diff --git a/.gitignore b/.gitignore
index 7639ffb..6d6680b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-SOURCES/openldap-2.4.39.tgz
+SOURCES/openldap-2.4.40.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
index 5df585c..e394c8f 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz
+0cfac3b024b99de2e2456cc7254481b6644e0b96 SOURCES/openldap-2.4.40.tgz
diff --git a/SOURCES/check-password-makefile.patch b/SOURCES/check-password-makefile.patch
new file mode 100644
index 0000000..f39ba81
--- /dev/null
+++ b/SOURCES/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile	2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile	2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-OPT=-g -O2 -Wall -fpic 						\
+-	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
+-	-DCONFIG_FILE="\"$(CONFIG)\""					\
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
+ 	-DDEBUG
+ 
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+-	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+ 
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+ 	cp -f check_password.so ../../../usr/lib/openldap/modules/
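Review bot: `$(LDAP_INC)` is still expanded in the `check_password.o` rule on the new side, but the only definition of `LDAP_INC` (together with `INCS`) is deleted in the same hunk, so the path to `slap.h` now has to arrive from the make command line or the environment; if the spec file does not pass `LDAP_INC=...`, compiling check_password.c fails to find the slapd headers. Keeping a documented empty default above the rule, `LDAP_INC ?=` with a comment such as `# set by the caller, e.g. make LDAP_INC=-I.../servers/slapd`, would make that contract explicit. Likewise `CFLAGS+=` drops the old `-g -O2 -Wall`, which is presumably intended so that the packager's optflags take over, but a bare `make` now builds with no warnings or optimisation at all.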
diff --git a/SOURCES/check-password.patch b/SOURCES/check-password.patch
new file mode 100644
index 0000000..7a79e95
--- /dev/null
+++ b/SOURCES/check-password.patch
@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+ 
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+ 
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ 	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ 	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+ 
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+ 
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+ 
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ 	return NULL;
+ }
+ 
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+ 		return returnValue;
+ 	}
+ 
+@@ -133,6 +194,8 @@
+ 		return returnValue;
+ 	}
+ 
++	returnValue = 0;
++
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
+@@ -145,23 +208,40 @@
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ 			continue;
++		}
+ 
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+ 		}
+ 	}
+-
+ 	fclose(config);
+ 	ber_memfree(line);
++
+ 	return returnValue;
+ }
+ 
+@@ -170,7 +250,7 @@
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ 	return curlen;
+ }
+ 
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+ 
+@@ -210,20 +290,22 @@
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+ 
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
+-		if ( nQuality >= minQuality ) break;
+-
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ 		}
+ 	}
+ 
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+ 		goto fail;
+ 	}
+ 
+@@ -306,7 +397,7 @@
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
+@@ -326,9 +417,9 @@
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
+@@ -342,15 +433,15 @@
+ 	}
+ 
+ #endif
+-
++	dealloc_config_entries();
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
+ fail:
++	dealloc_config_entries();
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
+ }
+-
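Review bot: `dealloc_config_entries` frees each `config_entries[i].value` but never resets the pointer, and `read_config_file` returns early without assigning anything when the line allocation or the `fopen` fails, so on the next `check_password` call in the same process the "Using defaults" path reads the freed strings through `atoi` in `get_config_entry_int` and then frees them again in the success and `fail` epilogues; add `centry[i].value = NULL;` right after `ber_memfree(centry[i].value);`. Since `config_entries` is file-scope mutable state and slapd calls password-check modules from its worker threads, the same array is presumably also shared between concurrent checks, which I cannot confirm from this hunk but would want either a lock or a per-call copy. The `dealer` obtained from `valid_word` is now assigned and never invoked, so `set_quality`/`set_cracklib`/`set_digit` validate nothing, and `atoi` maps a non-numeric value such as `minPoints three` to 0, silently disabling the strength check; parsing with `strtol` and falling back to `def_value` on error would keep a typo from weakening the policy. `chomp` also uses the `ber_memalloc` result without a NULL check.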
diff --git a/SOURCES/openldap-dns-priority.patch b/SOURCES/openldap-dns-priority.patch
deleted file mode 100644
index 8dc0923..0000000
--- a/SOURCES/openldap-dns-priority.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-Implement priority/weight for DNS SRV records
-
-From RFC 2782:
-
-  A client MUST attempt to contact the target host with the
-  lowest-numbered priority it can reach.
-
-This patch sorts the DNS SRV records by their priority, and
-additionally gives records with a larger weight a higher probability
-of appearing earlier. This way, the DNS SRV records are tried in the
-order of their priority.
-
-Author: James M Leddy <james.leddy@redhat.com>
-Upstream ITS: #7027
-Resolves: #733078
-
----
- libraries/libldap/dnssrv.c |  106 ++++++++++++++++++++++++++++++++++----------
- 1 files changed, 83 insertions(+), 23 deletions(-)
-
-diff --git a/libraries/libldap/dnssrv.c b/libraries/libldap/dnssrv.c
-index 16b1544..40f93b4 100644
---- a/libraries/libldap/dnssrv.c
-+++ b/libraries/libldap/dnssrv.c
-@@ -174,6 +174,46 @@ int ldap_domain2dn(
- 	return LDAP_SUCCESS;
- }
- 
-+#ifdef HAVE_RES_QUERY
-+#define DNSBUFSIZ (64*1024)
-+typedef struct srv_record {
-+    u_short priority;
-+    u_short weight;
-+    u_short port;
-+    char hostname[DNSBUFSIZ];
-+} srv_record;
-+
-+
-+static int srv_cmp(const void *aa, const void *bb){
-+    srv_record *a=(srv_record *)aa;
-+    srv_record *b=(srv_record *)bb;
-+    u_long total;
-+    
-+    if(a->priority < b->priority) {
-+	return -1;
-+    }
-+    if(a->priority > b->priority) {
-+	return 1;
-+    }
-+    if(a->priority == b->priority){
-+	/* targets with same priority are in psudeo random order */
-+	if (a->weight == 0 && b->weight == 0) {
-+	    if (rand() % 2) {
-+		return -1;
-+	    } else {
-+		return 1;
-+	    }
-+	}
-+	total = a->weight + b->weight;
-+	if (rand() % total < a->weight) {
-+	    return -1;
-+	} else {
-+	    return 1;
-+	}
-+    }
-+}
-+#endif /* HAVE_RES_QUERY */
-+
- /*
-  * Lookup and return LDAP servers for domain (using the DNS
-  * SRV record _ldap._tcp.domain).
-@@ -183,15 +223,16 @@ int ldap_domain2hostlist(
- 	char **list )
- {
- #ifdef HAVE_RES_QUERY
--#define DNSBUFSIZ (64*1024)
--    char *request;
--    char *hostlist = NULL;
-+    char *request; 
-+   char *hostlist = NULL;
-+    srv_record *hostent_head=NULL;
-+    int i;
-     int rc, len, cur = 0;
-     unsigned char reply[DNSBUFSIZ];
-+    int hostent_count=0;
- 
- 	assert( domain != NULL );
- 	assert( list != NULL );
--
- 	if( *domain == '\0' ) {
- 		return LDAP_PARAM_ERROR;
- 	}
-@@ -223,8 +264,7 @@ int ldap_domain2hostlist(
- 	unsigned char *p;
- 	char host[DNSBUFSIZ];
- 	int status;
--	u_short port;
--	/* int priority, weight; */
-+	u_short port, priority, weight; 
- 
- 	/* Parse out query */
- 	p = reply;
-@@ -263,40 +303,56 @@ int ldap_domain2hostlist(
- 	    size = (p[0] << 8) | p[1];
- 	    p += 2;
- 	    if (type == T_SRV) {
--		int buflen;
- 		status = dn_expand(reply, reply + len, p + 6, host, sizeof(host));
- 		if (status < 0) {
- 		    goto out;
- 		}
--		/* ignore priority and weight for now */
--		/* priority = (p[0] << 8) | p[1]; */
--		/* weight = (p[2] << 8) | p[3]; */
-+		
-+		/* Get priority weight and port */
-+		priority = (p[0] << 8) | p[1];
-+		weight = (p[2] << 8) | p[3]; 
- 		port = (p[4] << 8) | p[5];
- 
- 		if ( port == 0 || host[ 0 ] == '\0' ) {
- 		    goto add_size;
- 		}
- 
--		buflen = strlen(host) + STRLENOF(":65355 ");
--		hostlist = (char *) LDAP_REALLOC(hostlist, cur + buflen + 1);
--		if (hostlist == NULL) {
--		    rc = LDAP_NO_MEMORY;
--		    goto out;
-+		hostent_head = (srv_record *) LDAP_REALLOC(hostent_head, (hostent_count+1)*(sizeof(srv_record)));
-+		if(hostent_head==NULL){
-+		  rc=LDAP_NO_MEMORY;
-+		  goto out;
-+		  
- 		}
--		if (cur > 0) {
--		    /* not first time around */
--		    hostlist[cur++] = ' ';
--		}
--		cur += sprintf(&hostlist[cur], "%s:%hu", host, port);
-+		hostent_head[hostent_count].priority=priority;
-+		hostent_head[hostent_count].weight=weight;
-+		hostent_head[hostent_count].port=port;
-+		strncpy(hostent_head[hostent_count].hostname, host,255);
-+		hostent_count=hostent_count+1;
- 	    }
- add_size:;
- 	    p += size;
- 	}
-     }
-+    qsort(hostent_head, hostent_count, sizeof(srv_record), srv_cmp);
-+
-+    for(i=0; i<hostent_count; i++){
-+	int buflen;
-+        buflen = strlen(hostent_head[i].hostname) + STRLENOF(":65355" );
-+        hostlist = (char *) LDAP_REALLOC(hostlist, cur+buflen+1);
-+        if (hostlist == NULL) {
-+            rc = LDAP_NO_MEMORY;
-+            goto out;
-+        }
-+        if(cur>0){
-+            hostlist[cur++]=' ';
-+        }
-+        cur += sprintf(&hostlist[cur], "%s:%hd", hostent_head[i].hostname, hostent_head[i].port);
-+    }
-+
-     if (hostlist == NULL) {
--	/* No LDAP servers found in DNS. */
--	rc = LDAP_UNAVAILABLE;
--	goto out;
-+         /* No LDAP servers found in DNS. */
-+         rc = LDAP_UNAVAILABLE;
-+         goto out;
-     }
- 
-     rc = LDAP_SUCCESS;
-@@ -308,8 +364,12 @@ add_size:;
-     if (request != NULL) {
- 	LDAP_FREE(request);
-     }
-+    if (hostent_head != NULL) {
-+	LDAP_FREE(hostent_head);
-+    }
-     if (rc != LDAP_SUCCESS && hostlist != NULL) {
- 	LDAP_FREE(hostlist);
-+	
-     }
-     return rc;
- #else
--- 
-1.7.6
-
diff --git a/SOURCES/openldap-fix-missing-frontend-indexing.patch b/SOURCES/openldap-fix-missing-frontend-indexing.patch
new file mode 100644
index 0000000..d2e8d4e
--- /dev/null
+++ b/SOURCES/openldap-fix-missing-frontend-indexing.patch
@@ -0,0 +1,11 @@
+--- a/servers/slapd/bconfig.c	2015-06-02 14:37:10.930873419 +0200
++++ b/servers/slapd/bconfig.c	2015-06-02 14:37:35.105233408 +0200
+@@ -4679,7 +4679,7 @@
+ 	if ( ce_type == Cft_Database )
+ 		nsibs--;
+ 
+-	if ( index != nsibs ) {
++	if ( index != nsibs || isfrontend) {
+ 		if ( gotindex ) {
+ 			if ( index < nsibs ) {
+ 				if ( tailindex ) return LDAP_NAMING_VIOLATION;
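Review bot: This patch file carries no description, author or `Resolves:` trailer, unlike the other patches added in this change, so the reason for extending the condition with `|| isfrontend` is recorded nowhere in the package. A short header such as `Apply the ordered-index check to the frontend database entry as well` plus the bug reference would let the next rebase decide whether the hunk is still needed. The enclosing function in bconfig.c starts and ends outside the hunk, so where `isfrontend` is computed is not visible here.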
diff --git a/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch b/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch
new file mode 100644
index 0000000..896dd75
--- /dev/null
+++ b/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch
@@ -0,0 +1,26 @@
+Use what NSS considers default for DEFAULT cipher string.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1245279
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			}
+ 		} else if (!strcmp(cipher, "DEFAULT")) {
+ 			for (i=0; i<ciphernum; i++) {
+-				cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
++				PRBool enabled;
++				if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
++					if (!(ciphers_def[i].attr & SSL_eNULL)) {
++						cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
++					} else {
++						cipher_list[i] = -1;
++					}
++				} else {
++					cipher_list[i] = -1;
++				}
+ 			}
+ 		} else {
+ 			int mask = 0;
diff --git a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
new file mode 100644
index 0000000..247085c
--- /dev/null
+++ b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
@@ -0,0 +1,236 @@
+fix: openldap ciphersuite parsing code handles masks incorrectly
+
+Author: Matus Honek <mhonek@redhat.com>
+Original-Author: Martin Poole <mpoole@redhat.com>
+Resolves: #1231522
+Related: #1238322
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -215,7 +215,6 @@ typedef struct {
+ /* cipher attributes  */
+ #define SSL_kRSA        0x00000001L
+ #define SSL_aRSA        0x00000002L
+-#define SSL_RSA         (SSL_kRSA|SSL_aRSA)
+ #define SSL_aDSA        0x00000004L
+ #define SSL_DSA         SSL_aDSA
+ #define SSL_eNULL       0x00000008L
+@@ -225,19 +224,26 @@ typedef struct {
+ #define SSL_RC2         0x00000080L
+ #define SSL_AES128      0x00000100L
+ #define SSL_AES256      0x00000200L
+-#define SSL_AES         (SSL_AES128|SSL_AES256)
+ #define SSL_MD5         0x00000400L
+ #define SSL_SHA1        0x00000800L
+ #define SSL_kEDH        0x00001000L
+ #define SSL_CAMELLIA128 0x00002000L
+ #define SSL_CAMELLIA256 0x00004000L
+-#define SSL_CAMELLIA    (SSL_CAMELLIA128|SSL_CAMELLIA256)
+ #define SSL_SEED        0x00008000L
+ #define SSL_kECDH       0x00010000L
+ #define SSL_kECDHE      0x00020000L
+ #define SSL_aECDSA      0x00040000L
+ #define SSL_SHA256	0x00080000L
+ #define SSL_SHA384	0x00100000L
++#define SSL_kEECDH  0x00200000L
++#define SSL_AESGCM  0x00400000L
++#define SSL_AEAD    0x00800000L
++
++/* cipher attributes non-unique - do not use for definitions */
++#define SSL_RSA         0x00000001L
++#define SSL_AES         0x00000002L
++#define SSL_CAMELLIA    0x00000004L
++#define SSL_ECDH        0x00000008L
+ 
+ /* cipher strength */
+ #define SSL_NULL      0x00000001L
+@@ -247,6 +253,9 @@ typedef struct {
+ #define SSL_MEDIUM    0x00000010L
+ #define SSL_HIGH      0x00000020L
+ 
++/* cipher strengths non-unique - do not use for definitions */
++#define SSL_EXPORT    0x00000001L
++
+ #define SSL2  0x00000001L
+ #define SSL3  0x00000002L
+ /* OpenSSL treats SSL3 and TLSv1 the same */
+@@ -609,10 +618,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 		while ((*cipher) && (isspace(*cipher)))
+ 			++cipher;
+ 
+-		action = 1;
+ 		switch(*cipher) {
+-		case '+': /* Add something */
+-			action = 1;
++		case '+': /* Do nothig. NSS does not support ordering. */
++			Debug( LDAP_DEBUG_ARGS,
++			       "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n",
++			       0, 0, 0 );
++			action = 2;
+ 			cipher++;
+ 			break;
+ 		case '-': /* Subtract something */
+@@ -623,8 +634,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			action = -1;
+ 			cipher++;
+ 			break;
+-		default:
+-			/* do nothing */
++		default: /* Add something */
++			action = 1;
+ 			break;
+ 		}
+ 
+@@ -654,7 +665,9 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			}
+ 		} else {
+ 			int mask = 0;
++			int multi_mask = 0;
+ 			int strength = 0;
++			int multi_strength = 0;
+ 			int protocol = 0;
+ 			char *c;
+ 
+@@ -665,16 +678,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 					*c++ = '\0';
+ 				}
+ 
+-				if (!strcmp(cipher, "RSA")) {
+-					mask |= SSL_RSA;
++				if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
++					mask |= SSL_kRSA;
++				} if (!strcmp(cipher, "aRSA")) {
++					if (!(mask & SSL_kECDH)) //kECDH means no aRSA
++						mask |= SSL_aRSA;
++					else if (mask & SSL_kECDHE) //kECDH and aRSA means kECDHE
++						mask |= SSL_kECDHE|SSL_aRSA;
+ 				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
+ 					mask |= SSL_eNULL;
+ 				} else if (!strcmp(cipher, "AES128")) {
+ 					mask |= SSL_AES128;
+ 				} else if (!strcmp(cipher, "AES256")) {
+ 					mask |= SSL_AES256;
++				} else if (!strcmp(cipher, "AESGCM")) {
++					mask |= SSL_AESGCM;
+ 				} else if (!strcmp(cipher, "AES")) {
+-					mask |= SSL_AES;
++					multi_mask |= SSL_AES;
+ 				} else if (!strcmp(cipher, "3DES")) {
+ 					mask |= SSL_3DES;
+ 				} else if (!strcmp(cipher, "DES")) {
+@@ -685,27 +705,42 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 					mask |= SSL_RC2;
+ 				} else if (!strcmp(cipher, "MD5")) {
+ 					mask |= SSL_MD5;
+-				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+-					mask |= SSL_SHA1;
+ 				} else if (!strcmp(cipher, "SHA256")) {
+ 					mask |= SSL_SHA256;
++				} else if (!strcmp(cipher, "SHA384")) {
++					mask |= SSL_SHA384;
++				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
++					mask |= SSL_SHA1;
+ 				} else if (!strcmp(cipher, "EDH")) {
+ 					mask |= SSL_kEDH;
+-				} else if (!strcmp(cipher, "DSS")) {
++				} else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
+ 					mask |= SSL_aDSA;
+ 				} else if (!strcmp(cipher, "CAMELLIA128")) {
+ 					mask |= SSL_CAMELLIA128;
+ 				} else if (!strcmp(cipher, "CAMELLIA256")) {
+ 					mask |= SSL_CAMELLIA256;
+ 				} else if (!strcmp(cipher, "CAMELLIA")) {
+-					mask |= SSL_CAMELLIA;
++					multi_mask |= SSL_CAMELLIA;
+ 				} else if (!strcmp(cipher, "SEED")) {
+ 					mask |= SSL_SEED;
+-				} else if (!strcmp(cipher, "ECDH")) {
++				} else if (!strcmp(cipher, "kECDHe")) {
++					mask |= SSL_kECDH|SSL_aECDSA;
++				} else if (!strcmp(cipher, "kECDHr")) {
++					mask |= SSL_kECDH|SSL_aRSA;
++				} else if (!strcmp(cipher, "kECDH")) {
++					if (!(mask & SSL_aRSA)) //kECDH does not use aRSA
++						mask |= SSL_kECDH;
++				} else if (!strcmp(cipher, "aECDH")) {
+ 					mask |= SSL_kECDH;
++				} else if (!strcmp(cipher, "EECDH")) {
++					mask |= SSL_kECDHE;
++				} else if (!strcmp(cipher, "kEECDH")) {
++					mask |= SSL_kECDHE;
+ 				} else if (!strcmp(cipher, "ECDHE")) {
+ 					mask |= SSL_kECDHE;
+-				} else if (!strcmp(cipher, "ECDSA")) {
++				} else if (!strcmp(cipher, "ECDH")) {
++					multi_mask |= SSL_ECDH;
++				} else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
+ 					mask |= SSL_aECDSA;
+ 				} else if (!strcmp(cipher, "SSLv2")) {
+ 					protocol |= SSL2;
+@@ -721,12 +756,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 					strength |= SSL_MEDIUM;
+ 				} else if (!strcmp(cipher, "LOW")) {
+ 					strength |= SSL_LOW;
+-				} else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
+-					strength |= SSL_EXPORT40|SSL_EXPORT56;
+ 				} else if (!strcmp(cipher, "EXPORT40")) {
+ 					strength |= SSL_EXPORT40;
+ 				} else if (!strcmp(cipher, "EXPORT56")) {
+ 					strength |= SSL_EXPORT56;
++				} else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
++					multi_strength |= SSL_EXPORT;
+ 				}
+ 
+ 				if (c)
+@@ -734,23 +769,37 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 
+ 			} /* while */
+ 
++			/* NSS does not support ordering */
++			if (action == 2)
++			  continue;
++
+ 			/* If we have a mask, apply it. If not then perhaps they provided
+ 			 * a specific cipher to enable.
++			 * if more than one mask is provided then AND logic applies (to match openssl)
+ 			 */
+-			if (mask || strength || protocol) {
++			if (mask || multi_mask || strength || multi_strength || protocol) {
+ 				for (i=0; i<ciphernum; i++) {
+-					if (((ciphers_def[i].attr & mask) ||
+-						 (ciphers_def[i].strength & strength) ||
+-						 (ciphers_def[i].version & protocol)) &&
+-						(cipher_list[i] != -1)) {
+-						/* Enable the NULL ciphers only if explicity
+-						 * requested */
+-						if (ciphers_def[i].attr & SSL_eNULL) {
+-							if (mask & SSL_eNULL)
+-								cipher_list[i] = action;
+-						} else
+-							cipher_list[i] = action;
+-					}
++					if ( cipher_list[i] == -1 )
++						continue;
++					if ( mask != (ciphers_def[i].attr & mask) )
++						continue;
++					if ( strength != (ciphers_def[i].strength & strength) )
++						continue;
++					if ( protocol != (ciphers_def[i].version & protocol) )
++						continue;
++					if ((multi_mask & SSL_AES) &&
++					    !(ciphers_def[i].attr & (SSL_AES128|SSL_AES256|SSL_AESGCM)))
++						continue;
++					if ((multi_mask & SSL_ECDH) &&
++					    !(ciphers_def[i].attr & (SSL_kECDH|SSL_kECDHE)))
++						continue;
++					if ((multi_mask & SSL_CAMELLIA) &&
++					    !(ciphers_def[i].attr & (SSL_CAMELLIA128|SSL_CAMELLIA256)))
++						continue;
++					if ((multi_strength & SSL_EXPORT) &&
++					    !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
++						continue;
++					cipher_list[i] = action;
+ 				}
+ 			} else {
+ 				for (i=0; i<ciphernum; i++) {
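Review bot: The `aRSA`/`kECDH` handling in the new token chain is order-dependent and drops tokens silently: `kECDH+aRSA` yields only SSL_kECDH (the aRSA branch skips when kECDH is set) while `aRSA+kECDH` yields only SSL_aRSA (the kECDH branch skips when aRSA is set), even though `kECDHr` is defined a few lines later as `SSL_kECDH|SSL_aRSA`, so the "kECDH means no aRSA" assumption contradicts the patch's own table. I would make both branches unconditional, `mask |= SSL_aRSA;` and `mask |= SSL_kECDH;`, and let the new AND-style match do the filtering. Separately, `} if (!strcmp(cipher, "aRSA")) {` after the RSA case is not `else if`, which detaches the RSA case from the rest of the chain; it is harmless today but a trap for the next token added, and the `'+'` comment reads `Do nothig`. Tokens no branch recognises (for example `!aNULL` from a typical OpenSSL string) fall through with an empty mask and are ignored without any Debug output, so an administrator cannot tell a typo from an applied exclusion; a final `else` that logs the unknown token would close that gap.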
diff --git a/SOURCES/openldap-nss-unregister-on-unload.patch b/SOURCES/openldap-nss-unregister-on-unload.patch
new file mode 100644
index 0000000..d815fc2
--- /dev/null
+++ b/SOURCES/openldap-nss-unregister-on-unload.patch
@@ -0,0 +1,39 @@
+fix: OpenLDAP crash in NSS shutdown handling
+
+Resolves: #1158005
+Related: #1231228 #1249977
+Author: Jan Synacek <jsynacek@redhat.com>
+Modified-By: Matus Honek <mhonek@redhat.com>
+
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env(
+  * Sorry, don't know how to handle this for non-GCC environments.
+  */
+ static void ldap_int_destroy_global_options(void)
+-	__attribute__ ((destructor));
++	__attribute__ ((destructor (2)));
+ #endif
+ 
+ static void
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1931,6 +1931,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
+ 	return ( status == SECSuccess ? 0 : -1 );
+ }
+ 
++#if defined(__GNUC__)
++static void
++tlsm_destroy_on_unload(void) __attribute__ ((destructor (1)));
++
++static void
++tlsm_destroy_on_unload(void)
++{
++	if (NSS_IsInitialized())
++		NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL);
++}
++#endif
++
+ /*
+  * Tear down the TLS subsystem. Should only be called once.
+  */
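Review bot: The destructor priorities `(1)` and `(2)` introduced in both files fall inside the 0–100 range that GCC reserves for the implementation, so newer compilers warn about them; values such as `(101)` and `(102)` keep the same relative order without the warning. Note also that for destructors GCC runs the larger number first, so as written `ldap_int_destroy_global_options` (2) runs before `tlsm_destroy_on_unload` (1), which is the opposite of what the numbering suggests at a glance; if the intent is to unregister the NSS shutdown callback before the global options are torn down, the numbers are reversed, and either way a one-line comment stating the required order would help the next reader. `tlsm_destroy_on_unload` also relies on `tlsm_nss_shutdown_cb` being declared earlier in tls_m.c, which is outside this hunk.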
diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch
index d5986c0..7b8510c 100644
--- a/SOURCES/openldap-nss-update-list-of-ciphers.patch
+++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch
@@ -1,15 +1,30 @@
-MozNSS: update list of supported cipher suites
+This patch updates MozNSS cipher suite definition in OpenLDAP.
 
-The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
+Author: Matus Honek <mhonek@redhat.com>
+Related: #1245279
 
+Combined two previous patches into one:
+Author: Martin Poole <mpoole@redhat.com>
 Author: Jan Vcelak <jvcelak@redhat.com>
+Related: #1231522 #1160467
 Upstream ITS: #7374
 
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 1422ce2..5e49fc5 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -211,27 +211,34 @@ typedef struct {
+@@ -76,6 +76,11 @@
+ #define HAVE_SECMOD_RESTARTMODULES 1
+ #endif
+ 
++/* NSS 3.20.0 and later have SHA384 ciphers */
++#if NSS_VERSION_INT >= 0x03140000
++#define HAVE_SHA384_CIPHERS 1
++#endif
++
+ /* InitContext does not currently work in server mode */
+ /* #define INITCONTEXT_HACK 1 */
+ 
+@@ -203,27 +208,36 @@ typedef struct {
  	int num;            /* The cipher id */
  	int attr;           /* cipher attributes: algorithms, etc */
  	int version;        /* protocol version valid for this cipher */
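Review bot: The new `#if NSS_VERSION_INT >= 0x03140000` guard depends on `NSS_VERSION_INT` being defined by the NSS headers included earlier in tls_m.c; if it is not, the preprocessor evaluates the undefined name as 0 and `HAVE_SHA384_CIPHERS` is silently never defined, so the SHA384 suites vanish from the table with no diagnostic. The includes are outside this hunk, so please confirm the macro exists in the NSS in use, or express the check with the version macros nss.h is known to carry, `#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 20)`. Either way the comment should spell out the encoding, e.g. `/* 0x03140000 encodes NSS 3.20.0 */`, since the hex literal and the prose "3.20.0" do not obviously agree to a reader.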
@@ -57,10 +72,16 @@ index 1422ce2..5e49fc5 100644
 +#define SSL_kECDH       0x00010000L
 +#define SSL_kECDHE      0x00020000L
 +#define SSL_aECDSA      0x00040000L
++#define SSL_SHA256	0x00080000L
++#define SSL_SHA384	0x00100000L
  
  /* cipher strength */
  #define SSL_NULL      0x00000001L
-@@ -248,29 +255,70 @@ typedef struct {
+@@ -237,32 +251,117 @@ typedef struct {
+ #define SSL3  0x00000002L
+ /* OpenSSL treats SSL3 and TLSv1 the same */
+ #define TLS1  SSL3
++#define TLS1_2 0x00000004L
  
  /* Cipher translation */
  static cipher_properties ciphers_def[] = {
@@ -87,72 +108,115 @@ index 1422ce2..5e49fc5 100644
 +	 */
 +
 +	/* SSLv2 ciphers */
-+	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
-+	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
-+	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
-+	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
-+	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
-+	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
++	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW},
++	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
++	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM},
++	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM},
++	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40},
++	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40},
 +
 +	/* SSLv3 ciphers */
-+	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
-+	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
-+	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
-+	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
-+	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
++	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL},
++	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},
++	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},
++	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},
++	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM},
++	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM},
++	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40},
++	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40},
++	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},
++	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},
++	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},
++	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},
  
  	/* TLSv1 ciphers */
 -	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 -	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 -	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
 -	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
-+	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
-+	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
-+	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56},
++	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56},
++	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM},
++	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1,    TLS1, SSL_HIGH},
++	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1,    TLS1, SSL_HIGH},
++	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
++	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
++	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM},
++	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
++	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
++	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL},
++	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM},
++	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH},
++	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH},
++	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH},
++	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL},
++	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM},
++	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH},
++	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH},
++	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH},
++	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL},
++	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM},
++	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH},
++	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH},
++	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH},
++	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL},
++	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM},
++	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH},
++	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH},
++	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH},
++
++/* conditional on one of the newer defs */
++#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
++	/* TLSv1.2 ciphers */
++	/* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent
++	   
++	    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
++	    ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
++	    ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
++	    ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
++	    ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
++	    ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
++	    ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
++	    ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
++	    ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
++
++	*/
++	{"NULL-SHA256",              TLS_RSA_WITH_NULL_SHA256,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256,     TLS1_2, SSL_NULL},
++	{"AES128-SHA256",            TLS_RSA_WITH_AES_128_CBC_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256,    TLS1_2, SSL_HIGH},
++	{"AES256-SHA256",            TLS_RSA_WITH_AES_256_CBC_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256,    TLS1_2, SSL_HIGH},
++	{"AES128-GCM-SHA256",        TLS_RSA_WITH_AES_128_GCM_SHA256,       SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,    TLS1_2, SSL_HIGH},
++	{"AES256-GCM-SHA384",        TLS_RSA_WITH_AES_256_GCM_SHA384,       SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
++
++	{"DHE-RSA-AES256-SHA256",     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
++	{"DHE-RSA-AES128-SHA256",     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++	{"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
++	{"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
++
++	{"DHE-DSS-AES128-SHA256",     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
++	{"DHE-DSS-AES256-SHA256",     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256,          TLS1_2, SSL_HIGH},
++	{"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++	//{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++	
++	{"ECDHE-ECDSA-AES128-SHA256",     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
++	{"ECDHE-RSA-AES128-SHA256",       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256,            TLS1_2, SSL_HIGH},
++	{"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++	{"ECDHE-RSA-AES128-GCM-SHA256",   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
++	{"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++	{"ECDHE-RSA-AES256-GCM-SHA384",   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD,   TLS1_2, SSL_HIGH},
++	{"ECDHE-ECDSA-AES256-SHA384",     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384,          TLS1_2, SSL_HIGH},
++	{"ECDHE-RSA-AES256-SHA384",       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384,            TLS1_2, SSL_HIGH},
++#endif
++
  };
  
  #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
-@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -574,6 +673,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					mask |= SSL_RSA;
  				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
  					mask |= SSL_eNULL;
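Review bot: The four SHA384 suites at the end of the TLSv1.2 block (`ECDHE-*-AES256-GCM-SHA384`, `ECDHE-*-AES256-SHA384`) are compiled in whenever `TLS_RSA_WITH_AES_128_GCM_SHA256` is defined, yet the `HAVE_SHA384_CIPHERS` macro this same patch introduces with the comment "NSS 3.20.0 and later have SHA384 ciphers" is never tested in any visible hunk; if those suites are not usable on an NSS between the two cutoffs, listing them only for NSS to reject them is confusing, so either wrap those four rows in `#ifdef HAVE_SHA384_CIPHERS … #endif` or drop the unused macro. The commented-out `//{"DHE-DSS-AES128-GCM-SHA384", …}` row should be removed outright: no suite by that name exists (the DSS/GCM/SHA384 combination is the AES-256 one already listed in the "no NSS equivalent" comment), and `//` comments are not used elsewhere in this table. The `CAMELLIA256-SHA` and `CAMELLIA128-SHA` RSA rows also fell out of column alignment when their mask changed from `SSL_CAMELLIA` to the sized variants.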
@@ -163,10 +227,12 @@ index 1422ce2..5e49fc5 100644
  				} else if (!strcmp(cipher, "AES")) {
  					mask |= SSL_AES;
  				} else if (!strcmp(cipher, "3DES")) {
-@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -588,12 +691,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					mask |= SSL_MD5;
  				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
  					mask |= SSL_SHA1;
++				} else if (!strcmp(cipher, "SHA256")) {
++					mask |= SSL_SHA256;
 +				} else if (!strcmp(cipher, "EDH")) {
 +					mask |= SSL_kEDH;
 +				} else if (!strcmp(cipher, "DSS")) {
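Review bot: `SHA384` has no keyword here although `SSL_SHA384` is defined and assigned to the `ECDHE-*-AES256-SHA384` suites in this same patch, so a cipher string that names it (for instance to exclude it with `!SHA384`) cannot be expressed; add `} else if (!strcmp(cipher, "SHA384")) { mask |= SSL_SHA384;` beside the new SHA256 branch. Whether an unrecognised token makes this parser fail or is silently ignored is decided outside the hunk, so the failure mode is worth checking, but either way the keyword set should cover every mask bit the table uses. nss_parse_ciphers starts and ends outside the hunk.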
@@ -188,6 +254,11 @@ index 1422ce2..5e49fc5 100644
  				} else if (!strcmp(cipher, "SSLv2")) {
  					protocol |= SSL2;
  				} else if (!strcmp(cipher, "SSLv3")) {
--- 
-1.7.11.4
-
+ 					protocol |= SSL3;
+ 				} else if (!strcmp(cipher, "TLSv1")) {
+ 					protocol |= TLS1;
++				} else if (!strcmp(cipher, "TLSv1.2")) {
++					protocol |= TLS1_2;
+ 				} else if (!strcmp(cipher, "HIGH")) {
+ 					strength |= SSL_HIGH;
+ 				} else if (!strcmp(cipher, "MEDIUM")) {
diff --git a/SOURCES/openldap-olcfrontend-config.patch b/SOURCES/openldap-olcfrontend-config.patch
deleted file mode 100644
index d7b81a6..0000000
--- a/SOURCES/openldap-olcfrontend-config.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 6c0d57405831fdf51e778505000af3466a42af90 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Mon, 8 Sep 2014 13:32:04 +0200
-Subject: [PATCH] fix frontend config
-
----
- servers/slapd/slapd.ldif | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/servers/slapd/slapd.ldif b/servers/slapd/slapd.ldif
-index 6c7c43c..18549d8 100644
---- a/servers/slapd/slapd.ldif
-+++ b/servers/slapd/slapd.ldif
-@@ -47,6 +47,7 @@ include: file://%SYSCONFDIR%/schema/core.ldif
- #
- dn: olcDatabase=frontend,cn=config
- objectClass: olcDatabaseConfig
-+objectClass: olcFrontendConfig
- olcDatabase: frontend
- #
- # Sample global access control policy:
--- 
-1.9.3
-
diff --git a/SOURCES/openldap-perl-fix-moduleconfig-config.patch b/SOURCES/openldap-perl-fix-moduleconfig-config.patch
new file mode 100644
index 0000000..8103487
--- /dev/null
+++ b/SOURCES/openldap-perl-fix-moduleconfig-config.patch
@@ -0,0 +1,24 @@
+fix: slaptest doesn't convert perlModuleConfig lines
+
+Resolves: #1184585
+Upstream: ITS #8105
+Author: Jan Synacek <jsynacek@redhat.com>
+
+diff --git a/servers/slapd/back-perl/config.c b/servers/slapd/back-perl/config.c
+index fd00965..d1c7886 100644
+--- a/servers/slapd/back-perl/config.c
++++ b/servers/slapd/back-perl/config.c
+@@ -219,9 +219,11 @@ perl_cf(
+ 			XPUSHs( pb->pb_obj_ref );
+ 
+ 			/* Put all arguments on the perl stack */
+-			for( args = 1; args < c->argc; args++ ) {
++			for( args = 1; args < c->argc; args++ )
+ 				XPUSHs(sv_2mortal(newSVpv(c->argv[args], 0)));
+-			}
++
++			ber_str2bv( c->line + STRLENOF("perlModuleConfig "), 0, 0, &bv );
++			value_add_one( &pb->pb_module_config, &bv );
+ 
+ 			PUTBACK ;
+ 
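Review bot: The new `ber_str2bv( c->line + STRLENOF("perlModuleConfig "), 0, 0, &bv );` assumes `c->line` always begins with exactly that keyword followed by a single space; slapd config keywords are matched case-insensitively and the separator may be a tab or several spaces, and if this handler is also reached from the cn=config path where `c->line` is built from the attribute name (`olcPerlModuleConfig …`), a fixed 17-byte offset lands inside the value and the stored module config is silently garbled. Deriving the value from what the parser already tokenized avoids the layout assumption, e.g. `char *val = c->line + strlen( c->argv[0] ); while ( isspace( (unsigned char)*val ) ) val++; ber_str2bv( val, 0, 0, &bv );`, or rejoin `c->argv[1..]`. `bv` is used without a visible declaration and the `SLAP_CONFIG_EMIT` side that reads `pb_module_config` back is not in the hunk, so confirm the value round-trips through slaptest unchanged. perl_cf starts and ends outside the hunk.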
diff --git a/SOURCES/openldap-rwm-reference-counting.patch b/SOURCES/openldap-rwm-reference-counting.patch
deleted file mode 100644
index 67f4a66..0000000
--- a/SOURCES/openldap-rwm-reference-counting.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Author: Jan Synáček <jsynacek@redhat.com>
-Resolves: #1061405
-Upstream ITS: #7723
-
-Correctly count references in rwm overlay.
-
---- a/libraries/librewrite/session.c	2010-04-13 22:23:09.000000000 +0200
-+++ b/libraries/librewrite/session.c	2013-11-08 08:47:26.000000000 +0100
-@@ -161,6 +161,7 @@
- #ifdef USE_REWRITE_LDAP_PVT_THREADS
- 	if ( session ) {
- 		ldap_pvt_thread_mutex_lock( &session->ls_mutex );
-+		session->ls_count++;
- 	}
- 	ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
- #endif /* USE_REWRITE_LDAP_PVT_THREADS */
-@@ -178,6 +179,7 @@
- )
- {
- 	assert( session != NULL );
-+	session->ls_count--;
- 	ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
- }
- 
-
-
diff --git a/SOURCES/openldap-ssl-deadlock-revert.patch b/SOURCES/openldap-ssl-deadlock-revert.patch
new file mode 100644
index 0000000..89ebed0
--- /dev/null
+++ b/SOURCES/openldap-ssl-deadlock-revert.patch
@@ -0,0 +1,54 @@
+fix: deadlock during SSL_ForceHandshake when getting connection to replica
+
+Resolves: #1125152
+Author: Jan Synacek <jsynacek@redhat.com>
+
+--- a/libraries/libldap/tls_m.c	2015-05-25 12:28:30.326645997 +0200
++++ b/libraries/libldap/tls_m.c	2015-05-25 12:33:38.143399149 +0200
+@@ -141,7 +141,6 @@ static int tlsm_init( void );
+ */
+ static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex;
+ static ldap_pvt_thread_mutex_t tlsm_init_mutex;
+-static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+ static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+ 
+ static PRStatus PR_CALLBACK
+@@ -159,12 +158,6 @@ tlsm_thr_init_callonce( void )
+ 		return PR_FAILURE;
+ 	}
+ 
+-	if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
+-		Debug( LDAP_DEBUG_ANY,
+-			   "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
+-		return PR_FAILURE;
+-	}
+-
+ 	return PR_SUCCESS;
+ }
+ 
+@@ -2037,7 +2030,6 @@ tlsm_destroy( void )
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex );
+ 	ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
+-	ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+ #endif
+ }
+ 
+@@ -2672,16 +2664,9 @@ static int
+ tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+ {
+ 	tlsm_session *s = (tlsm_session *)session;
+-	int rc;
++	int rc = SSL_ForceHandshake( s );
+ 	const char *op = is_accept ? "accept" : "connect";
+ 
+-	if ( pem_module ) {
+-		LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
+-	}
+-	rc = SSL_ForceHandshake( s );
+-	if ( pem_module ) {
+-		LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
+-	}
+ 	if ( rc ) {
+ 		PRErrorCode err = PR_GetError();
+ 		rc = -1;
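Review bot: Removing `tlsm_pem_mutex` drops the only serialization this file had around `SSL_ForceHandshake` while the PEM module is loaded, so the patch trades a deadlock for whatever thread-safety problem that lock was added for, and the header cites the bug but gives no reason why concurrent handshakes through the PEM module are now safe (a fixed nss-pem, another lock taken elsewhere, or an accepted risk). Record that rationale and the upstream change being reverted either in the patch description or at the call site, e.g. `/* handshake is no longer serialized for the PEM module (rhbz#1125152): … */`, since any other user of `tlsm_pem_mutex` elsewhere in tls_m.c would now fail to compile and a future reader will otherwise reinstate the lock. Initializing `rc` with the handshake call also moves real work into a declaration, which the original `int rc;` plus later assignment avoided; keep the declaration and assign after `op` is set. tlsm_session_accept_or_connect continues past the hunk.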
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
index 050ee05..4a76c2f 100644
--- a/SOURCES/slapd.service
+++ b/SOURCES/slapd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenLDAP Server Daemon
-After=syslog.target network.target
+After=syslog.target NetworkManager-wait-online.service
 Documentation=man:slapd
 Documentation=man:slapd-config
 Documentation=man:slapd-hdb
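Review bot: `After=` alone only orders slapd behind `NetworkManager-wait-online.service` when that unit happens to be active; nothing here pulls it in, and on a host without NetworkManager (systemd-networkd, the legacy network service) the name is simply unknown, so with `network.target` removed the unit loses even the basic ordering it had. The portable form for "bind to a specific interface address at start-up" is `After=network-online.target` together with `Wants=network-online.target`, which NetworkManager-wait-online.service or its networkd equivalent satisfies, keeping `network.target` in the `After=` list. `syslog.target` is obsolete under journald and could be dropped while this line is being touched.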
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 34647d7..d082ecb 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -4,8 +4,8 @@
 %global check_password_version 1.1
 
 Name: openldap
-Version: 2.4.39
-Release: 7%{?dist}
+Version: 2.4.40
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -31,7 +31,6 @@ Patch3: openldap-reentrant-gethostby.patch
 Patch4: openldap-smbk5pwd-overlay.patch
 Patch5: openldap-ldaprc-currentdir.patch
 Patch6: openldap-userconfig-setgid.patch
-Patch7: openldap-dns-priority.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-man-sasl-nocanon.patch
 Patch10: openldap-ai-addrconfig.patch
@@ -41,6 +40,8 @@ Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch14: openldap-nss-ignore-certdb-type-prefix.patch
 Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
 Patch16: openldap-nss-pk11-freeslot.patch
+Patch17: openldap-nss-unregister-on-unload.patch
+Patch18: openldap-ssl-deadlock-revert.patch
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
 # the proper fix is to link all perl modules against libperl
@@ -48,16 +49,22 @@ Patch16: openldap-nss-pk11-freeslot.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
-# rwm reference counting fix, pending upstream inclusion
-Patch21: openldap-rwm-reference-counting.patch
 # upstreamed, ITS #7979
 Patch22: openldap-support-tlsv1-and-later.patch
-# upstreamed, ITS #7933
-Patch23: openldap-olcfrontend-config.patch
 # pending upstream inclusion, ITS #7744
 Patch24: openldap-man-tls-reqcert.patch
+# already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c
+Patch25: openldap-perl-fix-moduleconfig-config.patch
+# already in upstream, see ITS#8150, incorporated by commit 39b05c7
+Patch26: openldap-fix-missing-frontend-indexing.patch
+Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch
+Patch28: openldap-nss-ciphers-use-nss-defaults.patch
 # CVE-2015-6908, ITS#8240
-Patch25: openldap-ITS8240-remove-obsolete-assert.patch
+Patch29: openldap-ITS8240-remove-obsolete-assert.patch
+
+# check-password module specific patches
+Patch90: check-password-makefile.patch
+Patch91: check-password.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
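Review bot: `Patch27` and `Patch28` are the only entries in this list added without a provenance comment, while their neighbours record the bug, ITS number and upstream status; the changelog mentions mask handling and NSS-default ciphers for #1231522/#1245279, so add the same kind of line above each, e.g. `# fix: cipher suite mask parsing (#1231522), pending upstream` and `# use NSS defaults for the DEFAULT cipher string (#1245279)`, adjusting to the real upstream state. Keeping the CVE-2015-6908 comment attached to the renumbered `Patch29` is good; the same discipline should apply to the two new patches so that a later rebase knows which ones can be dropped.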
@@ -68,7 +75,7 @@ BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel
 # smbk5pwd overlay:
 BuildRequires: openssl-devel
 Requires: nss-tools
-Requires(post): rpm, coreutils
+Requires(post): rpm, coreutils, findutils
 
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -163,7 +170,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
@@ -173,13 +179,17 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %patch19 -p1
 %patch20 -p1
-%patch21 -p1
 %patch22 -p1
-%patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
 
 %patch102 -p1
 
@@ -197,6 +207,11 @@ done
 
 popd
 
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%patch90 -p1
+%patch91 -p1
+popd
+
 %build
 
 %ifarch s390 s390x
@@ -207,7 +222,7 @@ popd
 export LDFLAGS="-pie"
 # avoid stray dependencies (linker flag --as-needed)
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
+export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS"
 
 pushd openldap-%{version}
 %configure \
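Review bot: `-Wl,-z,relro,-z,now` are linker options and only reach the link step here because libtool reuses `$CFLAGS` when linking; the `export LDFLAGS="-pie"` two lines above is where they belong, e.g. `export LDFLAGS="-pie -Wl,-z,relro,-z,now"`, so the hardening applies wherever the build links instead of depending on CFLAGS propagation. `-pie` in LDFLAGS also needs objects compiled with `-fPIE`, which is not visible in this CFLAGS line; if the PIE check from the changelog passes, note in a comment where that flag comes from. `-Wl,--as-needed` sits in CFLAGS for the same historical reason, so moving all three linker flags together keeps the intent in one place.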
@@ -272,7 +287,9 @@ popd
 
 # install check_password module
 pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
-install -m 755 check_password.so %{buildroot}%{_libdir}/openldap/
+mv check_password.so check_password.so.%{check_password_version}
+ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
+install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
 # install -m 644 README %{buildroot}%{_libdir}/openldap
 install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
 cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
@@ -285,11 +302,8 @@ cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
 #minDigit 0
 #minPunct 0
 EOF
-sed -i -e 's/check_password\.so/check_password.so.%{check_password_version}/' README
 mv README{,.check_pwd}
 popd
-# rename the library
-mv %{buildroot}%{_libdir}/openldap/check_password.so{,.%{check_password_version}}
 
 # setup directories for TLS certificates
 mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
@@ -363,19 +377,22 @@ chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
 
 # remove files which we don't want packaged
 rm -f %{buildroot}%{_libdir}/*.la
+mv %{buildroot}%{_libdir}/openldap/check_password.so{,.tmp}
 rm -f %{buildroot}%{_libdir}/openldap/*.so
+mv %{buildroot}%{_libdir}/openldap/check_password.so{.tmp,}
 
 rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
 rmdir %{buildroot}%{_localstatedir}/openldap-data
 
 %post
-
-/sbin/ldconfig
-
 # create certificate database
 %{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :
 
-%postun -p /sbin/ldconfig
+%postun
+#update only on package erase
+if [ $1 == 0 ]; then
+    /sbin/ldconfig
+fi
 
 %pre servers
 
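Review bot: `if [ $1 == 0 ]; then` in `%postun` is a bash extension; rpm scriptlets run under `/bin/sh`, so use the POSIX form `if [ "$1" -eq 0 ]; then`. More importantly, the main package ships the libldap/liblber shared libraries yet `%post` no longer runs `/sbin/ldconfig` at all and `%postun` runs it only on erase, so after an install or upgrade the new sonames are not in ld.so.cache until some unrelated package refreshes it; unless the rpm -V complaint was specifically about this call, keep `/sbin/ldconfig` as the first line of `%post` and run it unconditionally in `%postun`. The rename-delete-rename sequence used to keep `check_password.so` while deleting the other `*.so` symlinks reads as a trick; `for f in %{buildroot}%{_libdir}/openldap/*.so; do [ "$(basename "$f")" = check_password.so ] || rm -f "$f"; done` says the same thing directly, ideally with a comment on why that one file must survive (it is presumably what `moduleload check_password.so` resolves).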
@@ -400,7 +417,8 @@ exit 0
 
 %post servers
 
-/sbin/ldconfig
+/sbin/ldconfig -n %{_libdir}/openldap
+
 %systemd_post slapd.service
 
 # generate sample TLS certificate for server (will not replace)
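Review bot: `/sbin/ldconfig -n %{_libdir}/openldap` is a non-obvious call: with `-n` ldconfig does not rebuild ld.so.cache at all and only creates SONAME symlinks inside the named directory, which is presumably the behaviour the rpm -V fix (#1230263 in the changelog) relies on. Without a comment the next maintainer will "simplify" it back to plain `/sbin/ldconfig`; add `# create SONAME links for the slapd modules only; do not rebuild ld.so.cache (rhbz#1230263)` above the line. The symlinks it creates are not owned by the package, so whatever removes them on erase should be documented in the same place.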
@@ -472,7 +490,7 @@ exit 0
 
 %postun servers
 
-/sbin/ldconfig
+/sbin/ldconfig ${_libdir}/openldap
 %systemd_postun_with_restart slapd.service
 
 
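Review bot: `${_libdir}` on the new ldconfig line is a shell variable reference, not the RPM macro `%{_libdir}`; rpm does not expand it, so at run time the scriptlet executes `/sbin/ldconfig /openldap` against a path that does not exist and the call does nothing useful for the module directory. It should read `/sbin/ldconfig -n %{_libdir}/openldap` to mirror the `%post servers` form, or plain `/sbin/ldconfig` if the intent is only to refresh the cache. Note that ldconfig never deletes stale symlinks, so if the goal is cleaning up the links made in `%post servers`, that needs an explicit `rm -f` in `%preun` on erase rather than this call.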
@@ -615,8 +633,45 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
-* Wed Sep 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.39-7
-- CVE-2015-6908 openldap: ber_get_next denial of service vulnerability (#1263173)
+* Wed Sep 23 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-8
+- NSS does not support string ordering (#1231522)
+- implement and correct order of parsing attributes (#1231522)
+- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
+- add new cipher suites and correct AES-GCM attributes (#1245279)
+- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)
+
+* Mon Sep 14 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-7
+- Merge two MozNSS cipher suite definition patches into one. (#1245279)
+- Use what NSS considers default for DEFAULT cipher string. (#1245279)
+- Remove unnecesary defaults from ciphers' definitions (#1245279)
+
+* Tue Sep 01 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-6
+- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)
+
+* Fri Jul 24 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-5
+- enhancement: support TLS 1.1 and later (#1231522,#1160467)
+- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
+- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)
+
+* Mon Jun 29 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-4
+- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended
+
+* Mon Jun 22 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-3
+- fix: rpm -V complains (#1230263)
+
+* Wed Jun  3 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-2
+- fix: missing frontend database indexing (#1226600)
+
+* Wed May 20 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-1
+- new upstream release (#1147982)
+- fix: PIE and RELRO check (#1092562)
+- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
+- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
+- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
+- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
+- improve check_password (#1174723, #1196243)
+- provide an unversioned symlink to check_password.so.1.1 (#1174634)
+- add findutils to requires (#1209229)
 
 * Thu Dec  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
 - refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)