From e7c71a8c3a361fa7cbf96a0c57723c74d044922a Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Mon, 10 Nov 2014 13:51:34 -0800 Subject: [PATCH 27/28] Ticket #47945 - Add SSL/TLS version info to the access log Description: Added the currently used SSL library version info per connection to the access log. Sample output: SSL [..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1 [..] conn=3 TLS1.2 128-bit AES-GCM startTLS [..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [..] conn=4 TLS1.2 128-bit AES-GCM To convert the SSL version number to string (e.g., SSL_LIBRARY_VERSION_ TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this patch calculates the number and generates the version string. https://fedorahosted.org/389/ticket/47945 Reviewed and adviced by rmeggins@redhat.com (Thanks a lot, Rich!!) (cherry picked from commit a2e0de3aa90f04593427628afeb7fe090dac93fb) (cherry picked from commit 0d1087d0c4dc9b6af3a01776ae11e0977c447fb7) --- ldap/servers/slapd/auth.c | 85 +++++++++------- ldap/servers/slapd/slapi-private.h | 19 ++++ ldap/servers/slapd/ssl.c | 194 ++++++++++++++++++++----------------- 3 files changed, 174 insertions(+), 124 deletions(-) diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c index 5b7dc31..0219576 100644 --- a/ldap/servers/slapd/auth.c +++ b/ldap/servers/slapd/auth.c @@ -430,9 +430,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) int keySize = 0; char* cipher = NULL; char* extraErrorMsg = ""; - SSLChannelInfo channelInfo; - SSLCipherSuiteInfo cipherInfo; - char* subject = NULL; + SSLChannelInfo channelInfo; + SSLCipherSuiteInfo cipherInfo; + char* subject = NULL; + char sslversion[64]; if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) { PRErrorCode errorCode = PR_GetError(); @@ -460,38 +461,48 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) * to be enough, close the SSL connection. */ if ( conn->c_flags & CONN_FLAG_START_TLS ) { if ( cipherInfo.symKeyBits == 0 ) { - start_tls_graceful_closure( conn, NULL, 1 ); - goto done; - } + start_tls_graceful_closure( conn, NULL, 1 ); + goto done; + } } if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) { - slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n", - (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" ); - goto done; - } + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion)); + slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL" ); + goto done; + } if (clientCert == NULL) { - slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n", - (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL" ); + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion)); + slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL" ); } else { - subject = subject_of (clientCert); - if (!subject) { - slapi_log_access( LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n", - (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL"); - goto done; - } - { - char* issuer = issuer_of (clientCert); - char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ]; - slapi_log_access( LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n", - (long long unsigned int)conn->c_connid, keySize, cipher ? cipher : "NULL", - subject ? escape_string( subject, sbuf ) : "NULL", - issuer ? escape_string( issuer, ibuf ) : "NULL"); - if (issuer) free (issuer); - } - slapi_dn_normalize (subject); + subject = subject_of (clientCert); + if (!subject) { + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access( LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL"); + goto done; + } + { + char* issuer = issuer_of (clientCert); + char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ]; + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access( LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL", + subject ? escape_string( subject, sbuf ) : "NULL", + issuer ? escape_string( issuer, ibuf ) : "NULL"); + if (issuer) free (issuer); + } + slapi_dn_normalize (subject); { LDAPMessage* chain = NULL; char *basedn = config_get_basedn(); @@ -525,14 +536,20 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) sdn = slapi_sdn_new_dn_passin(clientDN); clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn)); slapi_sdn_free(&sdn); + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); slapi_log_access (LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL client bound as %s\n", - (long long unsigned int)conn->c_connid, clientDN); + "conn=%" NSPRIu64 " %s client bound as %s\n", + (long long unsigned int)conn->c_connid, + sslversion, clientDN); } else if (clientCert != NULL) { + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); slapi_log_access (LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL failed to map client " + "conn=%" NSPRIu64 " %s failed to map client " "certificate to LDAP DN (%s)\n", - (long long unsigned int)conn->c_connid, extraErrorMsg ); + (long long unsigned int)conn->c_connid, + sslversion, extraErrorMsg); } /* diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h