[389-devel] Please review (take 5): [389 Project] #47945: Add SSL/TLS version info to the access log
Noriko Hosoi
nhosoi at redhat.com
Mon Nov 10 22:15:09 UTC 2014
https://fedorahosted.org/389/ticket/47945
https://fedorahosted.org/389/attachment/ticket/47945/0001-Ticket-47945-Add-SSL-TLS-version-info-to-the-access-.5.patch
git patch file (master) -- applied the change in comment:11
<https://fedorahosted.org/389/ticket/47945#comment:11> by Rich. Thank you!!
Once approved, I'm going to attach the code slapi_getSSLVersion_str to
this bug...
*Bug 1161807* <https://bugzilla.redhat.com/show_bug.cgi?id=1161807> - [RFE] API to convert SSL version number to SSL version string
--noriko
On 11/10/2014 01:10 PM, 389 Project wrote:
> #47945: Add SSL/TLS version info to the access log
> -------------------------------------------------+-------------------------
>   Reporter: nhosoi                                |         Owner: nhosoi
>       Type: defect                                |        Status: accepted
>   Priority: major                                 |     Milestone: 1.3.3 backlog
>  Component: Directory Server                      |       Version: 1.3.0
> Resolution:                                       |      Keywords:
> Blocked By:                                       |      Blocking:
>     Review: review?                               | Ticket origin: Community
> Red Hat Bugzilla: [https://bugzilla.redhat.com/show_bug.cgi?id=1153737 1153737]
> -------------------------------------------------+-------------------------
>
> Comment (by rmeggins):
>
> Thanks. Almost there
> {{{
> if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
> ...
> }}}
> This will only work for TLSv1.x. I would like to see support for TLSv2.x
> and later, something like this:
> {{{
> if (vnum >= SSL_LIBRARY_VERSION_3_0) {
>     if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
>         if (buf && bufsize) {
>             PR_snprintf(buf, bufsize, "SSL3");
>         } else {
>             vstr = slapi_ch_smprintf("SSL3");
>         }
>     } else { /* TLS v X.Y */
>         const char *TLSFMT = "TLS%d.%d";
>         int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
>
>         if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
>             minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
>         }
>         if (buf && bufsize) {
>             PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>         } else {
>             vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>         }
>     }
> } else { /* SSL2 or unknown */
>     ...
> }
> }}}
> That way, if vnum > SSL_LIBRARY_VERSION_3_0 (e.g. vnum == 0x0400 e.g. TLS
> v2.0) our code will support it with no changes.
>