From dd2dc9218ec91589f03c89f4f38fe2927bf5e3ab Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Wed, 10 Sep 2014 18:56:43 -0700

Subject: [PATCH 6/7] Ticket #47895 - If no effective ciphers are available,

 disable security setting.

Description: If nsslapd-security is "on" and nsSSL3Ciphers is given

AND none of the ciphers are available or some syntax error is detected,

the server sets nsslapd-security "off" and starts up.

https://fedorahosted.org/389/ticket/47895

Reviewed by nkinder@redhat.com (Thank you, Nathan!!)

(cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)

(cherry picked from commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b)

---

 ldap/servers/slapd/main.c | 42 ++++++++++++++++++++++++++++++------------

 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c

index d577514..6bad2a0 100644

--- a/ldap/servers/slapd/main.c

+++ b/ldap/servers/slapd/main.c

@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )

 }

 #endif /* LDAP_DEBUG */

+static int

+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)

+{

+	char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];

+	errorbuf[0] = '\0';

+

+    LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed.  Disabling %s.\n", what, what);

+    ports_info->s_socket = SLAPD_INVALID_SOCKET;

+    ports_info->s_port = 0;

+    *init_ssl = 0;

+    if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {

+        LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n", 

+                       CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");

+        return 1;

+    }

+	return 0;

+}

+

 /*

   This function does all NSS and SSL related initialization

   required during startup.  We use this function rather

@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,

 	 * modules can assume NSS is available

 	 */

 	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),

-                        (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {

-        LDAPDebug(LDAP_DEBUG_ANY,

-                  "ERROR: NSS Initialization Failed.\n", 0, 0, 0);

-        return 1;

+	                    (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {

+	    if (force_to_disable_security("NSS", &init_ssl, ports_info)) {

+	        return 1;

+	    }

 	}

 	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {

         client_auth_init();

 	}

-	if ( init_ssl && ( 0 != slapd_ssl_init())) {

-		LDAPDebug(LDAP_DEBUG_ANY,

-                  "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );

-		return 1;

+	if (init_ssl && slapd_ssl_init()) {

+	    if (force_to_disable_security("SSL", &init_ssl, ports_info)) {

+	        return 1;

+	    }

 	}

 	if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||

@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,

 		if ( init_ssl ) {

 			PRFileDesc **sock;

 			for (sock = ports_info->s_socket; sock && *sock; sock++) {

-				if ( 0 != slapd_ssl_init2(sock, 0) ) {

-					LDAPDebug(LDAP_DEBUG_ANY,

-                              "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );

-					return 1;

+				if ( slapd_ssl_init2(sock, 0) ) {

+				    if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {

+				        return 1;

+				    }

 				}

 			}

 		}

-- 

1.9.3