index a8d7738..921c397 100644 --- a/ldap/servers/slapd/slapi-private.h +++ b/ldap/servers/slapd/slapi-private.h @@ -1336,6 +1336,25 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e); /* ldaputil.c */ char *ldaputil_get_saslpath(); +/* ssl.c */ +/* + * If non NULL buf and positive bufsize is given, + * the memory is used to store the version string. + * Otherwise, the memory for the string is allocated. + * The latter case, caller is responsible to free it. + */ +/* vnum is supposed to be in one of the following: + * nss3/sslproto.h + * #define SSL_LIBRARY_VERSION_2 0x0002 + * #define SSL_LIBRARY_VERSION_3_0 0x0300 + * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301 + * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302 + * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303 + * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304 + * ... + */ +char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize); + #ifdef __cplusplus } #endif diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index f81d1fb..5d6919a 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -99,7 +99,6 @@ extern symbol_t supported_ciphers[]; #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ static SSLVersionRange enabledNSSVersions; static SSLVersionRange slapdNSSVersions; -static char *getNSSVersion_str(PRUint16 vnum); #endif /* dongle_file_name is set in slapd_nss_init when we set the path for the @@ -246,6 +245,9 @@ static lookup_cipher _lookup_cipher[] = { {NULL, NULL} }; +/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */ +#define VERSION_STR_LENGTH 64 + /* Supported SSL versions */ /* nsSSL2: on -- we don't allow this any more. */ PRBool enableSSL2 = PR_FALSE; @@ -418,8 +420,8 @@ getSSLVersionRange(char **min, char **max) #if defined(NSS_TLS10) return -1; /* not supported */ #else /* NSS_TLS11 or newer */ - *min = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.min)); - *max = slapi_ch_strdup(getNSSVersion_str(slapdNSSVersions.max)); + *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0); + *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0); return 0; #endif } @@ -854,34 +856,48 @@ warn_if_no_key_file(const char *dir, int no_log) } #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ -typedef struct _nss_version_list { - PRUint16 vnum; - char* vname; -} NSSVersion_list; -NSSVersion_list _NSSVersion_list[] = -{ - {SSL_LIBRARY_VERSION_2, "SSL2"}, - {SSL_LIBRARY_VERSION_3_0, "SSL3"}, - {SSL_LIBRARY_VERSION_TLS_1_0, "TLS1.0"}, - {SSL_LIBRARY_VERSION_TLS_1_1, "TLS1.1"}, -#if defined(NSS_TLS12) - {SSL_LIBRARY_VERSION_TLS_1_2, "TLS1.2"}, -#endif - {0, "unknown"} -}; - -static char * -getNSSVersion_str(PRUint16 vnum) +/* + * If non NULL buf and positive bufsize is given, + * the memory is used to store the version string. + * Otherwise, the memory for the string is allocated. + * The latter case, caller is responsible to free it. + */ +char * +slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize) { - NSSVersion_list *nvlp = NULL; - char *vstr = "none"; - if (vnum) { - for (nvlp = _NSSVersion_list; nvlp && nvlp->vnum; nvlp++) { - if (nvlp->vnum == vnum) { - vstr = nvlp->vname; - break; + char *vstr = buf; + if (vnum >= SSL_LIBRARY_VERSION_3_0) { + if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */ + if (buf && bufsize) { + PR_snprintf(buf, bufsize, "SSL3"); + } else { + vstr = slapi_ch_smprintf("SSL3"); + } + } else { /* TLS v X.Y */ + const char *TLSFMT = "TLS%d.%d"; + int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */ + + if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) { + minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */ + } + if (buf && bufsize) { + PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset); + } else { + vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset); } } + } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */ + if (buf && bufsize) { + PR_snprintf(buf, bufsize, "SSL2"); + } else { + vstr = slapi_ch_smprintf("SSL2"); + } + } else { + if (buf && bufsize) { + PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum); + } else { + vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum); + } } return vstr; } @@ -895,12 +911,16 @@ getNSSVersion_str(PRUint16 vnum) static void restrict_SSLVersionRange(void) { + char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; + char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; + (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); + (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); + (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); + (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); if (slapdNSSVersions.min > slapdNSSVersions.max) { slapd_SSL_warn("Invalid configured SSL range: min: %s, max: %s; " "Resetting the max to the supported max SSL version: %s.