Implement new API for setting TLS protocol version.

The code being deleted has been misplaced and it's effect has been

mangled by a code later on. This patch puts the code at the correct

place and introduces some more logging and error checking.

Author: Matus Honek <mhonek@redhat.com>

RHBZ: #1249093

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c

--- a/libraries/libldap/tls_m.c

+++ b/libraries/libldap/tls_m.c

@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )

 			}

 		}

-		/*

-		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:

-		 *

-		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*

-		 */

-		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */

-		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;

-		variant = ssl_variant_stream;

-		SSL_VersionRangeSetDefault(variant, &range);

-

 		NSS_SetDomesticPolicy();

 		PK11_SetPasswordFunc( tlsm_pin_prompt );

@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )

 		       0, 0, 0 );

 		return -1;

 	}

+	if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {

+		SSLVersionRange supported_range, default_range, selected_range;

+		if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {

+			Debug( LDAP_DEBUG_ANY,

+			       "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",

+			       0, 0, 0 );

+			return -1;

+		} else {

+			Debug( LDAP_DEBUG_ANY,

+			       "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",

+			       supported_range.min, supported_range.max, 0);

+		}

+		if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {

+			Debug( LDAP_DEBUG_ANY,

+			       "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",

+			       0, 0, 0 );

+			return -1;

+		} else {

+			Debug( LDAP_DEBUG_ANY,

+			       "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",

+			       default_range.min, default_range.max, 0);

+		}

+		selected_range.min = lt->lt_protocol_min;

+		selected_range.max = supported_range.max;

+		Debug( LDAP_DEBUG_ANY,

+		       "TLS: info: TLS configured protocol minimal version is %#04x.\n",

+		       selected_range.min, selected_range.max, 0);

+		if ( (selected_range.min > supported_range.max) ||

+		     (selected_range.max < supported_range.min) ) {

+			Debug( LDAP_DEBUG_ANY,

+			       "TLS: error: selected protocol version range out of NSS-supported version range.\n",

+			       0, 0, 0);

+			return -1;

+		} else {

+			if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {

+				Debug( LDAP_DEBUG_ANY,

+				       "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",

+				       0, 0, 0);

+				return -1;

+			}

+			if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {

+				Debug( LDAP_DEBUG_ANY,

+				       "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",

+				       0, 0, 0);

+				return -1;

+			} else {

+				Debug( LDAP_DEBUG_ANY,

+				       "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",

+				       selected_range.min, selected_range.max, 0);

+			}

+		}

+	}

 	if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {

  		Debug( LDAP_DEBUG_ANY,