pool * pool,
ldap_controls_free(serverctrls);
}
} else if (secure == 2) {
- int rc;
/* the start_tls operation is usually performed in slapi_ldap_bind, but
since we are not binding we still need to start_tls */
if (cb_debug_on()) {
Branch '389-ds-base-1.3.3' - 2 commits - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 1
ldap/servers/slapd/auth.c | 85 +++++---
ldap/servers/slapd/slapi-private.h | 19 +
ldap/servers/slapd/ssl.c | 194 ++++++++++----------
4 files changed, 174 insertions(+), 125 deletions(-)
New commits:
commit cb4f0cb2d120bc899bfb68dfe134ec3a26f3f334
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:12:48 2014 -0800
Ticket #47948 - ldap_sasl_bind fails assertion (ld != NULL) if it is called from chainingdb_bind over SSL/startTLS
Bug Description: In case startTLS, if ldap_start_tls_s called from
cb_get_connection failed and it returned non LDAP_SUCCESS return
code, the code was stored in the local variable just in the error
case, used only for error logging and abandoned in the scope; the
caller cb_get_connection returned LDAP_SUCCESS even if the connection
was not established. That confuses the caller of cb_get_connection
and let it call ldap_sasl_bind with NULL ld and it causes the assertion
failure.
Fix Description: remove the local variable declaration in the scope.
https://fedorahosted.org/389/ticket/47948
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 47868d3e5278d425abe5e8325f2965de66c10cff)
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index a85b392..4b323b1 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -463,7 +463,6 @@ cb_get_connection(cb_conn_pool * pool,
ldap_controls_free(serverctrls);
}
} else if (secure == 2) {
- int rc;
/* the start_tls operation is usually performed in slapi_ldap_bind, but
since we are not binding we still need to start_tls */
if (cb_debug_on()) {
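Review bot: Removing the inner `int rc;` is correct only as long as the surrounding function's `rc`, declared and returned outside this hunk, is the one the start_tls result should land in, and nothing at this line says so. Add `/* rc is the function-level return code; do not redeclare it in this scope (ticket 47948) */` so the next edit does not reintroduce the shadow, and enable -Wshadow for this plugin if the build flags allow it. The function starts and ends outside the hunk.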
commit 0d1087d0c4dc9b6af3a01776ae11e0977c447fb7
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:51:34 2014 -0800
Ticket #47945 - Add SSL/TLS version info to the access log
Description: Added the currently used SSL library version info per
connection to the access log.
Sample output:
SSL
[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[..] conn=3 TLS1.2 128-bit AES-GCM
startTLS
[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[..] conn=4 TLS1.2 128-bit AES-GCM
To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_
TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this
patch calculates the number and generates the version string.
https://fedorahosted.org/389/ticket/47945
Reviewed and advised by rmeggins(a)redhat.com (Thanks a lot, Rich!!)
(cherry picked from commit a2e0de3aa90f04593427628afeb7fe090dac93fb)
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
index 5b7dc31..0219576 100644
--- a/ldap/servers/slapd/auth.c
+++ b/ldap/servers/slapd/auth.c
@@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
int keySize = 0;
char* cipher = NULL;
char* extraErrorMsg = "";
- SSLChannelInfo channelInfo;
- SSLCipherSuiteInfo cipherInfo;
- char* subject = NULL;
+ SSLChannelInfo channelInfo;
+ SSLCipherSuiteInfo cipherInfo;
+ char* subject = NULL;
+ char sslversion[64];
if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {
PRErrorCode errorCode = PR_GetError();
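Review bot: `char sslversion[64];` is added without an initializer, and the next hunk fills it with `(void) slapi_getSSLVersion_str(...)`, discarding the return value before handing the buffer to `%s` in slapi_log_access; if that helper can fail or return without writing (its contract lives in slapi-private.h, outside this view), the access log would be formatted from uninitialized stack. Declare it `char sslversion[64] = "";` or check the return code before logging. The hunk also re-indents three existing declarations, which mixes a whitespace change into a functional commit. handle_handshake_done continues outside the hunk.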
@@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
* to be enough, close the SSL connection. */
if ( conn->c_flags & CONN_FLAG_START_TLS ) {
if ( cipherInfo.symKeyBits == 0 ) {
- start_tls_graceful_closure( conn, NULL, 1 );
- goto done;
- }
+ start_tls_graceful_closure( conn, NULL, 1 );
+ goto done;
+ }
}
if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
- goto done;
- }
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
+ goto done;
+ }
if (clientCert == NULL) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
} else {
- subject = subject_of (clientCert);
- if (!subject) {
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL");
- goto done;
- }
- {
- char* issuer = issuer_of (clientCert);
- char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL",
- subject ? escape_string( subject, sbuf ) : "NULL",
- issuer ? escape_string( issuer, ibuf ) : "NULL");
- if (issuer) free (issuer);
- }
- slapi_dn_normalize (subject);
+ subject = subject_of (clientCert);
+ if (!subject) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL");
+ goto done;
+ }
+ {
+ char* issuer = issuer_of (clientCert);
+ char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL",
+ subject ? escape_string( subject, sbuf ) : "NULL",
+ issuer ? escape_string( issuer, ibuf ) : "NULL");
+ if (issuer) free (issuer);
+ }
+ slapi_dn_normalize (subject);
{
LDAPMessage* chain = NULL;
char *basedn = config_get_basedn();
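Review bot: `slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion))` is repeated verbatim before every `slapi_log_access` call in this hunk and twice more in the following hunk at `@@ -525`; the input is the same `channelInfo` each time, so convert once right after `slapd_ssl_getChannelInfo` succeeds and drop the per-branch calls. A single conversion also removes the risk of a future log site forgetting the call and printing an uninitialized `sslversion`. Separately, re-indenting the otherwise unchanged `start_tls_graceful_closure` block in the same commit obscures the functional change; whitespace-only edits are easier to review in their own commit. handle_handshake_done starts and ends outside this hunk. The same hunks appear again in the second listing of this commit.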
@@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
sdn = slapi_sdn_new_dn_passin(clientDN);
clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
slapi_sdn_free(&sdn);
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL client bound as %s\n",
- (long long unsigned int)conn->c_connid, clientDN);
+ "conn=%" NSPRIu64 " %s client bound as %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, clientDN);
} else if (clientCert != NULL) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL failed to map client "
+ "conn=%" NSPRIu64 " %s failed to map client "
"certificate to LDAP DN (%s)\n",
- (long long unsigned int)conn->c_connid, extraErrorMsg );
+ (long long unsigned int)conn->c_connid,
+ sslversion, extraErrorMsg);
}
/*
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index a8d7738..921c397 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
/* ldaputil.c */
char *ldaputil_get_saslpath();
+/* ssl.c */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+/* vnum is supposed to be in one of the following:
+ * nss3/sslproto.h
+ * #define SSL_LIBRARY_VERSION_2 0x0002
+ * #define SSL_LIBRARY_VERSION_3_0 0x0300
+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
+ * ...
+ */
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
+
#ifdef __cplusplus
}
#endif
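Review bot: The contract comment on `slapi_getSSLVersion_str` does not say what the function returns: with a usable buffer it returns `buf` itself (which is why the callers' `(void)` casts are correct), otherwise a heap string the caller must release with `slapi_ch_free_string`, and a too-small `bufsize` presumably yields a truncated string rather than an error. Suggest merging the two comment blocks into one that states the return value and the truncation behaviour explicitly, and notes which buffer size (`VERSION_STR_LENGTH`, currently defined only in ssl.c) is sufficient for every string the implementation can produce. The same hunk appears again in the second listing of this commit.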
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f81d1fb..5d6919a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[];
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
static SSLVersionRange enabledNSSVersions;
static SSLVersionRange slapdNSSVersions;
-static char *getNSSVersion_str(PRUint16 vnum);
#endif
/* dongle_file_name is set in slapd_nss_init when we set the path for the
@@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = {
{NULL, NULL}
};
+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
+#define VERSION_STR_LENGTH 64
+
/* Supported SSL versions */
/* nsSSL2: on -- we don't allow this any more. */
PRBool enableSSL2 = PR_FALSE;
@@ -418,8 +420,8 @@ getSSLVersionRange(char **min, char **max)
#if defined(NSS_TLS10)
return -1; /* not supported */
#else /* NSS_TLS11 or newer */
- *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));
- *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));
+ *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
+ *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
return 0;
#endif
}
@@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log)
}
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
-typedef struct _nss_version_list {
- PRUint16 vnum;
- char* vname;
-} NSSVersion_list;
-NSSVersion_list _NSSVersion_list[] =
-{
- {SSL_LIBRARY_VERSION_2, "SSL2"},
- {SSL_LIBRARY_VERSION_3_0, "SSL3"},
- {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},
- {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},
-#if defined(NSS_TLS12)
- {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},
-#endif
- {0, "unknown"}
-};
-
-static char *
-getNSSVersion_str(PRUint16 vnum)
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+char *
+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)
{
- NSSVersion_list *nvlp = NULL;
- char *vstr = "none";
- if (vnum) {
- for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) {
- if (nvlp->vnum == vnum) {
- vstr = nvlp->vname;
- break;
+ char *vstr = buf;
+ if (vnum >= SSL_LIBRARY_VERSION_3_0) {
+ if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL3");
+ } else {
+ vstr = slapi_ch_smprintf("SSL3");
+ }
+ } else { /* TLS v X.Y */
+ const char *TLSFMT = "TLS%d.%d";
+ int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
+
+ if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
+ minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
+ }
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
+ } else {
+ vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
}
}
+ } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL2");
+ } else {
+ vstr = slapi_ch_smprintf("SSL2");
+ }
+ } else {
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum);
+ } else {
+ vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);
+ }
}
return vstr;
}
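Review bot: The major-version test `if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0)` is a bit mask, not an equality on the high byte, so it also fires for any major byte with bits 0x03 set (0x07, 0x0b, ...) and would apply the minor offset inconsistently with the `0x0401 -> TLS2.1` rule the comment describes; the intended check is `if ((vnum >> 8) == (SSL_LIBRARY_VERSION_3_0 >> 8)) {`. No value listed in the header comment reaches that path, so this is latent rather than observable today. The same hunk is repeated at the end of the page, where it is cut off.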
@@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum)
static void
restrict_SSLVersionRange(void)
{
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
if (slapdNSSVersions.min > slapdNSSVersions.max) {
slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
if (enableSSL3) {
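Review bot: `mymin`/`mymax` are snapshots of `slapdNSSVersions` taken at function entry, but this function mutates that range (`slapdNSSVersions.max = enabledNSSVersions.max` right after the first warning here, and again in the later hunks at `@@ -971` and `@@ -983`), and the warnings that follow those assignments still print the snapshots. The old `getNSSVersion_str(slapdNSSVersions.min)` calls were evaluated at warning time, so the "Default SSL Version settings; Configuring the version range as min: %s, max: %s" message in the `@@ -983` hunk now appears to report the pre-adjustment values — a logging regression introduced by this commit, and one an operator would rely on when checking the effective TLS floor. Refresh the buffer after each assignment, e.g. `(void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));` after the `SSLVGreater` line, or convert immediately before each `slapd_SSL_warn`. restrict_SSLVersionRange continues past the end of this hunk.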
@@ -911,17 +931,14 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Respect the supported range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
}
if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
} else {
@@ -930,8 +947,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
@@ -939,19 +955,13 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
} else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
- "Resetting the range to: min: %s, max: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));
- slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
- slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ "We strongly recommend to set sslVersionMax higher than %s.",
+ mymin, mymax, emax);
} else {
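Review bot: The new warning at the end of this hunk passes `emax` (the NSS-supported maximum) as the value sslVersionMax should be set "higher than", which cannot be satisfied; the intended argument is probably `mymax` (the configured max), or the wording should read `up to %s` with `emax`. This hunk also drops the reset of `slapdNSSVersions.min`/`max` to TLS1.0 and leaves the too-low configured range in effect, a behaviour change the commit description (access-log version info) does not mention; it should be called out there or split into its own commit. restrict_SSLVersionRange starts and ends outside this hunk.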
/*
* slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
@@ -960,8 +970,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableTLS1 = PR_TRUE;
}
}
@@ -971,8 +980,7 @@ restrict_SSLVersionRange(void)
/* TLS1 is on, but TLS1 is not supported by NSS. */
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Setting the version range based upon the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
slapdNSSVersions.min = enabledNSSVersions.min;
enableSSL3 = PR_TRUE;
@@ -983,8 +991,7 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
slapd_SSL_warn("Default SSL Version settings; "
"Configuring the version range as min: %s, max: %s; ",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
} else {
/*
* slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
@@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void)
} else {
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Respect the configured range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
/* nsTLS1 is explicitly set to off. */
if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
enableTLS1 = PR_TRUE;
@@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available)
char *keydb_file_name = NULL;
char *secmoddb_file_name = NULL;
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
/* Get the range of the supported SSL version */
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
"supported range by NSS: min: %s, max: %s\n",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
#endif
/* set in slapd_bootstrap_config,
@@ -1351,34 +1359,37 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
{
char *vp, *endp;
int vnum;
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
if (NULL == rval) {
return 1;
}
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */
vp = val + SSLLEN;
vnum = strtol(vp, &endp, 10);
if (2 == vnum) {
if (ismin) {
if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {
- slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
- "\"%s\" is lower than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
- (*rval) = enabledNSSVersions.min;
+ slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
+ "\"%s\" is lower than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emin);
+ (*rval) = enabledNSSVersions.min;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
} else {
if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) {
/* never happens */
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
- "\"%s\" is higher than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
- (*rval) = enabledNSSVersions.max;
+ "\"%s\" is higher than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emax);
+ (*rval) = enabledNSSVersions.max;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
}
} else if (3 == vnum) {
@@ -1387,7 +1398,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1398,7 +1409,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1408,12 +1419,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1427,7 +1438,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1438,7 +1449,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1450,7 +1461,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1461,7 +1472,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1474,7 +1485,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1485,7 +1496,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1497,13 +1508,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1511,12 +1522,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
PRUint16 NSSVersionMin = enabledNSSVersions.min;
PRUint16 NSSVersionMax = enabledNSSVersions.max;
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char newmax[VERSION_STR_LENGTH];
#endif
char cipher_string[1024];
int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
@@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
slapi_ch_free_string( &val );
if (NSSVersionMin > NSSVersionMax) {
+ (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
- getNSSVersion_str(NSSVersionMin),
- getNSSVersion_str(NSSVersionMax));
+ mymin, mymax);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
- getNSSVersion_str(NSSVersionMax),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymax, newmax);
NSSVersionMax = enabledNSSVersions.max;
}
#endif
@@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
restrict_SSLVersionRange();
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
"Configured SSL version range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
if (sslStatus == SECSuccess) {
/* Set the restricted value to the cn=encryption entry */
} else {
slapd_SSL_error("SSL Initialization 2: "
"Failed to set SSL range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
}
} else {
#endif
2 commits - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 1
ldap/servers/slapd/auth.c | 85 +++++---
ldap/servers/slapd/slapi-private.h | 19 +
ldap/servers/slapd/ssl.c | 194 ++++++++++----------
4 files changed, 174 insertions(+), 125 deletions(-)
New commits:
commit 47868d3e5278d425abe5e8325f2965de66c10cff
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:12:48 2014 -0800
Ticket #47948 - ldap_sasl_bind fails assertion (ld != NULL) if it is called from chainingdb_bind over SSL/startTLS
Bug Description: In the startTLS case, if ldap_start_tls_s called from
cb_get_connection failed and returned a non-LDAP_SUCCESS return
code, the code was stored in a local variable declared only in the error
scope, used only for error logging, and discarded when that scope ended; the
caller cb_get_connection therefore returned LDAP_SUCCESS even though the
connection was not established. That confused the caller of cb_get_connection
and let it call ldap_sasl_bind with a NULL ld, which caused the assertion
failure.
Fix Description: remove the local variable declaration in the scope.
https://fedorahosted.org/389/ticket/47948
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index a85b392..4b323b1 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -463,7 +463,6 @@ cb_get_connection(cb_conn_pool * pool,
ldap_controls_free(serverctrls);
}
} else if (secure == 2) {
- int rc;
/* the start_tls operation is usually performed in slapi_ldap_bind, but
since we are not binding we still need to start_tls */
if (cb_debug_on()) {
commit a2e0de3aa90f04593427628afeb7fe090dac93fb
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Nov 10 13:51:34 2014 -0800
Ticket #47945 - Add SSL/TLS version info to the access log
Description: Added the currently used SSL library version info per
connection to the access log.
Sample output:
SSL
[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[..] conn=3 TLS1.2 128-bit AES-GCM
startTLS
[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[..] conn=4 TLS1.2 128-bit AES-GCM
To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_
TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this
patch calculates the number and generates the version string.
https://fedorahosted.org/389/ticket/47945
Reviewed and advised by rmeggins(a)redhat.com (Thanks a lot, Rich!!)
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
index 5b7dc31..0219576 100644
--- a/ldap/servers/slapd/auth.c
+++ b/ldap/servers/slapd/auth.c
@@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
int keySize = 0;
char* cipher = NULL;
char* extraErrorMsg = "";
- SSLChannelInfo channelInfo;
- SSLCipherSuiteInfo cipherInfo;
- char* subject = NULL;
+ SSLChannelInfo channelInfo;
+ SSLCipherSuiteInfo cipherInfo;
+ char* subject = NULL;
+ char sslversion[64];
if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {
PRErrorCode errorCode = PR_GetError();
@@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
* to be enough, close the SSL connection. */
if ( conn->c_flags & CONN_FLAG_START_TLS ) {
if ( cipherInfo.symKeyBits == 0 ) {
- start_tls_graceful_closure( conn, NULL, 1 );
- goto done;
- }
+ start_tls_graceful_closure( conn, NULL, 1 );
+ goto done;
+ }
}
if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
- goto done;
- }
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
+ goto done;
+ }
if (clientCert == NULL) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" );
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
} else {
- subject = subject_of (clientCert);
- if (!subject) {
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL");
- goto done;
- }
- {
- char* issuer = issuer_of (clientCert);
- char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",
- (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL",
- subject ? escape_string( subject, sbuf ) : "NULL",
- issuer ? escape_string( issuer, ibuf ) : "NULL");
- if (issuer) free (issuer);
- }
- slapi_dn_normalize (subject);
+ subject = subject_of (clientCert);
+ if (!subject) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL");
+ goto done;
+ }
+ {
+ char* issuer = issuer_of (clientCert);
+ char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL",
+ subject ? escape_string( subject, sbuf ) : "NULL",
+ issuer ? escape_string( issuer, ibuf ) : "NULL");
+ if (issuer) free (issuer);
+ }
+ slapi_dn_normalize (subject);
{
LDAPMessage* chain = NULL;
char *basedn = config_get_basedn();
@@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
sdn = slapi_sdn_new_dn_passin(clientDN);
clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
slapi_sdn_free(&sdn);
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL client bound as %s\n",
- (long long unsigned int)conn->c_connid, clientDN);
+ "conn=%" NSPRIu64 " %s client bound as %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, clientDN);
} else if (clientCert != NULL) {
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion,
+ sslversion, sizeof(sslversion));
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL failed to map client "
+ "conn=%" NSPRIu64 " %s failed to map client "
"certificate to LDAP DN (%s)\n",
- (long long unsigned int)conn->c_connid, extraErrorMsg );
+ (long long unsigned int)conn->c_connid,
+ sslversion, extraErrorMsg);
}
/*
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index a8d7738..921c397 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
/* ldaputil.c */
char *ldaputil_get_saslpath();
+/* ssl.c */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+/* vnum is supposed to be in one of the following:
+ * nss3/sslproto.h
+ * #define SSL_LIBRARY_VERSION_2 0x0002
+ * #define SSL_LIBRARY_VERSION_3_0 0x0300
+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
+ * ...
+ */
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
+
#ifdef __cplusplus
}
#endif
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f81d1fb..5d6919a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[];
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
static SSLVersionRange enabledNSSVersions;
static SSLVersionRange slapdNSSVersions;
-static char *getNSSVersion_str(PRUint16 vnum);
#endif
/* dongle_file_name is set in slapd_nss_init when we set the path for the
@@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = {
{NULL, NULL}
};
+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
+#define VERSION_STR_LENGTH 64
+
/* Supported SSL versions */
/* nsSSL2: on -- we don't allow this any more. */
PRBool enableSSL2 = PR_FALSE;
@@ -418,8 +420,8 @@ getSSLVersionRange(char **min, char **max)
#if defined(NSS_TLS10)
return -1; /* not supported */
#else /* NSS_TLS11 or newer */
- *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min));
- *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max));
+ *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
+ *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
return 0;
#endif
}
@@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log)
}
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
-typedef struct _nss_version_list {
- PRUint16 vnum;
- char* vname;
-} NSSVersion_list;
-NSSVersion_list _NSSVersion_list[] =
-{
- {SSL_LIBRARY_VERSION_2, "SSL2"},
- {SSL_LIBRARY_VERSION_3_0, "SSL3"},
- {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"},
- {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"},
-#if defined(NSS_TLS12)
- {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"},
-#endif
- {0, "unknown"}
-};
-
-static char *
-getNSSVersion_str(PRUint16 vnum)
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+char *
+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)
{
- NSSVersion_list *nvlp = NULL;
- char *vstr = "none";
- if (vnum) {
- for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) {
- if (nvlp->vnum == vnum) {
- vstr = nvlp->vname;
- break;
+ char *vstr = buf;
+ if (vnum >= SSL_LIBRARY_VERSION_3_0) {
+ if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL3");
+ } else {
+ vstr = slapi_ch_smprintf("SSL3");
+ }
+ } else { /* TLS v X.Y */
+ const char *TLSFMT = "TLS%d.%d";
+ int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
+
+ if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
+ minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
+ }
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
+ } else {
+ vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
}
}
+ } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL2");
+ } else {
+ vstr = slapi_ch_smprintf("SSL2");
+ }
+ } else {
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum);
+ } else {
+ vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);
+ }
}
return vstr;
}
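Review bot: The `minor_offset` test `(vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0` is a bit mask rather than a major-byte comparison, so any major byte that has bits 0x03 set (0x07, 0x0b, 0x0f, ...) would also take the offset and an X.0 version in that range would print a negative minor; `if ((vnum >> 8) == 3) {` states the intended "TLS 1.x shares the 0x03 major byte" rule exactly, which matters only if NSS ever moves past the values listed in the header comment, but costs nothing now. The comment block above the function should also record that the buffered form is silently truncated when bufsize is too small, since the PR_snprintf return value is discarded in all four branches, and that VERSION_STR_LENGTH is sized for the longest string this function emits. The four `if (buf && bufsize) ... else ...` pairs repeat the same buffer-versus-allocate decision; formatting once into a local `char tmp[VERSION_STR_LENGTH]` and choosing between `PR_snprintf(buf, bufsize, "%s", tmp)` and `slapi_ch_smprintf("%s", tmp)` at the end would leave a single copy of that decision and a single allocation site.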
@@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum)
static void
restrict_SSLVersionRange(void)
{
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
if (slapdNSSVersions.min > slapdNSSVersions.max) {
slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
if (enableSSL3) {
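Review bot: `mymin` and `mymax` are rendered once at the top of restrict_SSLVersionRange and are never refreshed after the function rewrites `slapdNSSVersions`, so every warning that follows an adjustment now reports the pre-adjustment value, whereas the removed `getNSSVersion_str(slapdNSSVersions.max)` calls reported the current one. In this hunk `slapdNSSVersions.max = enabledNSSVersions.max;` resets the max and the next hunk's "Configured range: min: %s, max: %s" message still prints the old `mymax`; the same applies to the later hunks of this function, most visibly the `@@ -983,8 +991,7 @@` hunk, where the "Configuring the version range as min: %s" message prints `mymin` right after `slapdNSSVersions.min = SSLVGreater(...)` assigned a new value. Re-running `(void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));` (and the min counterpart) after each assignment, or rendering the strings just before each warn as the slapd_ssl_init2 hunk already does after calling this function, restores the previous output. The function body continues beyond this hunk.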
@@ -911,17 +931,14 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Respect the supported range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
}
if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Resetting the max to the supported max SSL version: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymin, mymax, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
}
} else {
@@ -930,8 +947,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
@@ -939,19 +955,13 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
} else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
- "Resetting the range to: min: %s, max: %s.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0),
- getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0));
- slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0;
- slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0;
+ "We strongly recommend to set sslVersionMax higher than %s.",
+ mymin, mymax, emax);
} else {
/*
* slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
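Review bot: The new "Too low configured range" message passes `emax` as its third argument, so the text recommends setting sslVersionMax higher than the NSS-supported maximum, which no configuration can satisfy; judging by the `< SSL_LIBRARY_VERSION_TLS_1_1` test that selects this branch, the configured value seems to be what was meant, i.e. `mymin, mymax, mymax);`, or the wording could name the threshold directly ("at least TLS1.1"). This branch also used to force both ends of the range to TLS1.0 and now leaves the configured sub-TLS1.1 range in effect after warning; if that is the intended policy, a comment such as `/* Keep the explicitly configured range; only warn that it is below TLS1.1. */` above the slapd_SSL_warn would record the decision for the next reader. The enclosing if/else chain starts and ends outside this hunk.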
@@ -960,8 +970,7 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
enableTLS1 = PR_TRUE;
}
}
@@ -971,8 +980,7 @@ restrict_SSLVersionRange(void)
/* TLS1 is on, but TLS1 is not supported by NSS. */
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Setting the version range based upon the supported range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
slapdNSSVersions.max = enabledNSSVersions.max;
slapdNSSVersions.min = enabledNSSVersions.min;
enableSSL3 = PR_TRUE;
@@ -983,8 +991,7 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
slapd_SSL_warn("Default SSL Version settings; "
"Configuring the version range as min: %s, max: %s; ",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
} else {
/*
* slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
@@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void)
} else {
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Respect the configured range.",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
/* nsTLS1 is explicitly set to off. */
if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
enableTLS1 = PR_TRUE;
@@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available)
char *keydb_file_name = NULL;
char *secmoddb_file_name = NULL;
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
/* Get the range of the supported SSL version */
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
"supported range by NSS: min: %s, max: %s\n",
- getNSSVersion_str(enabledNSSVersions.min),
- getNSSVersion_str(enabledNSSVersions.max));
+ emin, emax);
#endif
/* set in slapd_bootstrap_config,
@@ -1351,34 +1359,37 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
{
char *vp, *endp;
int vnum;
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
if (NULL == rval) {
return 1;
}
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */
vp = val + SSLLEN;
vnum = strtol(vp, &endp, 10);
if (2 == vnum) {
if (ismin) {
if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) {
- slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
- "\"%s\" is lower than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
- (*rval) = enabledNSSVersions.min;
+ slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
+ "\"%s\" is lower than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emin);
+ (*rval) = enabledNSSVersions.min;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
} else {
if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) {
/* never happens */
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
- "\"%s\" is higher than the supported version; "
- "the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
- (*rval) = enabledNSSVersions.max;
+ "\"%s\" is higher than the supported version; "
+ "the default value \"%s\" is used.",
+ val, emax);
+ (*rval) = enabledNSSVersions.max;
} else {
- (*rval) = SSL_LIBRARY_VERSION_2;
+ (*rval) = SSL_LIBRARY_VERSION_2;
}
}
} else if (3 == vnum) {
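Review bot: The re-indentation of the `slapd_SSL_warn(...)` continuation lines and the two `(*rval) = SSL_LIBRARY_VERSION_2;` statements in this hunk is a whitespace-only change mixed into a functional one, which makes the real change (`emin`/`emax` replacing the removed calls) harder to pick out in review and in blame. Keeping re-indentation in a separate commit, or limiting it to the lines whose content changes, would keep this hunk to the version-string substitution it is about. set_NSS_version continues beyond this hunk.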
@@ -1387,7 +1398,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1398,7 +1409,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_3_0;
@@ -1408,12 +1419,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1427,7 +1438,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1438,7 +1449,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
@@ -1450,7 +1461,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1461,7 +1472,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
@@ -1474,7 +1485,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1485,7 +1496,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.max));
+ val, emax);
(*rval) = enabledNSSVersions.max;
} else {
(*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
@@ -1497,13 +1508,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is out of the range of the supported version; "
"the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1511,12 +1522,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
if (ismin) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emin);
(*rval) = enabledNSSVersions.min;
} else {
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is invalid; the default value \"%s\" is used.",
- val, getNSSVersion_str(enabledNSSVersions.min));
+ val, emax);
(*rval) = enabledNSSVersions.max;
}
}
@@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
PRUint16 NSSVersionMin = enabledNSSVersions.min;
PRUint16 NSSVersionMax = enabledNSSVersions.max;
+ char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ char newmax[VERSION_STR_LENGTH];
#endif
char cipher_string[1024];
int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
@@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
slapi_ch_free_string( &val );
if (NSSVersionMin > NSSVersionMax) {
+ (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
- getNSSVersion_str(NSSVersionMin),
- getNSSVersion_str(NSSVersionMax));
+ mymin, mymax);
+ (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
- getNSSVersion_str(NSSVersionMax),
- getNSSVersion_str(enabledNSSVersions.max));
+ mymax, newmax);
NSSVersionMax = enabledNSSVersions.max;
}
#endif
@@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
restrict_SSLVersionRange();
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
"Configured SSL version range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
if (sslStatus == SECSuccess) {
/* Set the restricted value to the cn=encryption entry */
} else {
slapd_SSL_error("SSL Initialization 2: "
"Failed to set SSL range: min: %s, max: %s\n",
- getNSSVersion_str(slapdNSSVersions.min),
- getNSSVersion_str(slapdNSSVersions.max));
+ mymin, mymax);
}
} else {
#endif