ldap/servers/slapd/ssl.c | 73 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 61 insertions(+), 12 deletions(-)
New commits:
commit 63309e4c86bf30720b8213bd2f486cc19327be62
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Tue May 24 11:38:32 2011 -0600
Bug 707015 - Cannot disable SSLv3 and use TLS only
https://bugzilla.redhat.com/show_bug.cgi?id=707015
Resolves: bug 707015
Bug Description: Cannot disable SSLv3 and use TLS only
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: We had attributes in the cn=encryption,cn=config entry
for nsSSL2 and nsSSL3 but they were not being used. The way it works now
is this:
If the nsSSL3 attribute is not present and FIPS mode (as reported by
modutil -chkfips) is disabled, SSLv3 will be enabled.
If the nsSSL3 attribute is not present and FIPS mode is enabled,
SSLv3 will be disabled.
If FIPS is enabled, SSLv3 will be disabled. If the user set nsSSL3 to
"on" or boolean true, the server will print a warning message to the error
log and disable SSLv3.
If FIPS is disabled, and the nsSSL3 attribute is present, and the value
is "on" or a boolean value that evaluates to true, SSLv3 will be enabled.
If FIPS is disabled, and the nsSSL3 attribute is present, and the value
is "off" or a boolean value that evaluates to false, SSLv3 will be
disabled.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: Yes - will need to document this behavior
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index c1f8728..809a320 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -762,6 +762,10 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
int slapd_SSLclientAuth;
char* tmpDir;
Slapi_Entry *e = NULL;
+ PRBool enableSSL2 = PR_FALSE;
+ PRBool enableSSL3 = PR_TRUE;
+ PRBool enableTLS1 = PR_TRUE;
+ PRBool fipsMode = PR_FALSE;
/* turn off the PKCS11 pin interactive mode */
#ifndef _WIN32
@@ -811,6 +815,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
errorCode, slapd_pr_strerror(errorCode));
return -1;
}
+ fipsMode = PR_TRUE;
+ /* FIPS does not like to use SSLv3 */
+ enableSSL3 = PR_FALSE;
}
slapd_pk11_setSlotPWValues(slot, 0, 0);
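Review bot: The comment `/* FIPS does not like to use SSLv3 */` on the new `enableSSL3 = PR_FALSE;` line is vague about why the protocol is forced off, while the warning text added later in this same commit states the actual reason. I would write `/* SSLv3 is not approved for use in FIPS mode; force it off regardless of nsSSL3 */` so the next reader does not treat this as a preference that can be relaxed. The `if` whose body these lines sit in, and slapd_ssl_init2 itself, begin outside the hunk, so the condition that establishes FIPS mode cannot be checked from here.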
@@ -1003,23 +1010,16 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
return -1;
}
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, PR_TRUE);
- if (sslStatus != SECSuccess) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to enable SSLv3 "
- "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR "
error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- }
-
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, PR_TRUE);
+/* Explicitly disabling SSL2 - NGK */
+ sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL2, enableSSL2);
if (sslStatus != SECSuccess) {
errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to enable TLS "
+ slapd_SSL_warn("Security Initialization: Failed to %s SSLv2 "
"on the imported socket (" SLAPI_COMPONENT_NAME_NSPR "
error %d - %s)",
+ enableSSL2 ? "enable" : "disable",
errorCode, slapd_pr_strerror(errorCode));
+ return -1;
}
-/* Explicitly disabling SSL2 - NGK */
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL2, PR_FALSE);
/* Retrieve the SSL Client Authentication status from cn=config */
/* Set a default value if no value found */
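Review bot: The retained comment `/* Explicitly disabling SSL2 - NGK */` no longer matches the code under it, which now passes a variable `enableSSL2` and prints "enable"/"disable" as if SSLv2 were configurable, when the flag is hard-wired to PR_FALSE at its declaration and the nsSSL2 attribute the commit description mentions is never read. I would make the intent explicit: `/* SSLv2 is never enabled; nsSSL2 in cn=encryption,cn=config is deliberately ignored */`, so nobody later "fixes" this by honoring the attribute. Returning -1 when the setter fails is the right fail-closed choice here and is worth matching in the SSLv3/TLS setters added further down. slapd_ssl_init2 continues outside the hunk.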
@@ -1064,6 +1064,55 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
slapi_ch_free_string(&val);
}
+ if ( e != NULL ) {
+ val = slapi_entry_attr_get_charptr( e, "nsSSL3" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableSSL3 = PR_FALSE;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableSSL3 = PR_TRUE;
+ } else {
+ enableSSL3 = slapi_entry_attr_get_bool( e, "nsSSL3" );
+ }
+ if ( fipsMode && enableSSL3 ) {
+ slapd_SSL_warn("Security Initialization: FIPS mode is enabled and
"
+ "nsSSL3 explicitly set to on - SSLv3 is not approved
"
+ "for use in FIPS mode - SSLv3 will be disabled - if
"
+ "you want to use SSLv3, you must use modutil to
"
+ "disable FIPS in the internal token.\n");
+ enableSSL3 = PR_FALSE;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS1 = PR_FALSE;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS1 = PR_TRUE;
+ } else {
+ enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" );
+ }
+ }
+ slapi_ch_free_string( &val );
+ }
+ sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);
+ if (sslStatus != SECSuccess) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to %s SSLv3 "
+ "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR "
error %d - %s)",
+ enableSSL3 ? "enable" : "disable",
+ errorCode, slapd_pr_strerror(errorCode));
+ }
+
+ sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1);
+ if (sslStatus != SECSuccess) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to %s TLSv1 "
+ "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR "
error %d - %s)",
+ enableTLS1 ? "enable" : "disable",
+ errorCode, slapd_pr_strerror(errorCode));
+ }
freeConfigEntry( &e );
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF )
{
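Review bot: The new nsSSL3/nsTLS1 handling lets an administrator turn both off, and nothing between the parsing block and the `SSL_OptionSet` calls catches that: both flags are passed as false, neither warning fires, and every TLS handshake will then fail at runtime with nothing in the error log to explain why. Relatedly, a failed `SSL_OptionSet` for SSLv3 or TLS is only warned about, whereas the SSLv2 setter earlier in this function now returns -1; if disabling SSLv3 fails while FIPS mode or `nsSSL3: off` requires it off, the server keeps running with a protocol the configuration says must be disabled, so these branches should fail closed too. I would add an explicit both-off check before the setters and return -1 on setter failure, as sketched below. Values other than "on"/"off" fall through to `slapi_entry_attr_get_bool`, whose handling of unrecognized strings is not visible here, so a warning for unparseable values may also be worth adding. Note that with the attribute absent and FIPS off, SSLv3 stays enabled by default, which matches the description but means TLS-only deployments must set `nsSSL3: off` explicitly.

```c
    /* … unchanged: nsSSL3 / nsTLS1 parsing … */
    if ( !enableSSL3 && !enableTLS1 ) {
        slapd_SSL_warn("Security Initialization: nsSSL3 and nsTLS1 are both off - "
                       "no SSL/TLS protocol version would be enabled; refusing to "
                       "initialize the secure listener.\n");
        freeConfigEntry( &e );
        return -1;
    }
    sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);
    if (sslStatus != SECSuccess) {
        /* … unchanged: SSLv3 warning … */
        freeConfigEntry( &e );
        return -1;
    }

    sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1);
    if (sslStatus != SECSuccess) {
        /* … unchanged: TLSv1 warning … */
        freeConfigEntry( &e );
        return -1;
    }
```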