From 3e11020fa7a79d335a02c001435aabcf59aaa622 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 24 Jul 2020 12:14:44 -0400
Subject: [PATCH] Issue 51129 - SSL alert: The value of sslVersionMax "TLS1.3"
is higher than the supported version
Bug Description: If you try and set the sslVersionMax higher than the
default range, but within the supported range, you
would still get an error and the server would reset
the max to "default" max value.
Fix Description: Keep track of both the supported and default SSL ranges,
and correctly use each range for value validation. If
the value is outside the supported range, then use default
value, etc, but do not check the requested range against
the default range. We only use the default range if
there is no specified min or max in the config, or if
an invalid min or max value is set in the config.
Also, refactored the range variable names to be more
accurate:
enabledNSSVersions --> defaultNSSVersions
emin, emax --> dmin, dmax
relates: https://pagure.io/389-ds-base/issue/51129
Reviewed by: firstyear(Thanks!)
---
ldap/servers/slapd/ssl.c | 155 ++++++++++++++++----------------
src/lib389/lib389/dirsrv_log.py | 2 +-
2 files changed, 81 insertions(+), 76 deletions(-)
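--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -50,11 +50,11 @@
 ******************************************************************************/
 
 #define DEFVERSION "TLS1.2"
-#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_2
 
 extern char *slapd_SSL3ciphers;
 extern symbol_t supported_ciphers[];
-static SSLVersionRange enabledNSSVersions;
+static SSLVersionRange defaultNSSVersions;
+static SSLVersionRange supportedNSSVersions;
 static SSLVersionRange slapdNSSVersions;
 
 
@@ -1014,15 +1014,24 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
 int create_certdb = 0;
 PRUint32 nssFlags = 0;
 char *certdir;
- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
- /* Get the range of the supported SSL version */
- SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions);
+ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH];
+ char smin[VERSION_STR_LENGTH], smax[VERSION_STR_LENGTH];
 
- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &supportedNSSVersions);
+ (void)slapi_getSSLVersion_str(supportedNSSVersions.min, smin, sizeof(smin));
+ (void)slapi_getSSLVersion_str(supportedNSSVersions.max, smax, sizeof(smax));
+
+ /* Get the enabled default range */
+ SSL_VersionRangeGetDefault(ssl_variant_stream, &defaultNSSVersions);
+ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin));
+ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax));
 slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",
 "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n",
- emin, emax);
+ smin, smax);
+ slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",
+ "slapd_nss_init - Enabled default range by NSS: min: %s, max: %s\n",
+ dmin, dmax);
 
 /* set in slapd_bootstrap_config,
 thus certdir is available even if config_available is false
@@ -1344,21 +1353,21 @@ static int
 set_NSS_version(char *val, PRUint16 *rval, int ismin)
 {
 char *vp;
- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH];
 
 if (NULL == rval) {
 return 1;
 }
- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin));
+ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax));
 
 if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# NOT SUPPORTED */
 if (ismin) {
- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s\n", emin);
- (*rval) = enabledNSSVersions.min;
+ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s", dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s\n", emax);
- (*rval) = enabledNSSVersions.max;
+ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s", dmax);
+ (*rval) = defaultNSSVersions.max;
 }
 } else if (!strncasecmp(val, TLSSTR, TLSLEN)) { /* tls# */
 float tlsv;
@@ -1366,122 +1375,122 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
 sscanf(vp, "%4f", &tlsv);
 if (tlsv < 1.1f) { /* TLS1.0 */
 if (ismin) {
- if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) {
+ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
 slapd_SSL_warn("The value of sslVersionMin "
 "\"%s\" is lower than the supported version; "
 "the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
 }
 } else {
- if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
+ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
 /* never happens */
 slapd_SSL_warn("The value of sslVersionMax "
 "\"%s\" is higher than the supported version; "
 "the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
 }
 }
 } else if (tlsv < 1.2f) { /* TLS1.1 */
 if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) {
 slapd_SSL_warn("The value of sslVersionMin "
 "\"%s\" is lower than the supported version; "
 "the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
 }
 } else {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
 /* never happens */
 slapd_SSL_warn("The value of sslVersionMax "
 "\"%s\" is higher than the supported version; "
 "the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
 }
 }
 } else if (tlsv < 1.3f) { /* TLS1.2 */
 if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
+ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
 slapd_SSL_warn("The value of sslVersionMin "
 "\"%s\" is lower than the supported version; "
 "the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
 }
 } else {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) {
+ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) {
 /* never happens */
 slapd_SSL_warn("The value of sslVersionMax "
 "\"%s\" is higher than the supported version; "
 "the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
 } else {
 (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
 }
 }
 } else if (tlsv < 1.4f) { /* TLS1.3 */
- if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) {
- slapd_SSL_warn("The value of sslVersionMin "
- "\"%s\" is lower than the supported version; "
- "the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
- } else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
- }
- } else {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
- /* never happens */
- slapd_SSL_warn("The value of sslVersionMax "
- "\"%s\" is higher than the supported version; "
- "the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
- } else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
- }
- }
+ if (ismin) {
+ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) {
+ slapd_SSL_warn("The value of sslVersionMin "
+ "\"%s\" is lower than the supported version; "
+ "the default value \"%s\" is used.",
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
+ } else {
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
+ }
+ } else {
+ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
+ /* never happens */
+ slapd_SSL_warn("The value of sslVersionMax "
+ "\"%s\" is higher than the supported version; "
+ "the default value \"%s\" is used.",
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
+ } else {
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
+ }
+ }
 } else { /* Specified TLS is newer than supported */
 if (ismin) {
 slapd_SSL_warn("The value of sslVersionMin "
 "\"%s\" is out of the range of the supported version; "
 "the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
 slapd_SSL_warn("The value of sslVersionMax "
 "\"%s\" is out of the range of the supported version; "
 "the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
 }
 }
 } else {
 if (ismin) {
 slapd_SSL_warn("The value of sslVersionMin "
 "\"%s\" is invalid; the default value \"%s\" is used.",
- val, emin);
- (*rval) = enabledNSSVersions.min;
+ val, dmin);
+ (*rval) = defaultNSSVersions.min;
 } else {
 slapd_SSL_warn("The value of sslVersionMax "
 "\"%s\" is invalid; the default value \"%s\" is used.",
- val, emax);
- (*rval) = enabledNSSVersions.max;
+ val, dmax);
+ (*rval) = defaultNSSVersions.max;
 }
 }
 return 0;
@@ -1511,10 +1520,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 char *tmpDir;
 Slapi_Entry *e = NULL;
 PRBool fipsMode = PR_FALSE;
- PRUint16 NSSVersionMin = enabledNSSVersions.min;
- PRUint16 NSSVersionMax = enabledNSSVersions.max;
+ PRUint16 NSSVersionMin = defaultNSSVersions.min;
+ PRUint16 NSSVersionMax = defaultNSSVersions.max;
 char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
- char newmax[VERSION_STR_LENGTH];
 int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
 int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN;
 
@@ -1875,12 +1883,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 if (NSSVersionMin > NSSVersionMax) {
 (void)slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
 (void)slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
- slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
+ slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\". Adjusting the max to match the miniumum.",
 mymin, mymax);
- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
- slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
- mymax, newmax);
- NSSVersionMax = enabledNSSVersions.max;
+ NSSVersionMax = NSSVersionMin;
 }
 }
 
@@ -1896,7 +1901,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 if (sslStatus != SECSuccess) {
 errorCode = PR_GetError();
 slapd_SSL_error("Security Initialization - "
- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)",
 mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
 }
 /*
@@ -1926,13 +1931,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
 (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
 slapd_SSL_error("Security Initialization - "
- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)",
 mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
 }
 } else {
 errorCode = PR_GetError();
 slapd_SSL_error("Security Initialization - ",
- "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n",
+ "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)",
 errorCode, slapd_pr_strerror(errorCode));
 }
 
@@ -2265,7 +2270,7 @@ slapd_SSL_client_auth(LDAP *ld)
 }
 } else {
 if (token == NULL) {
- slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found\n");
+ slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found");
 }
 rc = -1;
 }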
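Review bot: In the `@@ -1926,13 +1931,13 @@` hunk of slapd_ssl_init2, the context line `slapd_SSL_error("Security Initialization - ",` still ends its first literal with a comma, so (assuming the function takes a printf-style format first, as the other calls in this diff suggest) that literal alone is the format and the string this commit edits is passed as an unused argument; the PR_GetError() code and text are then never logged when the SSL range cannot be read from the socket. Dropping the comma, `slapd_SSL_error("Security Initialization - "`, lets the two literals concatenate as in the sibling call a few lines above. Separately, in set_NSS_version the result of `sscanf(vp, "%4f", &tlsv);` is not checked and `tlsv` is declared without an initializer, so a non-numeric suffix after the TLS prefix appears to be compared while indeterminate; `if (sscanf(vp, "%4f", &tlsv) != 1)` routed to the invalid-value branch would close that, though one line between those two hunks is not visible here. The new warning string in the `@@ -1875,12 +1883,9 @@` hunk also misspells "minimum" as "miniumum".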
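--- a/src/lib389/lib389/dirsrv_log.py
+++ b/src/lib389/lib389/dirsrv_log.py
@@ -207,7 +207,7 @@ class DirsrvAccessLog(DirsrvLog):
 return {
 'base': quoted_vals[0],
 'filter': quoted_vals[1],
- 'timestamp': re.findall('\[(.*)\]', lines[0])[0],
+ 'timestamp': re.findall('[(.*)]', lines[0])[0],
 'scope': lines[0].split(' scope=', 1)[1].split(' ',1)[0]
 }
 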
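Review bot: The new pattern `'[(.*)]'` in the DirsrvAccessLog hunk is a character class that matches one `(`, `.`, `*` or `)` character, so `re.findall(...)[0]` as shown no longer returns the bracketed timestamp but the first such punctuation character on the line. If the aim was to silence the invalid-escape warning for `'\['`, a raw string keeps the original meaning: `'timestamp': re.findall(r'\[(.*)\]', lines[0])[0],`. Anything that orders or correlates access-log events by this field would otherwise work from a wrong value. The enclosing method starts outside the hunk.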
--
2.26.2