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max), - getNSSVersion_str(enabledNSSVersions.max)); + mymin, mymax, emax); slapdNSSVersions.max = enabledNSSVersions.max; } if (enableSSL3) { @@ -911,17 +931,14 @@ restrict_SSLVersionRange(void) slapd_SSL_warn("Configured range: min: %s, max: %s; " "but both nsSSL3 and nsTLS1 are on. " "Respect the supported range.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); enableSSL3 = PR_FALSE; } if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { slapd_SSL_warn("Configured range: min: %s, max: %s; " "but both nsSSL3 and nsTLS1 are on. " "Resetting the max to the supported max SSL version: %s.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max), - getNSSVersion_str(enabledNSSVersions.max)); + mymin, mymax, emax); slapdNSSVersions.max = enabledNSSVersions.max; } } else { @@ -930,8 +947,7 @@ restrict_SSLVersionRange(void) slapd_SSL_warn("Supported range: min: %s, max: %s; " "but nsSSL3 is on and nsTLS1 is off. " "Respect the supported range.", - getNSSVersion_str(enabledNSSVersions.min), - getNSSVersion_str(enabledNSSVersions.max)); + emin, emax); slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min); enableSSL3 = PR_FALSE; enableTLS1 = PR_TRUE; @@ -939,19 +955,13 @@ restrict_SSLVersionRange(void) slapd_SSL_warn("Configured range: min: %s, max: %s; " "but nsSSL3 is on and nsTLS1 is off. " "Respect the configured range.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); enableSSL3 = PR_FALSE; enableTLS1 = PR_TRUE; } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { slapd_SSL_warn("Too low configured range: min: %s, max: %s; " - "Resetting the range to: min: %s, max: %s.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max), - getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0), - getNSSVersion_str(SSL_LIBRARY_VERSION_TLS_1_0)); - slapdNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_0; - slapdNSSVersions.max = SSL_LIBRARY_VERSION_TLS_1_0; + "We strongly recommend to set sslVersionMax higher than %s.", + mymin, mymax, emax); } else { /* * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 && @@ -960,8 +970,7 @@ restrict_SSLVersionRange(void) slapd_SSL_warn("Configured range: min: %s, max: %s; " "but nsSSL3 is on and nsTLS1 is off. " "Respect the configured range.", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); enableTLS1 = PR_TRUE; } } @@ -971,8 +980,7 @@ restrict_SSLVersionRange(void) /* TLS1 is on, but TLS1 is not supported by NSS. */ slapd_SSL_warn("Supported range: min: %s, max: %s; " "Setting the version range based upon the supported range.", - getNSSVersion_str(enabledNSSVersions.min), - getNSSVersion_str(enabledNSSVersions.max)); + emin, emax); slapdNSSVersions.max = enabledNSSVersions.max; slapdNSSVersions.min = enabledNSSVersions.min; enableSSL3 = PR_TRUE; @@ -983,8 +991,7 @@ restrict_SSLVersionRange(void) slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min); slapd_SSL_warn("Default SSL Version settings; " "Configuring the version range as min: %s, max: %s; ", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); } else { /* * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 && @@ -995,8 +1002,7 @@ restrict_SSLVersionRange(void) } else { slapd_SSL_warn("Supported range: min: %s, max: %s; " "Respect the configured range.", - getNSSVersion_str(enabledNSSVersions.min), - getNSSVersion_str(enabledNSSVersions.max)); + emin, emax); /* nsTLS1 is explicitly set to off. */ if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { enableTLS1 = PR_TRUE; @@ -1040,13 +1046,15 @@ slapd_nss_init(int init_ssl, int config_available) char *keydb_file_name = NULL; char *secmoddb_file_name = NULL; #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ + char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; /* Get the range of the supported SSL version */ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); + (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); + (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization", "supported range by NSS: min: %s, max: %s\n", - getNSSVersion_str(enabledNSSVersions.min), - getNSSVersion_str(enabledNSSVersions.max)); + emin, emax); #endif /* set in slapd_bootstrap_config, @@ -1351,34 +1359,37 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) { char *vp, *endp; int vnum; + char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; if (NULL == rval) { return 1; } + (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); + (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# */ vp = val + SSLLEN; vnum = strtol(vp, &endp, 10); if (2 == vnum) { if (ismin) { if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_2) { - slapd_SSL_warn("Security Initialization: The value of sslVersionMin " - "\"%s\" is lower than the supported version; " - "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); - (*rval) = enabledNSSVersions.min; + slapd_SSL_warn("Security Initialization: The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", + val, emin); + (*rval) = enabledNSSVersions.min; } else { - (*rval) = SSL_LIBRARY_VERSION_2; + (*rval) = SSL_LIBRARY_VERSION_2; } } else { if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_2) { /* never happens */ slapd_SSL_warn("Security Initialization: The value of sslVersionMax " - "\"%s\" is higher than the supported version; " - "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); - (*rval) = enabledNSSVersions.max; + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", + val, emax); + (*rval) = enabledNSSVersions.max; } else { - (*rval) = SSL_LIBRARY_VERSION_2; + (*rval) = SSL_LIBRARY_VERSION_2; } } } else if (3 == vnum) { @@ -1387,7 +1398,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is lower than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { (*rval) = SSL_LIBRARY_VERSION_3_0; @@ -1398,7 +1409,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is higher than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); + val, emax); (*rval) = enabledNSSVersions.max; } else { (*rval) = SSL_LIBRARY_VERSION_3_0; @@ -1408,12 +1419,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) if (ismin) { slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is invalid; the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is invalid; the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); + val, emax); (*rval) = enabledNSSVersions.max; } } @@ -1427,7 +1438,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is lower than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; @@ -1438,7 +1449,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is higher than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); + val, emax); (*rval) = enabledNSSVersions.max; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; @@ -1450,7 +1461,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is lower than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; @@ -1461,7 +1472,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is higher than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); + val, emax); (*rval) = enabledNSSVersions.max; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; @@ -1474,7 +1485,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is lower than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; @@ -1485,7 +1496,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is higher than the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.max)); + val, emax); (*rval) = enabledNSSVersions.max; } else { (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; @@ -1497,13 +1508,13 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is out of the range of the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is out of the range of the supported version; " "the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emax); (*rval) = enabledNSSVersions.max; } } @@ -1511,12 +1522,12 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) if (ismin) { slapd_SSL_warn("Security Initialization: The value of sslVersionMin " "\"%s\" is invalid; the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emin); (*rval) = enabledNSSVersions.min; } else { slapd_SSL_warn("Security Initialization: The value of sslVersionMax " "\"%s\" is invalid; the default value \"%s\" is used.", - val, getNSSVersion_str(enabledNSSVersions.min)); + val, emax); (*rval) = enabledNSSVersions.max; } } @@ -1549,6 +1560,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ PRUint16 NSSVersionMin = enabledNSSVersions.min; PRUint16 NSSVersionMax = enabledNSSVersions.max; + char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; + char newmax[VERSION_STR_LENGTH]; #endif char cipher_string[1024]; int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER; @@ -1909,12 +1922,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) } slapi_ch_free_string( &val ); if (NSSVersionMin > NSSVersionMax) { + (void) slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin)); + (void) slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax)); slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".", - getNSSVersion_str(NSSVersionMin), - getNSSVersion_str(NSSVersionMax)); + mymin, mymax); + (void) slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax)); slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".", - getNSSVersion_str(NSSVersionMax), - getNSSVersion_str(enabledNSSVersions.max)); + mymax, newmax); NSSVersionMax = enabledNSSVersions.max; } #endif @@ -1925,18 +1939,18 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) slapdNSSVersions.min = NSSVersionMin; slapdNSSVersions.max = NSSVersionMax; restrict_SSLVersionRange(); + (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); + (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization", "Configured SSL version range: min: %s, max: %s\n", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions); if (sslStatus == SECSuccess) { /* Set the restricted value to the cn=encryption entry */ } else { slapd_SSL_error("SSL Initialization 2: " "Failed to set SSL range: min: %s, max: %s\n", - getNSSVersion_str(slapdNSSVersions.min), - getNSSVersion_str(slapdNSSVersions.max)); + mymin, mymax); } } else { #endif -- 1.9.3