include/libadminutil/admutil.h | 6 ++++
lib/libadminutil/admutil.c | 50 +++++++++++++++++++++++++++++++++++++++++
lib/libadmsslutil/admsslutil.c | 7 +++++
3 files changed, 63 insertions(+)
New commits:
commit 4896a04a1d510116afc346bff2c0c3e67a0348d8
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Oct 29 14:26:25 2014 -0400
Ticket 47929 - Adminutil - do not use SSL3 by default
Bug Description: SSLv3 is no longer safe to use
Fix Description: Set the min and max range to use tls 1.1 and up by default.
Also allow the mix/max ssl versions to be customized.
https://fedorahosted.org/389/ticket/47462
Reviewed by: nhosoi(Thanks!)
diff --git a/include/libadminutil/admutil.h b/include/libadminutil/admutil.h
index 70cde0d..98189e7 100644
--- a/include/libadminutil/admutil.h
+++ b/include/libadminutil/admutil.h
@@ -150,6 +150,12 @@ admldapBuildInfo(char* configRoot, int *errorcode);
PR_IMPLEMENT(void)
destroyAdmldap(AdmldapInfo info);
+PR_IMPLEMENT(int)
+admldapGetSSLMin(AdmldapInfo info);
+
+PR_IMPLEMENT(int)
+admldapGetSSLMax(AdmldapInfo info);
+
PR_IMPLEMENT(char*)
admldapGetHost(AdmldapInfo info);
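Review bot: The two new public declarations admldapGetSSLMin and admldapGetSSLMax carry no comment saying what the int they return means, so a caller has no way to know it is an NSS `SSL_LIBRARY_VERSION_*` value rather than, say, a boolean or an index. I would put a short comment above each, e.g. `/* Returns the NSS SSL_LIBRARY_VERSION_* value configured as sslVersionMin (sslVersionMax for the Max variant), or the built-in default when the setting is absent or unrecognised. */`. Stating that the defaults are TLS 1.1 and TLS 1.2 in the header would also document the policy this ticket introduces where users of the library will actually look for it.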
diff --git a/lib/libadminutil/admutil.c b/lib/libadminutil/admutil.c
index f896655..c8e4f6f 100644
--- a/lib/libadminutil/admutil.c
+++ b/lib/libadminutil/admutil.c
@@ -69,6 +69,8 @@
#include "libadminutil/admutil-int.h"
#include "libadminutil/distadm.h"
#include <ssl.h>
+#include "sslproto.h"
+#include "nss.h"
#if defined(USE_OPENLDAP)
#include <lber.h>
#else
@@ -1527,6 +1529,54 @@ destroyAdmldap(AdmldapInfo info)
}
}
+static int
+getSSLVersion(char *version)
+{
+ if(version == NULL){
+ return 0;
+ }
+
+ if (!strcasecmp(version, "ssl3")){
+ return SSL_LIBRARY_VERSION_3_0;
+ } else if (!strcasecmp(version, "tls1.0")){
+ return SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (!strcasecmp(version, "tls1.1")){
+ return SSL_LIBRARY_VERSION_TLS_1_1;
+ } else if (!strcasecmp(version, "tls1.2")){
+ return SSL_LIBRARY_VERSION_TLS_1_2;
+ } else if (!strcasecmp(version, "tls1.3")){
+ return SSL_LIBRARY_VERSION_TLS_1_3;
+ } else {
+ return 0;
+ }
+}
+
+PR_IMPLEMENT(int)
+admldapGetSSLMin(AdmldapInfo info)
+{
+ AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info;
+ int version = getSSLVersion(treeFindValueAt(admInfo->configInfo,
"sslVersionMin", 0));
+
+ if(!version){
+ return SSL_LIBRARY_VERSION_TLS_1_1;
+ } else {
+ return version;
+ }
+}
+
+PR_IMPLEMENT(int)
+admldapGetSSLMax(AdmldapInfo info)
+{
+ AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info;
+ int version = getSSLVersion(treeFindValueAt(admInfo->configInfo,
"sslVersionMax", 0));
+
+ if(!version){
+ return SSL_LIBRARY_VERSION_TLS_1_2;
+ } else {
+ return version;
+ }
+}
+
PR_IMPLEMENT(char*)
admldapGetHost(AdmldapInfo info)
{
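Review bot: getSSLVersion returns 0 for any unrecognised string, and admldapGetSSLMin/admldapGetSSLMax then silently substitute the built-in default, so a typo such as `tls1.2 ` or `TLSv1.2` in sslVersionMin/sslVersionMax is indistinguishable from the setting being absent and an administrator gets no diagnostic that their configured range was ignored. At minimum I would separate "not configured" (NULL) from "configured but invalid" in getSSLVersion and log the latter, since the whole point of the commit is that the effective range is a security property. Two smaller points on the same hunk: `version` is only read, so the signature should be `getSSLVersion(const char *version)`, and the `SSL_LIBRARY_VERSION_TLS_1_3` case presumably only compiles against an NSS that already defines that constant, so it may need an `#ifdef SSL_LIBRARY_VERSION_TLS_1_3` guard unless the build already requires such a version. Nothing here checks that the configured min does not exceed the configured max; that is left to the caller in admsslutil.c.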
diff --git a/lib/libadmsslutil/admsslutil.c b/lib/libadmsslutil/admsslutil.c
index 1ba0dfa..8c4c52b 100644
--- a/lib/libadmsslutil/admsslutil.c
+++ b/lib/libadmsslutil/admsslutil.c
@@ -131,6 +131,8 @@ static int initNSS(const char *securitydir, AdmldapInfo info)
char *custom_file_copy = NULL;
PRUint32 flags = 0;
char *db_name;
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
/* PKSC11 module must be configured before NSS is initialized */
db_name = PL_strdup("internal (software) ");
@@ -166,6 +168,11 @@ static int initNSS(const char *securitydir, AdmldapInfo info)
return -1;
}
+ range.min = admldapGetSSLMin(info);
+ range.max = admldapGetSSLMax(info);
+ variant = ssl_variant_stream;
+ SSL_VersionRangeSetDefault(variant, &range);
+
/* set export policy */
if(SSLPLCY_Install() != PR_SUCCESS) {
return -1;
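Review bot: The return value of `SSL_VersionRangeSetDefault(variant, &range)` is ignored, so if the configured range is rejected by NSS (min greater than max, or a version this NSS build does not support) the library's own default range stays in effect and the SSLv3 exclusion this ticket is meant to guarantee silently does not happen, while the rest of initNSS continues as if it had. Since every other failing step in this function already returns -1, the call should follow suit: `if (SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) { return -1; }`, which also makes the `variant` local unnecessary. A `range.min > range.max` check before the call, with a log message naming the two config values, would give the administrator a usable error instead of a bare failure. initNSS begins and ends outside this hunk.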