andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone
Source Code
GIT

Blame 0171-Ticket-47637-rsa_null_sha-should-not-be-enabled-by-d.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   c6
  2.   0171-Ticket-47637-rsa_null_sha-should-not-be-enabled-by-d.patch
Blob History Raw
dc8c34 
From 17c8ba1043232ab5223693d283763eebc331c99a Mon Sep 17 00:00:00 2001
dc8c34 
From: Mark Reynolds <mreynolds@redhat.com>
dc8c34 
Date: Thu, 6 Mar 2014 11:07:24 -0500
dc8c34 
Subject: [PATCH 171/225] Ticket 47637 - rsa_null_sha should not be enabled by
dc8c34 
 default
dc8c34
dc8c34 
Bug Description:  rsa_null_sha is enabled by default, this can allow unencrypted
dc8c34 
                  traffic over a TLS connection.
dc8c34
dc8c34 
Fix Description:  Disable rsa_null_sha, just like rsa_null_md5, by default.
dc8c34
dc8c34 
https://fedorahosted.org/389/ticket/47637
dc8c34
dc8c34 
Reviewed by: rmeggins(Thanks!)
dc8c34 
(cherry picked from commit 82b12c97afd34ecc8acfe54baaf0f32bd83a7edf)
dc8c34 
(cherry picked from commit 6a24433cd264faa5e78b94bcd11b39d945f38069)
dc8c34 
---
dc8c34 
 ldap/servers/slapd/ssl.c | 15 +++++++++++----
dc8c34 
 1 file changed, 11 insertions(+), 4 deletions(-)
dc8c34
dc8c34 
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
dc8c34 
index 61809aa..bbadf93 100644
dc8c34 
--- a/ldap/servers/slapd/ssl.c
dc8c34 
+++ b/ldap/servers/slapd/ssl.c
dc8c34 
@@ -135,8 +135,8 @@ static cipherstruct _conf_ciphers[] = {
dc8c34 
     {"SSL3","fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, /* ditto */
dc8c34 
     {"SSL3","rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5},
dc8c34 
     {"SSL3","rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
dc8c34 
-    {"SSL3","rsa_null_md5", SSL_RSA_WITH_NULL_MD5},
dc8c34 
-    {"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA},
dc8c34 
+    {"SSL3","rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, /* disabled by default */
dc8c34 
+    {"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, /* disabled by default */
dc8c34 
     {"TLS","tls_rsa_export1024_with_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
dc8c34 
     {"TLS","rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, /* ditto */
dc8c34 
     {"TLS","tls_rsa_export1024_with_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
dc8c34 
@@ -265,7 +265,9 @@ _conf_setallciphers(int active, char ***suplist, char ***unsuplist)
dc8c34 
      *       them to activate it by name. */
dc8c34 
     for(x = 0; _conf_ciphers[x].name; x++)  {
dc8c34 
         PRBool enabled = active ? PR_TRUE : PR_FALSE;
dc8c34 
-        if(active && !strcmp(_conf_ciphers[x].name, "rsa_null_md5"))  {
dc8c34 
+        if(active && (!strcmp(_conf_ciphers[x].name, "rsa_null_md5") ||
dc8c34 
+                      !strcmp(_conf_ciphers[x].name, "rsa_null_sha")))
dc8c34 
+        {
dc8c34 
             continue;
dc8c34 
         }
dc8c34 
         if (enabled) {
dc8c34 
@@ -317,7 +319,12 @@ _conf_setciphers(char *ciphers)
dc8c34 
         slapi_ch_free((void **)&suplist); /* strings inside are static */
dc8c34 
         return NULL;
dc8c34 
     }
dc8c34 
-/* Enable all the ciphers by default and the following while loop would disable the user disabled ones This is needed becuase we added a new set of ciphers in the table . Right now there is no support for this from the console */
dc8c34 
+    /*
dc8c34 
+     * Enable all the ciphers by default and the following while loop would
dc8c34 
+     * disable the user disabled ones.  This is needed because we added a new
dc8c34 
+     * set of ciphers in the table. Right now there is no support for this
dc8c34 
+     * from the console
dc8c34 
+     */
dc8c34 
     _conf_setallciphers(1, &suplist, NULL);
dc8c34
dc8c34 
     t = ciphers;
dc8c34 
--
dc8c34 
1.8.1.4
dc8c34

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation