From f9592d83d8804ba9f39912679f6c87bc343ec719 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 21 Jan 2015 17:36:29 -0800
Subject: [PATCH 302/305] Ticket #47996 - ldclt needs to support SSL Version
range
Description: ldclt did not have code to set the enabled SSL version.
This patch sets the range.min and range.max based upon the range that
the linked NSS provides.
https://fedorahosted.org/389/ticket/47996
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 7c30e11f6f337472dace6f146845bb14f5601e2b)
(cherry picked from commit 6431142506a05e9ef4c095b538d7d852f176e300)
(cherry picked from commit cef5810bd981d2080820ce58f20504fbfd95c54c)
(cherry picked from commit d26ed48cb78c034462757dece5dfcb2ef569bdd1)
---
ldap/servers/slapd/tools/ldclt/ldapfct.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index 8fd3304..1c9aea0 100644
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -275,6 +275,7 @@ int ldclt_build_control( char *oid, BerElement *ber, int freeber, char iscritica
#endif
int ldclt_alloc_ber( LDAP *ld, BerElement **berp );
+static SSLVersionRange enabledNSSVersions;
/* ****************************************************************************
FUNCTION : my_ldap_err2string
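Review bot: `enabledNSSVersions` is a new file-scope static whose only use, in the last hunk of connectToLDAP, is to receive the result of `SSL_VersionRangeGetSupported` and be copied field-by-field into the local `range`; nothing else reads it, so it adds shared mutable state for no benefit. connectToLDAP takes a thread_context and appears to run per worker thread, so concurrent calls would write this static unsynchronized, which is a data race even if the values written are always identical. Passing the local instead, `SSL_VersionRangeGetSupported(ssl_variant_stream, &range);`, makes the two assignments and this declaration unnecessary.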
@@ -647,14 +648,6 @@ ldclt_clientauth(thread_context *tttctx, LDAP *ld, const char *path, const char
thrdNum = tttctx->thrdNum;
}
- rc = NSS_Initialize(path, "", "", SECMOD_DB, NSS_INIT_READONLY);
- if (rc != SECSuccess) {
- printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
- mctx.pid, thrdNum, path, PR_GetError());
- fflush(stdout);
- goto done;
- }
-
if ((colon = PL_strchr(certname, ':' ))) {
token_name = PL_strndup(certname, colon-certname);
}
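Review bot: With `NSS_Initialize` removed here, ldclt_clientauth now depends on its caller having initialized NSS, but that precondition is not recorded anywhere in the function. Suggest stating it in the function's header comment, e.g. `/* Precondition: NSS must already be initialized (connectToLDAP does this before calling us). */`, so a future caller does not reintroduce the old failure mode. If ldclt_clientauth has callers other than connectToLDAP, they would now run without NSS initialized; that cannot be checked from this hunk. The enclosing function begins and ends outside the hunk.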
@@ -741,6 +734,7 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
int thrdNum = 0;
int ret = -1;
int binded = 0;
+ SSLVersionRange range;
if (tttctx) {
thrdNum = tttctx->thrdNum;
@@ -787,6 +781,21 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
free(certdir);
goto done;
}
+ /* Initialize NSS */
+ ret = NSS_Initialize(certdir, "", "", SECMOD_DB, NSS_INIT_READONLY);
+ if (ret != SECSuccess) {
+ printf ("ldclt[%d]: T%03d: Cannot NSS_Initialize(%s) %d\n",
+ mctx.pid, thrdNum, certdir, PR_GetError());
+ fflush(stdout);
+ goto done;
+ }
+
+ /* Set supported SSL version range. */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
+ range.min = enabledNSSVersions.min;
+ range.max = enabledNSSVersions.max;
+ SSL_VersionRangeSetDefault(ssl_variant_stream, &range);
+
if ((mode & CLTAUTH) &&
(ret = ldclt_clientauth(tttctx, ld, certdir, mctx.cltcertname, mctx.keydbpin))) {
free(certdir);
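Review bot: `SSL_VersionRangeGetSupported` and `SSL_VersionRangeSetDefault` both return SECStatus, and the new code discards both results, so a failure leaves the default version range wherever NSS left it and the connection continues silently; the calls should be checked the same way `NSS_Initialize` is on the line above them. The new `NSS_Initialize` failure branch also does `goto done` without `free(certdir)`, unlike the error paths immediately before and after it in this hunk, which leaks the buffer unless `done:` frees it (not visible here); adding `free(certdir);` before that `goto done;` keeps it consistent. Note too that `ret` holds SECSuccess (0) after a successful `NSS_Initialize`, so a later `goto done` that does not reset it would report success if `done:` returns `ret` — worth confirming, since the function ends outside the hunk. The rewrite below checks both range calls, keeps the range local, and sets `ret = -1` on the new failure path.
```c
    /* … unchanged: NSS_Initialize call and its error path … */

    /* Enable every SSL/TLS version the linked NSS supports; both calls return SECStatus. */
    if (SSL_VersionRangeGetSupported(ssl_variant_stream, &range) != SECSuccess ||
        SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) {
        printf ("ldclt[%d]: T%03d: Cannot set SSL version range %d\n",
                mctx.pid, thrdNum, PR_GetError());
        fflush(stdout);
        free(certdir);
        ret = -1;
        goto done;
    }
```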
--
1.9.3