From 413ac674d497a981b30bdc81b47ea2bb3e14ad57 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 11 Jun 2015 22:25:14 -0700
Subject: [PATCH] Ticket #48194 - nsSSL3Ciphers preference not enforced server
side
Description: The fix for ticket 47838 accidentally changed the timing
of setting the default cipher preferences relative to creating an sslSocket,
which broke applying the default preferences to each sslSocket.
https://fedorahosted.org/389/ticket/48194
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c)
(cherry picked from commit 99109e38ca671951c50724018fce71e2e362f0ff)
---
ldap/servers/slapd/ssl.c | 97 +++++++++++++++++++++++++-----------------------
1 file changed, 50 insertions(+), 47 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 6b51e0c..36a4788 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1342,9 +1342,6 @@ slapd_ssl_init()
freeConfigEntry( &entry );
}
- /* ugaston- Cipher preferences must be set before any sslSocket is created
- * for such sockets to take preferences into account.
- */
freeConfigEntry( &entry );
/* Introduce a way of knowing whether slapd_ssl_init has
@@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
errorbuf[0] = '\0';
+ /*
+ * Cipher preferences must be set before any sslSocket is created
+ * for such sockets to take preferences into account.
+ */
+ getConfigEntry(configDN, &e);
+ if (e == NULL) {
+ slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN);
+ return 1;
+ }
+ val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ } else {
+ slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
+ "Ignoring it and set it to default.", val, configDN);
+ }
+ }
+ slapi_ch_free((void **) &val);
+
+ /* Set SSL cipher preferences */
+ *cipher_string = 0;
+ if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
+ PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
+ slapi_ch_free((void **) &ciphers);
+
+ if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
+ "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ val, errorCode, slapd_pr_strerror(errorCode));
+ slapi_ch_free((void **) &val);
+ }
+ freeConfigEntry(&e);
+
/* Import pr fd into SSL */
pr_sock = SSL_ImportFD( NULL, sock );
if( pr_sock == (PRFileDesc *)NULL ) {
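Review bot: The warning in the invalid-allowWeakCipher branch of this hunk has a format/argument mismatch: the format string holds two `%s`, but the literal `"Ignoring it and set it to default."` is passed as the first vararg, so the message prints that sentence where the value belongs, `val` is printed in the slot meant for the DN, and `configDN` is never consumed (the block being removed further down carries the same defect, so the move preserves it). Join the two literals into the format string: `slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid. " "Ignoring it and set it to default.", val, configDN);`. Separately, the removed copy set `rv = 3;` when `_conf_setciphers` rejected the cipher string, while the relocated block only logs the warning, so a configured-but-unusable cipher preference no longer influences the function's return value; if that is not intended, add `rv = 3;` after the warning (assuming `rv` is already declared at this point of slapd_ssl_init2, which the hunk does not show). `ciphers` is consumed and freed here, but where it is populated lies outside the hunk and should be confirmed to precede this block; slapd_ssl_init2 continues beyond both edges of the hunk.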
@@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapd_pk11_setSlotPWValues(slot, 0, 0);
}
-
-
/*
* Now, get the complete list of cipher families. Each family
* has a token name and personality name which we'll use to find
@@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
"out of disk space! Make more room in /tmp "
"and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
errorCode, slapd_pr_strerror(errorCode));
- }
- else {
- slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
+ } else {
+ slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
errorCode, slapd_pr_strerror(errorCode));
}
return rv;
@@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
}
#endif
- val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
- if (val) {
- if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
- !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
- allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
- } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
- !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
- allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
- } else {
- slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
- "Ignoring it and set it to default.", val, configDN);
- }
- }
- slapi_ch_free((void **) &val);
-
- /* Set SSL cipher preferences */
- *cipher_string = 0;
- if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
- PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
- slapi_ch_free((void **) &ciphers);
-
- if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
- "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- val, errorCode, slapd_pr_strerror(errorCode));
- rv = 3;
- slapi_ch_free((void **) &val);
- }
-
freeConfigEntry( &e );
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
@@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
/* richm 20020227
To do LDAP client SSL init, we need to do
- static void
- ldapssl_basic_init( void )
- {
- PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+ static void
+ ldapssl_basic_init( void )
+ {
+ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
- PR_SetConcurrency( 4 );
- }
+ PR_SetConcurrency( 4 );
+ }
NSS_Init(certdbpath);
SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE);
- SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
- s = NSS_SetDomesticPolicy();
+ SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
+ s = NSS_SetDomesticPolicy();
We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest
*/
@@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld)
char **family;
char *personality = NULL;
char *activation = NULL;
- char *cipher = NULL;
+ char *cipher = NULL;
for (family = family_list; *family; family++) {
getConfigEntry( *family, &entry );
--
1.9.3