[389-devel] Please review (take 5): [389 Project] #47945: Add SSL/TLS version info to the access log

Noriko Hosoi nhosoi at redhat.com
Mon Nov 10 22:15:09 UTC 2014


https://fedorahosted.org/389/ticket/47945

https://fedorahosted.org/389/attachment/ticket/47945/0001-Ticket-47945-Add-SSL-TLS-version-info-to-the-access-.5.patch
git patch file (master) -- applied the change in comment:11 
<https://fedorahosted.org/389/ticket/47945#comment:11> by Rich.  Thank you!!

Once approved, I'm going to attach the code slapi_getSSLVersion_str to 
this bug...
*Bug 1161807* <https://bugzilla.redhat.com/show_bug.cgi?id=1161807> 
-[RFE] API to convert SSL version number to SSL version string

--noriko


On 11/10/2014 01:10 PM, 389 Project wrote:
> #47945: Add SSL/TLS version info to the access log
> --------------------------------------------------------------------------
>          Reporter:  nhosoi
>             Owner:  nhosoi
>              Type:  defect
>            Status:  accepted
>          Priority:  major
>         Component:  Directory Server
>         Milestone:  1.3.3 backlog
>        Resolution:
>        Blocked By:
>           Version:  1.3.0
>            Review:  review?
>          Keywords:
>          Blocking:
>  Red Hat Bugzilla:  [https://bugzilla.redhat.com/show_bug.cgi?id=1153737 1153737]
>     Ticket origin:  Community
> --------------------------------------------------------------------------
>
> Comment (by rmeggins):
>
>   Thanks.  Almost there
>   {{{
>       if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
>       ...
>   }}}
>   This will only work for TLSv1.x.  I would like to see support for TLSv2.x
>   and later, something like this:
>   {{{
>       if (vnum >= SSL_LIBRARY_VERSION_3_0) {
>           if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
>               if (buf && bufsize) {
>                   PR_snprintf(buf, bufsize, "SSL3");
>               } else {
>                   vstr = slapi_ch_smprintf("SSL3");
>               }
>           } else { /* TLS v X.Y */
>               const char *TLSFMT = "TLS%d.%d";
>               int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
>
>               if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
>                   minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
>               }
>               if (buf && bufsize) {
>                   PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>               } else {
>                   vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>               }
>           }
>       } else { /* SSL2 or unknown */
>           ...
>       }
>   }}}
>   That way, if vnum > SSL_LIBRARY_VERSION_3_0 (e.g. vnum == 0x0400 e.g. TLS
>   v2.0) our code will support it with no changes.
>
