commit ce06a829733c3f351c57de1b79fdc0be061f6754
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Wed Nov 6 08:28:37 2013 -0500
PCP NSS support: use "domestic" rather than "export" cipher suite
Modern versions of NSS are starting to disable the obsolete and
puny-security "export" suite of ciphers. We certainly shouldn't
limit ourselves to them.
diff --git a/src/libpcp/src/secureconnect.c b/src/libpcp/src/secureconnect.c
index 4b6803c..c2bb279 100644
--- a/src/libpcp/src/secureconnect.c
+++ b/src/libpcp/src/secureconnect.c
@@ -400,10 +400,12 @@ __pmInitCertificates(void)
PK11_FreeSlot(slot);
}
- secsts = NSS_SetExportPolicy();
- if (secsts != SECSuccess)
- return __pmSecureSocketsError(PR_GetError());
-
+ /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
+ do {
+ const PRUint16 *cipher;
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher)
+ SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
+ } while (0);
SSL_ClearSessionCache();
return 0;
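Review bot: The new loop in __pmInitCertificates discards the SECStatus returned by SSL_CipherPolicySet, so a policy failure now goes unreported, whereas the removed NSS_SetExportPolicy call returned `__pmSecureSocketsError(PR_GetError())`. Keep the check inside the loop: `if (SSL_CipherPolicySet(*cipher, SSL_ALLOWED) != SECSuccess) return __pmSecureSocketsError(PR_GetError());`. The identical loop in the secureserver.c hunk has the same gap; there the failure path should log through __pmNotifyErr and `goto done`, as the removed code did. The function body starts outside the hunk, so whether `secsts` is still needed afterwards cannot be confirmed from here.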
diff --git a/src/libpcp/src/secureserver.c b/src/libpcp/src/secureserver.c
index 856df81..c248202 100644
--- a/src/libpcp/src/secureserver.c
+++ b/src/libpcp/src/secureserver.c
@@ -279,12 +279,12 @@ __pmSecureServerSetup(const char *db, const char *passwd)
goto done;
}
- secsts = NSS_SetExportPolicy();
- if (secsts != SECSuccess) {
- __pmNotifyErr(LOG_ERR, "Unable to set NSS export policy: %s",
- pmErrStr(__pmSecureSocketsError(PR_GetError())));
- goto done;
- }
+ /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
+ do {
+ const PRUint16 *cipher;
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher)
+ SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
+ } while (0);
/* Configure SSL session cache for multi-process server, using defaults */
secsts = SSL_ConfigMPServerSIDCache(0, 0, 0, NULL);
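Review bot: Marking every entry of SSL_ImplementedCiphers as SSL_ALLOWED also permits the export-grade suites the commit message calls obsolete, along with any NULL-encryption suites this NSS build implements, and nothing in this hunk narrows the set afterwards. Policy only permits a suite, so whether a weak one can be negotiated depends on the cipher preferences in effect, which are not visible here. It is worth confirming that those suites stay disabled by preference on the server socket. The comment is also misleading because NSS_SetDomesticPolicy is never called; something like `/* Allow all implemented suites by policy ourselves (NSS_SetDomesticPolicy is unreliable in some NSS versions); enabling is left to cipher preferences. */` would state the intent. The client-side loop in the secureconnect.c hunk has the same issue.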