[389-commits] Branch 'refs/tags/389-ds-base-1.3.3.2' - 6 commits - dirsrvtests/tickets ldap/schema ldap/servers VERSION.sh

Nathan Kinder nkinder at fedoraproject.org
Fri Sep 12 18:59:40 UTC 2014


Rebased ref, commits from common ancestor:
commit 2ea6c3a1e926965503798c866c5c3200940ae0a8
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Sep 11 14:57:25 2014 -0700

    bump version to 1.3.3.2

diff --git a/VERSION.sh b/VERSION.sh
index 4a3ec3e..e23167e 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=3
-VERSION_MAINT=3.1
+VERSION_MAINT=3.2
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel


commit 0363fa49265c0c27d510064cea361eb400802548
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date:   Thu Sep 11 09:47:29 2014 +0200

    Ticket 47889 - DS crashed during ipa-server-install on test_ava_filter
    
    Bug Description:
    	During a MOD the target entry is duplicated and mods are applied
    	on the duplicated entry that is set in the pblock (SLAPI_MODIFY_EXISTING_ENTRY).
    	In case of transient DB error, ldbm_back_modify retries.
    	But when retrying the duplicated entry will be freed and needs to be duplicated again.
    	The new duplicated entry needs to be set in the pblock.
    	https://fedorahosted.org/389/ticket/47834 erroneously skipped the setting of SLAPI_MODIFY_EXISTING_ENTRY
    
    Fix Description:
    	Set SLAPI_MODIFY_EXISTING_ENTRY during mod/retry
    
    https://fedorahosted.org/389/ticket/47889
    
    Reviewed by: ?
    
    Platforms tested: F20
    
    Flag Day: no
    
    Doc impact: no
    
    (cherry picked from commit 3b5f3fa1b82cde2bda1104cf758acb64f6484009)

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 254ef29..529bd32 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -529,6 +529,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
 					CACHE_REMOVE(&inst->inst_cache, ec);
 				}
 				CACHE_RETURN(&inst->inst_cache, &ec);
+				slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, original_entry->ep_entry );
 				ec = original_entry;
 				original_entry = tmpentry;
 				tmpentry = NULL;
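Review bot: The new `slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, original_entry->ep_entry )` carries no comment saying why the pblock has to be refreshed at this point, and the reason is the crash itself: per the commit message the duplicate that `ec` pointed to is released on retry, so anything reading SLAPI_MODIFY_EXISTING_ENTRY after the `CACHE_RETURN` just above would otherwise hold a dangling pointer. Suggest `/* ec was just returned to the cache; repoint SLAPI_MODIFY_EXISTING_ENTRY at the fresh duplicate so the retry never sees the released entry */` above the call. ldbm_back_modify starts and ends outside this hunk, so whether the first (non-retry) pass sets the same pblock slot cannot be confirmed from here.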


commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Sep 10 18:56:43 2014 -0700

    Ticket #47895 - If no effective ciphers are available, disable security setting.
    
    Description: If nsslapd-security is "on" and nsSSL3Ciphers is given
    AND none of the ciphers are available or some syntax error is detected,
    the server sets nsslapd-security "off" and starts up.
    
    https://fedorahosted.org/389/ticket/47895
    
    Reviewed by nkinder at redhat.com (Thank you, Nathan!!)
    
    (cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)

diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d577514..6bad2a0 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
 }
 #endif /* LDAP_DEBUG */
 
+static int
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
+{
+	char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+	errorbuf[0] = '\0';
+
+    LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed.  Disabling %s.\n", what, what);
+    ports_info->s_socket = SLAPD_INVALID_SOCKET;
+    ports_info->s_port = 0;
+    *init_ssl = 0;
+    if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
+        LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n", 
+                       CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
+        return 1;
+    }
+	return 0;
+}
+
 /*
   This function does all NSS and SSL related initialization
   required during startup.  We use this function rather
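Review bot: force_to_disable_security mixes tab indentation (the `errorbuf` declaration and the final `return 0;`) with four-space indentation for the rest of the body, and the re-indented lines in the two following hunks do the same; pick one style for the new code. More substantively, the function turns a failed NSS/SSL initialization into a fail-open start: `config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)` flips the running configuration and the server comes up listening in cleartext only, yet the log line `"ERROR: %s Initialization Failed.  Disabling %s.\n"` does not say so. Suggest making the downgrade explicit, e.g. `"ERROR: %s Initialization Failed.  Disabling %s; the secure port is disabled and the server will start without TLS.\n"`, so operators and log-based monitoring see a TLS downgrade rather than a generic init error. Also, `ports_info->s_socket` is overwritten with SLAPD_INVALID_SOCKET without closing whatever it held; if the secure listeners already exist at this point (the third hunk iterates them) they are dropped unclosed — worth confirming.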
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 	 * modules can assume NSS is available
 	 */
 	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
-                        (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
-        LDAPDebug(LDAP_DEBUG_ANY,
-                  "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
-        return 1;
+	                    (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+	    if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
+	        return 1;
+	    }
 	}
 
 	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
         client_auth_init();
 	}
 
-	if ( init_ssl && ( 0 != slapd_ssl_init())) {
-		LDAPDebug(LDAP_DEBUG_ANY,
-                  "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
-		return 1;
+	if (init_ssl && slapd_ssl_init()) {
+	    if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
+	        return 1;
+	    }
 	}
 
 	if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
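Review bot: After `slapd_nss_init` fails, the new code only disables the secure port and continues, yet `client_auth_init()` on the following lines still runs whenever slapd_exemode is SLAPD_EXEMODE_SLAPD; the old code returned before reaching it, and whether that call is safe without an initialized NSS is not visible in this hunk and should be confirmed. If it is not, track the NSS failure separately (for example a local `int nss_ok = 1;` cleared in the failure branch and checked before `client_auth_init();`) rather than keying on `init_ssl`, which is also zero when security is simply off. The enclosing function slapd_do_all_nss_ssl_init starts before this hunk and continues into the next one.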
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 		if ( init_ssl ) {
 			PRFileDesc **sock;
 			for (sock = ports_info->s_socket; sock && *sock; sock++) {
-				if ( 0 != slapd_ssl_init2(sock, 0) ) {
-					LDAPDebug(LDAP_DEBUG_ANY,
-                              "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
-					return 1;
+				if ( slapd_ssl_init2(sock, 0) ) {
+				    if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
+				        return 1;
+				    }
 				}
 			}
 		}
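Review bot: The loop keeps iterating after `force_to_disable_security("SSL2", &init_ssl, ports_info)` succeeds: `sock` is a local copy of the original `ports_info->s_socket` array, so the remaining sockets are still passed to `slapd_ssl_init2` although `init_ssl` is now zero and `ports_info->s_socket` has been replaced, producing a repeated "Disabling SSL2" error and repeated config_set_security calls per remaining socket. Add `break;` right after the inner `if` block so the first failure ends the phase-2 loop. The enclosing `if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||` condition starts in the previous hunk.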


commit 3877981d63fb82716b60cd1294008b2d272197c9
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Sep 10 18:48:07 2014 -0700

    Ticket 47838,47895 - CI test: add test cases for ticket 47838 and 47895
    
    Description:
    Ticket #47838: harden the list of ciphers available by default
    Adding test cases for default behaviour change of allowWeakCipher.
    
    Ticket #47895 - If no effective ciphers are available, disable security setting.
    Test case for "Even if no cipher is available, the server starts
    without SSL" is added.
    
    https://fedorahosted.org/389/ticket/47838
    (cherry picked from commit 4fb1a04ceb9631680a9bcff844250afb4b6e5b7d)

diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py
index dedd61d..0e406f3 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -201,6 +201,7 @@ def test_ticket47838_init(topology):
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'),
                                                  (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'),
+                                                 (ldap.MOD_REPLACE, 'allowWeakCipher', 'on'),
                                                  (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')])
 
     topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-security', 'on'),
@@ -217,6 +218,7 @@ def test_ticket47838_run_0(topology):
     """
     Check nsSSL3Ciphers: +all
     All ciphers are enabled except null.
+    Note: allowWeakCipher: on
     """
     _header(topology, 'Test Case 1 - Check the ciphers availability for "+all"')
 
@@ -226,42 +228,78 @@ def test_ticket47838_run_0(topology):
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.restart(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
     log.info("Enabled ciphers: %d" % ecount)
     log.info("Disabled ciphers: %d" % dcount)
-    assert ecount >= 60
-    assert dcount <= 7
+    assert ecount >= 31
+    assert dcount <= 36
     global plus_all_ecount
     global plus_all_dcount
     plus_all_ecount = ecount
     plus_all_dcount = dcount
-    weak =  os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
     wcount = int(weak.readline().rstrip())
     log.info("Weak ciphers: %d" % wcount)
     assert wcount <= 29
 
 def test_ticket47838_run_1(topology):
     """
+    Check nsSSL3Ciphers: +all
+    All ciphers are enabled except null.
+    Note: allowWeakCipher: off for +all
+    """
+    _header(topology, 'Test Case 2 - Check the ciphers availability for "+all" with not allowing WeakCiphers')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')])
+    # Make sure allowWeakCipher is not set.
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'allowWeakCipher', None)])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
+    ecount = int(enabled.readline().rstrip())
+    dcount = int(disabled.readline().rstrip())
+
+    log.info("Enabled ciphers: %d" % ecount)
+    log.info("Disabled ciphers: %d" % dcount)
+    assert ecount >= 31
+    assert dcount <= 36
+    weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    wcount = int(weak.readline().rstrip())
+    log.info("Weak ciphers: %d" % wcount)
+    assert wcount <= 29
+
+def test_ticket47838_run_2(topology):
+    """
     Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha
     rsa_aes_128_sha, tls_rsa_aes_128_sha, rsa_aes_256_sha, tls_rsa_aes_256_sha are enabled.
     """
-    _header(topology, 'Test Case 2 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"')
+    _header(topology, 'Test Case 3 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    #topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha'),
+    #                                             (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
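Review bot: The cipher counting in test_ticket47838_run_0 and the new test_ticket47838_run_1 shells out through `os.popen('egrep ... | wc -l' % errlog)` and then calls `int(enabled.readline().rstrip())`; if the pipeline produces no output (missing binary, unreadable path, a path containing shell metacharacters) the test dies with a bare ValueError instead of a useful assertion. Counting in Python removes the shell and the egrep/wc dependency, e.g. `ecount = sum(1 for l in open(topology.standalone.errlog) if 'SSL alert:' in l and ': enabled' in l)`. Note also that `\"` inside the single-quoted pattern strings is just `"` in Python, so the backslashes are no-ops, and that the "Restarting the server" log line is emitted twice in run_1. The same popen pattern recurs in every later hunk of this file through test_ticket47838_run_last.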
@@ -272,24 +310,24 @@ def test_ticket47838_run_1(topology):
     assert ecount == 2
     assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
 
-def test_ticket47838_run_2(topology):
+def test_ticket47838_run_3(topology):
     """
     Check nsSSL3Ciphers: -all
     All ciphers are disabled.
     """
-    _header(topology, 'Test Case 3 - Check the ciphers availability for "-all"')
+    _header(topology, 'Test Case 4 - Check the ciphers availability for "-all"')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -300,24 +338,24 @@ def test_ticket47838_run_2(topology):
     assert ecount == 0
     assert dcount == (plus_all_ecount + plus_all_dcount)
 
-def test_ticket47838_run_3(topology):
+def test_ticket47838_run_4(topology):
     """
     Check no nsSSL3Ciphers
     Default ciphers are enabled.
     """
-    _header(topology, 'Test Case 4 - Check no nssSSL3Chiphers (default setting)')
+    _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting)')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3Ciphers', '-all')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -327,29 +365,29 @@ def test_ticket47838_run_3(topology):
     global plus_all_dcount
     assert ecount == 12
     assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
-    weak =  os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
     wcount = int(weak.readline().rstrip())
     log.info("Weak ciphers in the default setting: %d" % wcount)
     assert wcount == 0
 
-def test_ticket47838_run_4(topology):
+def test_ticket47838_run_5(topology):
     """
     Check nsSSL3Ciphers: default
     Default ciphers are enabled.
     """
-    _header(topology, 'Test Case 5 - Check default nssSSL3Chiphers (default setting)')
+    _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting)')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -359,29 +397,29 @@ def test_ticket47838_run_4(topology):
     global plus_all_dcount
     assert ecount == 12
     assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
-    weak =  os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
     wcount = int(weak.readline().rstrip())
     log.info("Weak ciphers in the default setting: %d" % wcount)
     assert wcount == 0
 
-def test_ticket47838_run_5(topology):
+def test_ticket47838_run_6(topology):
     """
     Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5
     All ciphers are disabled.
     """
-    _header(topology, 'Test Case 6 - Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5')
+    _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
-    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-rsa_rc4_128_md5')])
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-tls_dhe_rsa_aes_128_gcm_sha')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -389,27 +427,29 @@ def test_ticket47838_run_5(topology):
     log.info("Disabled ciphers: %d" % dcount)
     global plus_all_ecount
     global plus_all_dcount
+    log.info("ALL Ecount: %d" % plus_all_ecount)
+    log.info("ALL Dcount: %d" % plus_all_dcount)
     assert ecount == (plus_all_ecount - 1)
     assert dcount == (plus_all_dcount + 1)
 
-def test_ticket47838_run_6(topology):
+def test_ticket47838_run_7(topology):
     """
     Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
     All ciphers are disabled.
     """
-    _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5')
+    _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all,+rsa_rc4_128_md5')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -420,25 +460,59 @@ def test_ticket47838_run_6(topology):
     assert ecount == 1
     assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
 
-def test_ticket47838_run_7(topology):
+def test_ticket47838_run_8(topology):
+    """
+    Check nsSSL3Ciphers: default + allowWeakCipher: off
+    Strong Default ciphers are enabled.
+    """
+    _header(topology, 'Test Case 9 - Check default nssSSL3Chiphers (default setting + allowWeakCipher: off)')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'),
+                                                 (ldap.MOD_REPLACE, 'allowWeakCipher', 'off')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
+    ecount = int(enabled.readline().rstrip())
+    dcount = int(disabled.readline().rstrip())
+
+    log.info("Enabled ciphers: %d" % ecount)
+    log.info("Disabled ciphers: %d" % dcount)
+    global plus_all_ecount
+    global plus_all_dcount
+    assert ecount == 12
+    assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
+    weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    wcount = int(weak.readline().rstrip())
+    log.info("Weak ciphers in the default setting: %d" % wcount)
+    assert wcount == 0
+
+def test_ticket47838_run_9(topology):
     """
     Check no nsSSL3Ciphers
     Default ciphers are enabled.
     """
-    _header(topology, 'Test Case 8 - Check no nssSSL3Chiphers (default setting) with no errorlog-level')
+    _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with no errorlog-level')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
-    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None)])
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None),
+                                                 (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
     topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_8' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -446,12 +520,12 @@ def test_ticket47838_run_7(topology):
     log.info("Disabled ciphers: %d" % dcount)
     assert ecount == 12
     assert dcount == 0
-    weak =  os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
     wcount = int(weak.readline().rstrip())
     log.info("Weak ciphers in the default setting: %d" % wcount)
     assert wcount == 0
 
-def test_ticket47838_run_8(topology):
+def test_ticket47838_run_10(topology):
     """
     Check nssSSL3Chiphers: -TLS_RSA_WITH_NULL_MD5,+TLS_RSA_WITH_RC4_128_MD5,
         +TLS_RSA_EXPORT_WITH_RC4_40_MD5,+TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
@@ -462,7 +536,7 @@ def test_ticket47838_run_8(topology):
         -SSL_CK_RC2_128_CBC_WITH_MD5,-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
         -SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5
     """
-    _header(topology, 'Test Case 9 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name')
+    _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 
@@ -470,12 +544,12 @@ def test_ticket47838_run_8(topology):
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_9' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    enabled =  os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
-    disabled =  os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+    enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+    disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
     ecount = int(enabled.readline().rstrip())
     dcount = int(disabled.readline().rstrip())
 
@@ -485,32 +559,56 @@ def test_ticket47838_run_8(topology):
     global plus_all_dcount
     assert ecount == 9
     assert dcount == 0
-    weak =  os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+    weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
     wcount = int(weak.readline().rstrip())
     log.info("Weak ciphers in the default setting: %d" % wcount)
 
-def test_ticket47838_run_9(topology):
+    topology.standalone.log.info("ticket47838 was successfully verified.");
+
+def test_ticket47838_run_11(topology):
+    """
+    Check nssSSL3Chiphers: +fortezza
+    SSL_GetImplementedCiphers does not return this as a secuire cipher suite
+    """
+    _header(topology, 'Test Case 12 - Check nssSSL3Chiphers: +fortezza, which is not supported')
+
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+fortezza')])
+
+    log.info("\n######################### Restarting the server ######################\n")
+    topology.standalone.stop(timeout=10)
+    os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('touch %s' % (topology.standalone.errlog))
+    topology.standalone.start(timeout=120)
+
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "is not available in NSS"' % topology.standalone.errlog)
+    if errmsg != "":
+        log.info("Expected error message:")
+        log.info("%s" % errmsg.readline())
+    else:
+        log.info("Expected error message was not found")
+        assert False
+
+def test_ticket47838_run_last(topology):
     """
-    NOTE: Currently, this test case is commented out since if the server fails to start,
-    it repeatedly restarted.
     Check nssSSL3Chiphers: all <== invalid value
     All ciphers are disabled.
     """
-    _header(topology, 'Test Case 10 - Check nssSSL3Chiphers: all, which is invalid')
+    _header(topology, 'Test Case 13 - Check nssSSL3Chiphers: all, which is invalid')
 
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
     topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'all')])
 
     log.info("\n######################### Restarting the server ######################\n")
     topology.standalone.stop(timeout=10)
-    os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+    os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog))
     os.system('touch %s' % (topology.standalone.errlog))
     topology.standalone.start(timeout=120)
 
-    errmsg =  os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog)
+    errmsg = os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog)
     if errmsg != "":
         log.info("Expected error message:")
-        log.info("%s" % errmsg)
+        log.info("%s" % errmsg.readline())
     else:
         log.info("Expected error message was not found")
         assert False
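Review bot: `if errmsg != "":` in both the new test_ticket47838_run_11 and test_ticket47838_run_last compares the pipe object returned by os.popen with a string, which is always true, so the `assert False` branch can never run and both tests pass even when the expected SSL alert is absent (run_last had the same condition before this change). Read the output first: `line = errmsg.readline()` / `if line:` / `log.info("%s" % line)`. Separately, the `"ticket47838 was successfully verified."` line added at the end of run_10 is logged before run_11 and run_last have executed, so it reports success prematurely; move it to the last test case (and drop the trailing semicolon). The docstring of run_11 also misspells "secure" as "secuire".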
@@ -519,6 +617,9 @@ def test_ticket47838_run_9(topology):
 
 def test_ticket47838_final(topology):
     topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+    topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)])
+    topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'),
+                                                 (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
     topology.standalone.stop(timeout=10)
 
 def run_isolated():
@@ -544,7 +645,11 @@ def run_isolated():
     test_ticket47838_run_6(topo)
     test_ticket47838_run_7(topo)
     test_ticket47838_run_8(topo)
-    # test_ticket47838_run_9(topo)
+    test_ticket47838_run_9(topo)
+    test_ticket47838_run_10(topo)
+    test_ticket47838_run_11(topo)
+
+    test_ticket47838_run_last(topo)
     
     test_ticket47838_final(topo)
 


commit 58cb12a7b8cf938c5a4b920c4a1ad1da02fecdb8
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Sep 11 11:46:51 2014 -0700

    Ticket #47838 - harden the list of ciphers available by default
    
    Description:
    1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
       allowWeakCipher: [on | off]
                         on  -- allows weak ciphers.
                                Default setting for user specified ciphers.
                         off -- rejects weak ciphers.
                                Default setting for +all and default.
    
    2. allowWeakCipher is applied only to the user specified cipher suites
       such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
       If allowWeakCipher is enabled and the user specified cipher is weak,
          SSL alert is logged in the error log:
           SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
           allowWeakCipher is "on" (default setting for the backward compatibility).
           We strongly recommend to set it to "off".  Please replace the value of
           allowWeakCipher with "off" in the encryption config entry cn=encryption,
           cn=config and restart the server.
    
    3. If specified cipher suite is not supported, ignore the cipher suite
       and continue setting ciphers.
    
    https://fedorahosted.org/389/ticket/47838
    
    Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
    
    (cherry picked from commit 5f3c87e1380e56d76d4a4bef3af07633a8589891)

diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 1b8a70b..c7aec70 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -128,6 +128,7 @@ attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Net
 attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
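Review bot: The new `allowWeakCipher` attribute is declared with `DESC 'Netscape defined attribute type'` and DirectoryString syntax, which tells an administrator nothing about the values the server understands; the parser added to ssl.c in this commit treats only off/false/0/no as disabling and anything else as on. A description such as `DESC 'Allow weak ciphers explicitly named in nsSSL3Ciphers (on|off, default on)'` would record that contract where it is discovered. The syntax matches the neighbouring nsSSL* attributes, so changing it is not suggested.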
@@ -316,7 +317,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
 objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
 objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top  MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 1a21df0..03b5904 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -119,7 +119,21 @@ static char * configDN = "cn=encryption,cn=config";
 #define FILE_PATHSEP '/'
 
 /* ----------------------- Multiple cipher support ------------------------ */
-
+/* cipher set flags */
+#define CIPHER_SET_ALL             0x1
+#define CIPHER_SET_NONE            0x0
+#define CIPHER_SET_DEFAULT         0x2
+#define CIPHER_SET_CORE            (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
+
+#define CIPHER_SET_ISDEFAULT(flag) \
+  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_ISALL(flag) \
+  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+  (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
+  ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
 
 /* flags */
 #define CIPHER_IS_DEFAULT       0x1
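Review bot: Three spellings of the weak-cipher flag now coexist: the flag `CIPHER_SET_ALLOWWEAKCIPHER`, the predicate `CIPHER_SET_ALLOWSWEAKCIPHER(flag)` that differs from it by a single letter, and `CIPHER_SET_ALLOW_WEAKCIPHER` in the `_conf_setallciphers` header comment added in the @@ -339,21 +353,20 @@ hunk, which names a macro that does not exist. Naming the predicate in line with `CIPHER_SET_ISDEFAULT`/`CIPHER_SET_ISALL`, e.g. `#define CIPHER_SET_ISALLOWWEAKCIPHER(flag)`, would keep flag and test visibly distinct. That comment line should also read `CIPHER_SET_ALLOWWEAKCIPHER -- allow weak ciphers (can be or'ed with the other CIPHER_SET flags)` (it currently says "ather").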
@@ -158,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
     {"tls_rsa_3des_sha",                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
     {"rsa_fips_3des_sha",                   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
     {"fips_3des_sha",                       "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
-    {"rsa_des_sha",                         "TLS_RSA_WITH_DES_CBC_SHA"},
+    {"rsa_des_sha",                         "SSL_RSA_WITH_DES_CBC_SHA"},
     {"rsa_fips_des_sha",                    "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
     {"fips_des_sha",                        "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
     {"rsa_rc4_40_md5",                      "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
@@ -339,21 +353,20 @@ _conf_init_ciphers()
     return;
 }
 
-#define CIPHER_SET_ALL     1
-#define CIPHER_SET_NONE    0
-#define CIPHER_SET_DEFAULT 2
 /*
- * flag: 1 -- enable all
- *       0 -- disable all
- *       2 -- set default ciphers
+ * flag: CIPHER_SET_ALL     -- enable all
+ *       CIPHER_SET_NONE    -- disable all
+ *       CIPHER_SET_DEFAULT -- set default ciphers
+ *       CIPHER_SET_ALLOW_WEAKCIPHER -- allow weak ciphers (can be or'ed with the ather CIPHER_SET flags)
  */  
 static void
 _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
 {
     int x;
     SECStatus rc;
-    PRBool setdefault = (flag == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE;
-    PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
+    PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);
+    PRBool enabled = CIPHER_SET_ISALL(flag);
+    PRBool allowweakcipher = CIPHER_SET_ALLOWSWEAKCIPHER(flag);
     PRBool setme = PR_FALSE;
     const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
 
@@ -361,8 +374,9 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
 
     for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
         if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
+            /* certainly, not the first time. */
             setme = PR_TRUE;
-        } else {
+        } else if (setdefault) {
             /* 
              * SSL_CipherPrefGetDefault
              * If the application has not previously set the default preference,
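Review bot: Turning the second branch into `else if (setdefault)` makes the first branch, `if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) { setme = PR_TRUE; }`, terminal for every flag value, so a cipher already flagged CIPHER_IS_DEFAULT is re-enabled even when `_conf_setallciphers` is called with CIPHER_SET_NONE, which `_conf_setciphers` uses to "disable all first" before applying an explicit list. Before the change the trailing `if (setdefault) ... else setme = PR_FALSE` (removed in the @@ -375,15 +389,16 @@ hunk) still turned such ciphers off in the NONE case. Whether this is reachable depends on CIPHER_IS_DEFAULT being set before a NONE call (by `_conf_init_ciphers`, or by an earlier default pass when the cipher list is applied again), which is not visible here; if it can be, guarding the first branch with `if (setdefault && (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT)) {` restores the old behaviour for NONE while leaving ALL and DEFAULT unchanged. The loop body continues past this hunk.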
@@ -375,15 +389,16 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
                     _conf_ciphers[x].name);
                 continue;
             }
-            if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+            if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
                 setme = PR_FALSE;
             }
             _conf_ciphers[x].flags |= setme?CIPHER_IS_DEFAULT:0;
-        }
-        if (setdefault) {
-            /* Use the NSS default settings */
         } else if (enabled && !(_conf_ciphers[x].flags & CIPHER_MUST_BE_DISABLED)) {
-            setme = PR_TRUE;
+            if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
+                setme = PR_FALSE;
+            } else {
+                setme = PR_TRUE;
+            }
         } else {
             setme = PR_FALSE;
         }
@@ -433,7 +448,7 @@ _conf_dumpciphers()
 }
 
 char *
-_conf_setciphers(char *ciphers)
+_conf_setciphers(char *ciphers, int flags)
 {
     char *t, err[MAGNUS_ERROR_LEN];
     int x, i, active;
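Review bot: The new `flags` parameter on `_conf_setciphers(char *ciphers, int flags)` is not documented at the definition, and since the function is not static any prototype elsewhere (none appears in the diff) needs the same change. A header comment such as `/* flags: CIPHER_SET_ALLOWWEAKCIPHER or 0; honoured only for ciphers the admin names explicitly, never for "default" or "+all" */` would record the contract that the `_conf_setallciphers` calls and the weak-cipher checks in the following hunks rely on. The function body continues past the hunk.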
@@ -445,7 +460,7 @@ _conf_setciphers(char *ciphers)
     /* #47838: harden the list of ciphers available by default */
     /* Default is to activate all of them ==> none of them*/
     if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
-        _conf_setallciphers(CIPHER_SET_DEFAULT, NULL, NULL);
+        _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
         slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
         _conf_dumpciphers();
         return NULL;
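Review bot: `CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)` ORs whatever remains in `flags` into the set selector; with the only visible caller passing either CIPHER_SET_ALLOWWEAKCIPHER or 0 this reduces to CIPHER_SET_DEFAULT, but should a caller ever pass a core bit in `flags` the result would be ALL|DEFAULT, which `CIPHER_SET_ISDEFAULT` and `CIPHER_SET_ISALL` both reject, and every cipher would end up disabled. Since the intent is "default set, weak ciphers never allowed", passing `CIPHER_SET_DEFAULT` alone here, and `CIPHER_SET_ALL` alone at the "+all" call in the @@ -458,11 +473,11 @@ hunk, states that directly and removes the dependency on the caller's bits. `_conf_setciphers` continues outside the hunk.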
@@ -458,11 +473,11 @@ _conf_setciphers(char *ciphers)
          * set of ciphers in the table. Right now there is no support for this
          * from the console
          */
-        _conf_setallciphers(CIPHER_SET_ALL, &suplist, NULL);
+        _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
     } else {
         /* If "+all" is not in nsSSL3Ciphers value, disable all first,
          * then enable specified ciphers. */
-        _conf_setallciphers(0 /* disabled */, NULL, NULL);
+        _conf_setallciphers(CIPHER_SET_NONE /* disabled */, NULL, NULL);
     }
 
     t = ciphers;
@@ -482,12 +497,28 @@ _conf_setciphers(char *ciphers)
         if( (t = strchr(ciphers, ',')) )
             *t++ = '\0';
 
-        if(strcasecmp(ciphers, "all")) { /* if not all */
+        if (strcasecmp(ciphers, "all")) { /* if not all */
             PRBool enabled = active ? PR_TRUE : PR_FALSE;
             lookup = 1;
-            for(x = 0; _conf_ciphers[x].name; x++) {
-                if(!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
+            for (x = 0; _conf_ciphers[x].name; x++) {
+                if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
+                    if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+                            slapd_SSL_warn("Cipher %s is weak.  It is enabled since allowWeakCipher is \"on\" "
+                                           "(default setting for the backward compatibility). "
+                                           "We strongly recommend to set it to \"off\".  "
+                                           "Please replace the value of allowWeakCipher with \"off\" in "
+                                           "the encryption config entry cn=encryption,cn=config and "
+                                           "restart the server.", ciphers);
+                        } else {
+                            /* if the cipher is weak and we don't allow weak cipher,
+                               disable it. */
+                            enabled = PR_FALSE;
+                        }
+                    }
                     if (enabled) {
+                        /* if the cipher is not weak or we allow weak cipher,
+                           check fips. */
                         enabled = cipher_check_fips(x, NULL, &unsuplist);
                     }
                     SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
@@ -499,14 +530,33 @@ _conf_setciphers(char *ciphers)
                 for (i = 0; _lookup_cipher[i].alias; i++) {
                     if (!PL_strcasecmp(ciphers, _lookup_cipher[i].alias)) {
                         if (!_lookup_cipher[i].name[0]) {
-                            slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d",
-                                           ciphers, NSS_VMAJOR, NSS_VMINOR);
-                            break;
+                            slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d.  Ignoring %s",
+                                           ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
+                            continue;
                         }
                         for (x = 0; _conf_ciphers[x].name; x++) {
                             if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
                                 if (enabled) {
-                                    enabled = cipher_check_fips(x, NULL, &unsuplist);
+                                    if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+                                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+                                            slapd_SSL_warn("Cipher %s is weak. "
+                                                           "It is enabled since allowWeakCipher is \"on\" "
+                                                           "(default setting for the backward compatibility). "
+                                                           "We strongly recommend to set it to \"off\".  "
+                                                           "Please replace the value of allowWeakCipher with \"off\" in "
+                                                           "the encryption config entry cn=encryption,cn=config and "
+                                                           "restart the server.", ciphers);
+                                        } else {
+                                            /* if the cipher is weak and we don't allow weak cipher,
+                                               disable it. */
+                                            enabled = PR_FALSE;
+                                        }
+                                    }
+                                    if (enabled) {
+                                        /* if the cipher is not weak or we allow weak cipher,
+                                           check fips. */
+                                        enabled = cipher_check_fips(x, NULL, &unsuplist);
+                                    }
                                 }
                                 SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
                                 break;
@@ -1008,6 +1058,7 @@ slapd_ssl_init()
     int rv = 0;
     PK11SlotInfo *slot;
     Slapi_Entry *entry = NULL;
+    int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
 
     /* Get general information */
 
@@ -1017,21 +1068,21 @@ slapd_ssl_init()
     ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
 
     /* We are currently using the value of sslSessionTimeout
-	   for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
+       for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
     /* Note from Tom Weinstein on the meaning of the timeout:
 
        Timeouts are in seconds.  '0' means use the default, which is
-	   24hrs for SSL3 and 100 seconds for SSL2.
+       24hrs for SSL3 and 100 seconds for SSL2.
     */
 
     if(!val) {
       errorCode = PR_GetError();
       slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
                      "configuration information ("
-					 SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
-		     		 "nssslSessionTimeout: %s ",
-		     		 errorCode, slapd_pr_strerror(errorCode),
-		     (val ? "found" : "not found"));
+                     SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
+                     "nssslSessionTimeout: %s ",
+                     errorCode, slapd_pr_strerror(errorCode),
+             (val ? "found" : "not found"));
       slapi_ch_free((void **) &val);
       slapi_ch_free((void **) &ciphers);
       freeConfigEntry( &entry );
@@ -1042,79 +1093,86 @@ slapd_ssl_init()
     slapi_ch_free((void **) &val);
 
     if (svrcore_setup()) {
-	freeConfigEntry( &entry );
-	return -1;
+        freeConfigEntry( &entry );
+        return -1;
     }
 
-    if((family_list = getChildren(configDN))) {
-		char **family;
-		char *token;
-		char *activation;
+    val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
+    if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
+        allowweakcipher = 0;
+    }
+    slapi_ch_free((void **) &val);
+ 
+    if ((family_list = getChildren(configDN))) {
+        char **family;
+        char *token;
+        char *activation;
 
-	for (family = family_list; *family; family++) {
+        for (family = family_list; *family; family++) {
 
-		token = NULL;
-		activation = NULL;
+            token = NULL;
+            activation = NULL;
 
-		freeConfigEntry( &entry );
+            freeConfigEntry( &entry );
 
- 		getConfigEntry( *family, &entry );
-		if ( entry == NULL ) {
-			continue;
-		}
+            getConfigEntry( *family, &entry );
+            if ( entry == NULL ) {
+                continue;
+            }
 
-		activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
-		if((!activation) || (!PL_strcasecmp(activation, "off"))) {
-			/* this family was turned off, goto next */
-			slapi_ch_free((void **) &activation);
-			continue;
-		}
+            activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
+            if((!activation) || (!PL_strcasecmp(activation, "off"))) {
+                /* this family was turned off, goto next */
+                slapi_ch_free((void **) &activation);
+                continue;
+            }
 
-		slapi_ch_free((void **) &activation);
-
-		token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
-                if( token ) {
-                        if( !PL_strcasecmp(token, "internal") ||
-                            !PL_strcasecmp(token, "internal (software)"))
-    				slot = slapd_pk11_getInternalKeySlot();
-     			else
-    				slot = slapd_pk11_findSlotByName(token);
-    		} else {
-		        errorCode = PR_GetError();
-      			slapd_SSL_warn("Security Initialization: Unable to get token ("
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
-				       errorCode, slapd_pr_strerror(errorCode));
-      			freeChildren(family_list);
-      			freeConfigEntry( &entry );
-      			return -1;
-		}
+            slapi_ch_free((void **) &activation);
 
-		slapi_ch_free((void **) &token);
+            token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
+            if ( token ) {
+                if (!PL_strcasecmp(token, "internal") ||
+                    !PL_strcasecmp(token, "internal (software)")) {
+                    slot = slapd_pk11_getInternalKeySlot();
+                } else {
+                    slot = slapd_pk11_findSlotByName(token);
+                }
+            } else {
+                errorCode = PR_GetError();
+                slapd_SSL_warn("Security Initialization: Unable to get token ("
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
+                       errorCode, slapd_pr_strerror(errorCode));
+                freeChildren(family_list);
+                freeConfigEntry( &entry );
+                return -1;
+            }
 
-		if (!slot) {
-		        errorCode = PR_GetError();
-      			slapd_SSL_warn("Security Initialization: Unable to find slot ("
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
-				       errorCode, slapd_pr_strerror(errorCode));
-      			freeChildren(family_list);
-      			freeConfigEntry( &entry );
-      			return -1;
-    		}
-    		/* authenticate */
-    		if(slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess)
-    		{
-		        errorCode = PR_GetError();
-      			slapd_SSL_warn("Security Initialization: Unable to authenticate ("
-				       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
-				       errorCode, slapd_pr_strerror(errorCode));
-      			freeChildren(family_list);
-      			freeConfigEntry( &entry );
-      			return -1;
-    		}
-    	}
-	freeChildren( family_list );
+            slapi_ch_free((void **) &token);
+
+            if (!slot) {
+                errorCode = PR_GetError();
+                slapd_SSL_warn("Security Initialization: Unable to find slot ("
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+                       errorCode, slapd_pr_strerror(errorCode));
+                freeChildren(family_list);
+                freeConfigEntry( &entry );
+                return -1;
+            }
+            /* authenticate */
+            if (slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
+                errorCode = PR_GetError();
+                slapd_SSL_warn("Security Initialization: Unable to authenticate ("
+                       SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+                       errorCode, slapd_pr_strerror(errorCode));
+                freeChildren(family_list);
+                freeConfigEntry( &entry );
+                return -1;
+            }
+        }
+        freeChildren( family_list );
+        freeConfigEntry( &entry );
     }
-	freeConfigEntry( &entry );
 
     /* ugaston- Cipher preferences must be set before any sslSocket is created
      * for such sockets to take preferences into account.
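Review bot: The `allowWeakCipher` parse after `val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");` recognises only off/false/0/no and silently treats every other value, including a misspelling such as "fasle", as "on", which is the less restrictive setting because `allowweakcipher` starts at CIPHER_SET_ALLOWWEAKCIPHER. An administrator who intended to disable weak ciphers gets no indication that the value was ignored; inserting `} else if (val && PL_strcasecmp(val, "on") && PL_strcasecmp(val, "true") && PL_strcmp(val, "1") && PL_strcasecmp(val, "yes")) {` / `slapd_SSL_warn("allowWeakCipher: unrecognized value \"%s\", weak ciphers remain allowed", val);` / `}` before the `slapi_ch_free` would surface it in the error log. The rest of the hunk is re-indentation, and `slapd_ssl_init` continues outside it.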
@@ -1126,13 +1184,13 @@ slapd_ssl_init()
          PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
     slapi_ch_free((void **) &ciphers);
 
-    if( NULL != (val = _conf_setciphers(cipher_string)) ) {
-         errorCode = PR_GetError();
-         slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
-			"preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
-			val, errorCode, slapd_pr_strerror(errorCode));
-         rv = 3;
-	slapi_ch_free((void **) &val);
+    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
+        errorCode = PR_GetError();
+        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
+            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
+            val, errorCode, slapd_pr_strerror(errorCode));
+        rv = 3;
+        slapi_ch_free((void **) &val);
     }
 
     freeConfigEntry( &entry );


commit 55e317f2a5d8fc488e7eeee6f2b4155298a45d25
Author: Ludwig Krispenz <lkrispen at redhat.com>
Date:   Wed Sep 10 13:22:06 2014 +0200

    fix for 47885 did not always return a response control
    
    reviewed by rich, thanks

diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 96d42e6..1bab0ab 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -591,14 +591,13 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
 }
 
-static int
+static void
 deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
 {
     char **retattrs = NULL;
     Slapi_PBlock *derefpb = NULL;
     Slapi_Entry **entries = NULL;
     int rc;
-    int needcontrol = 0;
 
 /*  If the access check on the attributes is done without retrieveing the entry
  *  it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -628,7 +627,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                              "The client does not have permission to read the requested "
                              "attributes in entry %s\n", derefdn);
                 } else {
-		    needcontrol = 1;
                     ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
                     for (ii = 0; retattrs[ii]; ++ii) {
                         Slapi_Value *sv;
@@ -704,7 +702,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
     slapi_pblock_destroy(derefpb);
     slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
 
-    return needcontrol;
 }
 
 static int
@@ -718,7 +715,6 @@ deref_pre_entry(Slapi_PBlock *pb)
     LDAPControl *ctrl = NULL;
     const LDAPControl **searchctrls = NULL;
     LDAPControl **newsearchctrls = NULL;
-    int needcontrol = 0;
 
     if (!speclist) {
         return 0; /* nothing to do */
@@ -762,25 +758,23 @@ deref_pre_entry(Slapi_PBlock *pb)
         for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
             const char *derefdn = slapi_value_get_string(sv);
 
-            needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr,  (const char **)spec->attrs);
+            deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr,  (const char **)spec->attrs);
         }
         deref_values_free(&results, &actual_type_name, buffer_flags);
     }
 
     ber_printf(ctrlber, "}"); /* end control val */
  
-    if (needcontrol) {
-        slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
-        /* get the list of controls */
-	slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
-        /* dup them */
-        slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
-        /* add our control */
-        slapi_add_control_ext(&newsearchctrls, ctrl, 0);
-        ctrl = NULL; /* newsearchctrls owns it now */
-        /* set the controls in the pblock */
-        slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
-    }
+    slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+    /* get the list of controls */
+    slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
+    /* dup them */
+    slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+    /* add our control */
+    slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+    ctrl = NULL; /* newsearchctrls owns it now */
+    /* set the controls in the pblock */
+    slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
     ber_free(ctrlber, 1);
 
     return 0;
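Review bot: The control is now attached unconditionally, which matches the commit's purpose, but the result of `slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);` is still ignored, so if building it fails `ctrl` may stay NULL and is then handed to `slapi_add_control_ext` and set as the search controls. Assuming it reports failure through its return value like the other slapi_* calls here, checking before touching the control list, `if (slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl) != 0 || !ctrl) {` / `ber_free(ctrlber, 1); return 0;` / `}`, preserves the previous "no control" outcome on failure instead of propagating a NULL control. The removed `needcontrol` guard was the only thing that prevented that path before.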



