ldap/schema/01core389.ldif | 5 ++- ldap/servers/slapd/ssl.c | 71 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 65 insertions(+), 11 deletions(-)
New commits: commit 6111400a7b21785823e16b1071fc29bc21542213 Author: Noriko Hosoi nhosoi@redhat.com Date: Tue May 10 14:41:10 2016 -0700
Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base
Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch is adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config so that the definition of nsTLS1 remains intact if the new parameters are not specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config entry, nsTLS1 is ignored and the new parameters are added.
Default values: nsTLS1: on nsTLS10,nsTLS11,nsTLS12: ignored
Examples: cn=encryption,cn=config [no SSL version settings] ==> sslVersionMin: TLS1.0
cn=encryption,cn=config nsTLS1: on ==> sslVersionMin: TLS1.0
cn=encryption,cn=config nsTLS1: on | off nsTLS10: on ==> sslVersionMin: TLS1.0 ==> Note: nsTLS1 is ignored.
cn=encryption,cn=config nsTLS11: on ==> sslVersionMin: TLS1.1
cn=encryption,cn=config nsTLS12: on ==> sslVersionMin: TLS1.2
Special cases: If all SSL version config parameters are off, SSL fails to configure. cn=encryption,cn=config nsTLS10: off nsTLS11: off nsTLS12: off nsTLS1: off ==> SSL configuration fails. ==> Note: nsSSL3 is off by default.
cn=encryption,cn=config nsTLS10: on nsTLS12: off ==> sslVersionMin: TLS1.0 ==> Note: nsTLS12 is ignored. Even if off is set to the higher SSL version as in this example, it is not used as sslVersionMax, but it is ignored.
https://fedorahosted.org/389/ticket/48816
Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!! Final review was made by wibrown@redhat.com (Thank you, William!!)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 8f366a8..4ae6967 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut
 attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
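Review bot: The three new attributeTypes are declared multi-valued (no SINGLE-VALUE) with the placeholder DESC copied from their neighbours, while the reader added to ssl.c in this same commit fetches one value per attribute with slapi_entry_attr_get_charptr, so an entry carrying both `nsTLS10: on` and `nsTLS10: off` passes schema checking and is resolved by whichever value that helper happens to return first (presumably the first stored; verify). Since these attributes now decide the minimum protocol version the server will negotiate, I would make the schema reject that ambiguity and say what the knob does, e.g. `attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Enable TLS 1.0 as the minimum protocol version (on/off)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape' )`, and likewise for nsTLS11 and nsTLS12. The pre-existing nsTLS1 line has the same gap but is not touched by this change.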
@@ -171,5 +174,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index fcf7ba9..54ba16a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
     Slapi_Entry *e = NULL;
     PRBool enableSSL2 = PR_FALSE;
     PRBool enableSSL3 = PR_FALSE;
+    int enableTLS10 = -1;
+    int enableTLS11 = -1;
+    int enableTLS12 = -1;
     PRBool enableTLS1 = PR_TRUE;
     PRBool fipsMode = PR_FALSE;
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
@@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
             }
         }
         slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS10" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS10 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS10 = 1;
+            } else {
+                enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS11" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS11 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS11 = 1;
+            } else {
+                enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS12" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS12 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS12 = 1;
+            } else {
+                enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
         val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
         if ( val ) {
             if ( !strcasecmp( val, "off" ) ) {
@@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
     if (NSSVersionMin > 0) {
         char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+        NSSVersionMax = enabledNSSVersions.max;
         /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
-        if (enableTLS1) {
+        if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
+            if (enableTLS10 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+            } else if (enableTLS11 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
+            } else if (enableTLS12 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
+            } else if (enableTLS1) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+            } else if (enableSSL3) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+                NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
+            } else {
+                slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+                                "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+                return 0;
+            }
+        } else if (enableTLS1) {
             NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
-        } else {
+        } else if (enableSSL3) {
             NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
             NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
-        }
-        if (enableSSL3) {
-            NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
-        } else if (!enableTLS1) {
-            slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1.");
-            NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
-            NSSVersionMax = enabledNSSVersions.max;
+        } else {
+            slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+                            "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+            return 0;
         }
         slapdNSSVersions.min = NSSVersionMin;
         slapdNSSVersions.max = NSSVersionMax;
         (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
         (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
-        slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
+        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
                         "Configured SSL version range: min: %s, max: %s\n",
                         mymin, mymax);
         sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
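Review bot: An entry containing only `nsTLS10: off` — the one line an administrator would write to disable TLS 1.0, which is the stated purpose of this ticket — still ends up with min = TLS 1.0: the outer `(enableTLS10 >= 0)` test selects the new chain, none of the `> 0` branches match, and the chain falls through to `else if (enableTLS1)`, which is true by default (`PRBool enableTLS1 = PR_TRUE` in the first hunk of this file). The commit message says nsTLS1 is ignored when the new parameters appear, but the code only ignores it when one of them is "on", so an explicit off on the lowest version is overridden by a default. I would step to the lowest version not explicitly turned off before consulting enableTLS1, leaving the documented all-three-off case to fall through to the nsTLS1/nsSSL3/error path unchanged. slapd_ssl_init2 starts and ends outside this hunk.
```c
            } else if (enableTLS12 > 0) {
                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
            } else if ((enableTLS10 == 0) && ((enableTLS11 != 0) || (enableTLS12 != 0))) {
                /* nsTLS10 is explicitly off and nothing higher is explicitly on:
                 * honour the off instead of falling back to the nsTLS1 default. */
                NSSVersionMin = (enableTLS11 == 0) ? SSL_LIBRARY_VERSION_TLS_1_2
                                                   : SSL_LIBRARY_VERSION_TLS_1_1;
            } else if (enableTLS1) {
                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
            /* … unchanged: nsSSL3 fallback, all-off error, range logging and SSL_VersionRangeSet … */
```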