From 0e32f3731887dbdf9c594a94fee693826f1a96de Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 23 Sep 2014 14:38:00 -0700
Subject: [PATCH 10/14] Ticket #47908 - 389-ds 1.3.3.0 does not adjust cipher
suite configuration on upgrade, breaks itself and pki-server
Description:
In the given cipher list:
nsSSL3Ciphers: +rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,
+fortezza
there were 2 issues.
1) An old cipher suite name rsa_des_sha was not correctly mapped
to the name supported by NSS (TLS_RSA_WITH_DES_CBC_SHA) in the
mapping table. And the unsupported cipher name was not gracefully
skipped but returned an error. This patch fixes the mapped name
and the behaviour so that it skips the unknown/unsupported cipher.
2) A cipher "fortezza" is deprecated. It's now skipped with the
proper warning message.
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
https://fedorahosted.org/389/ticket/47908
(cherry picked from commit 83a6ceb556e769f0d0a201f4a3d783ae3915c6bc)
(cherry picked from commit 4e347407887589635fe077fb6174d20d3d34c7c8)
---
ldap/servers/slapd/ssl.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 03b5904..4e38308 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -172,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
{"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
{"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
{"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
- {"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"},
+ {"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"},
{"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
{"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
{"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
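Review bot: The corrected alias makes `rsa_des_sha` resolve to `TLS_RSA_WITH_DES_CBC_SHA`, a single-DES suite, so a legacy nsSSL3Ciphers entry that until now failed to map will be honoured after the upgrade; whether it is then actually enabled presumably depends on the CIPHER_IS_WEAK flag carried by that suite's `_conf_ciphers` entry, which is outside this hunk. A short comment on the line would keep that dependency visible to the next maintainer, e.g. `/* legacy alias for single DES; only takes effect if the weak-cipher policy allows it */`. The same caveat applies to the neighbouring `rsa_fips_des_sha`/`fips_des_sha` rows.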
@@ -455,7 +455,7 @@ _conf_setciphers(char *ciphers, int flags)
char *raw = ciphers;
char **suplist = NULL;
char **unsuplist = NULL;
- int lookup;
+ PRBool enabledOne = PR_FALSE;
/* #47838: harden the list of ciphers available by default */
/* Default is to activate all of them ==> none of them*/
@@ -474,6 +474,7 @@ _conf_setciphers(char *ciphers, int flags)
* from the console
*/
_conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
+ enabledOne = PR_TRUE;
} else {
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
* then enable specified ciphers. */
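Review bot: `enabledOne = PR_TRUE` on the `+all` path records that every cipher was requested, not that `_conf_setallciphers` actually enabled any; if that call ends up enabling nothing (every suite filtered by the weak-cipher flag or unavailable in this NSS build), the new "No active cipher suite" guard later in the function is bypassed and the server starts with an empty suite list. `_conf_setallciphers` fills `suplist`, which the code further down treats as the list of supported suites, so deriving the flag from its output would be more honest: `enabledOne = (suplist && *suplist) ? PR_TRUE : PR_FALSE;` — confirm against `_conf_setallciphers`, whose body is not in this diff. `_conf_setciphers` starts and ends outside this hunk.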
@@ -499,7 +500,7 @@ _conf_setciphers(char *ciphers, int flags)
if (strcasecmp(ciphers, "all")) { /* if not all */
PRBool enabled = active ? PR_TRUE : PR_FALSE;
- lookup = 1;
+ int lookup = 1;
for (x = 0; _conf_ciphers[x].name; x++) {
if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
@@ -558,6 +559,9 @@ _conf_setciphers(char *ciphers, int flags)
enabled = cipher_check_fips(x, NULL, &unsuplist);
}
}
+ if (enabled) {
+ enabledOne = PR_TRUE; /* At least one active cipher is set. */
+ }
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
break;
}
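Review bot: `enabledOne` is raised from the local `enabled` flag before `SSL_CipherPrefSetDefault` runs, and that call's `SECStatus` is discarded, so a suite NSS declines to enable (policy or FIPS restriction) still counts as active and the later "no active cipher suite" check is defeated. Tie the flag to the outcome instead: `SECStatus rv = SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);` then `if (enabled && rv == SECSuccess) { enabledOne = PR_TRUE; }`, and log the failure case so the operator sees why a configured suite is missing. The enclosing `_conf_setciphers` starts and ends outside this hunk.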
@@ -566,15 +570,14 @@ _conf_setciphers(char *ciphers, int flags)
}
}
}
- if(!_conf_ciphers[x].name) {
- PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers);
- slapi_ch_free((void **)&suplist); /* strings inside are static */
- slapi_ch_free((void **)&unsuplist); /* strings inside are static */
- return slapi_ch_strdup(err);
+ if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */
+ slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
+ ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
}
}
- if(t)
+ if(t) {
ciphers = t;
+ }
}
if (unsuplist && *unsuplist) {
char *strsup = charray2str(suplist, ",");
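Review bot: An unrecognised name in nsSSL3Ciphers now only logs a warning where it used to fail the whole setting, so a typo silently drops a suite from the configured set; the new enabledOne guard catches the case where nothing is left, but not the case where the misspelled entry was the strong one and only weaker entries survive. The warning should tell the operator what to do, e.g. `"Cipher suite %s is not available in NSS %d.%d. Ignoring %s; check nsSSL3Ciphers for misspelled or obsolete names"`. Also, the guard `!lookup && !_conf_ciphers[x].name` can only fire if something in the loop clears `lookup`, which this diff shows initialised to 1 and never reset; that reset must live in the part of the loop outside the hunk, so confirm that a name missing from both the direct table and the alias table still reaches this warning. `_conf_setciphers` starts and ends outside this hunk.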
@@ -592,6 +595,10 @@ _conf_setciphers(char *ciphers, int flags)
slapi_ch_free((void **)&suplist); /* strings inside are static */
slapi_ch_free((void **)&unsuplist); /* strings inside are static */
+ if (!enabledOne) {
+ char *nocipher = PR_smprintf("No active cipher suite is available.");
+ return nocipher;
+ }
_conf_dumpciphers();
return NULL;
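Review bot: The new failure path returns a `PR_smprintf` allocation, while the error string this function previously returned (the `slapi_ch_strdup(err)` this patch removes) came from the slapi allocator; if the caller still releases the result with `slapi_ch_free`, the two allocators are now mixed on the same pointer. Keep the function's existing convention and include the rejected value so the upgrade failure from this ticket is diagnosable, reusing the `err` buffer the removed lines used (assuming it is still declared) and the `raw` copy of the original string taken at the top of the function: `PR_snprintf(err, sizeof(err), "No active cipher suite is available for nsSSL3Ciphers: %s", raw);` followed by `return slapi_ch_strdup(err);`. The enclosing `_conf_setciphers` starts outside this hunk.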
--
1.9.3