Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15
mozldap
mozldap-6.0.7-support-tls1.1-and-later.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mozldap-6.0.7-support-tls1.1-and-later.patch of Package mozldap
From e151b116410feab82847740693f55233a19c8661 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi <nhosoi@redhat.com> Date: Mon, 3 Nov 2014 14:57:04 -0800 Subject: Disable SSL3 - Support TLS 1.1 and newer using the NSS Version Range APIs. Index: mozldap-6.0.7/c-sdk/ldap/libraries/libssldap/ldapsinit.c =================================================================== --- mozldap-6.0.7.orig/c-sdk/ldap/libraries/libssldap/ldapsinit.c +++ mozldap-6.0.7/c-sdk/ldap/libraries/libssldap/ldapsinit.c @@ -60,6 +60,7 @@ #include <errno.h> #include <nspr.h> +#include <nss.h> #include <cert.h> #include <key.h> #include <ssl.h> @@ -71,6 +72,19 @@ #include <ldap_ssl.h> #include <ldappr.h> #include <pk11func.h> + +#if NSS_VMAJOR * 100 + NSS_VMINOR >= 314 +/* TLS1.1 is defined in RFC4346. */ +#define NSS_TLS11 1 +static SSLVersionRange enabledNSSVersions; +static SSLVersionRange ldapNSSVersions; +#else +/* + * * TLS1.0 is defined in RFC2246. + * * Close to SSL 3.0. + * */ +#define NSS_TLS10 1 +#endif /* * Macro that determines how many SSL options we support. As of June, 2002 @@ -248,6 +262,18 @@ ldapssl_connect(const char *hostlist, in LDAPSSLSocketInfo *ssoip = NULL; LDAPSSLSessionInfo *sseip; PRFileDesc *sslfd = NULL; +#if defined(NSS_TLS11) + SECStatus sslStatus = SECSuccess; + char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION"); + /* Get the range of the supported SSL version */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); + if (s) { + ldapNSSVersions.min = enabledNSSVersions.min; + } else { + ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; + } + ldapNSSVersions.max = enabledNSSVersions.max; +#endif /* * Determine if secure option is set. Also, clear secure bit in options @@ -306,7 +332,16 @@ ldapssl_connect(const char *hostlist, in goto close_socket_and_exit_with_error; } +#if defined(NSS_TLS11) + sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions); + if (sslStatus != SECSuccess) { + goto close_socket_and_exit_with_error; + } +#endif if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess || +#if defined(NSS_TLS10) + SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) || +#endif SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess || ( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess )) { @@ -516,6 +551,18 @@ ldaptls_complete(LDAP *ld) int rc = LDAP_LOCAL_ERROR; char *hostlist = NULL; struct lextiof_socket_private *socketargp = NULL; +#if defined(NSS_TLS11) + SECStatus sslStatus = SECSuccess; + char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION"); + /* Get the range of the supported SSL version */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); + if (s) { + ldapNSSVersions.min = enabledNSSVersions.min; + } else { + ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; + } + ldapNSSVersions.max = enabledNSSVersions.max; +#endif /* * Get hostlist from LDAP Handle @@ -581,8 +628,16 @@ ldaptls_complete(LDAP *ld) goto close_socket_and_exit_with_error; } +#if defined(NSS_TLS11) + sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions); + if (sslStatus != SECSuccess) { + goto close_socket_and_exit_with_error; + } +#endif if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess || +#if defined(NSS_TLS10) SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess || +#endif SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess || ( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess ) ) { rc = LDAP_LOCAL_ERROR; @@ -1371,11 +1426,23 @@ ldapssl_import_fd ( LDAP *ld, int secure LDAPSSLSocketInfo *ssoip = NULL; LDAPSSLSessionInfo *sseip; PRFileDesc *sslfd = NULL; - LBER_SOCKET intfd = -1; - char *hostlist; - struct lextiof_socket_private *socketargp; + LBER_SOCKET intfd = -1; + char *hostlist; + struct lextiof_socket_private *socketargp; +#if defined(NSS_TLS11) + SECStatus sslStatus = SECSuccess; + char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION"); + /* Get the range of the supported SSL version */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); + if (s) { + ldapNSSVersions.min = enabledNSSVersions.min; + } else { + ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1; + } + ldapNSSVersions.max = enabledNSSVersions.max; +#endif - /* + /* * Get hostlist from LDAP Handle */ if ( ldap_get_option(ld, LDAP_OPT_HOST_NAME, &hostlist) < 0 ) { @@ -1432,8 +1499,16 @@ ldapssl_import_fd ( LDAP *ld, int secure goto reset_socket_and_exit_with_error; } +#if defined(NSS_TLS11) + sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions); + if (sslStatus != SECSuccess) { + goto reset_socket_and_exit_with_error; + } +#endif if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess || - SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) || +#if defined(NSS_TLS10) + SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) || +#endif SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess || ( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess )) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor