ldap/servers/slapd/auth.c | 115 +++++++++++----------- ldap/servers/slapd/fedse.c | 17 ++- ldap/servers/slapd/slapi-private.h | 19 +++ ldap/servers/slapd/ssl.c | 192 +++++++++++++++++++++++++++++++++---- 4 files changed, 270 insertions(+), 73 deletions(-)
New commits: commit 8550aaf90870e75b78bb6f393f9fd4aedb68d612 Author: Noriko Hosoi nhosoi@redhat.com Date: Wed Jan 7 12:58:32 2015 -0800
Ticket #47880 - provide enabled ciphers as search result
Description: Implemented getEnabledCiphers, with which ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers returns enabled cipher list. Example of returned enabled cipher dn: cn=encryption,cn=config nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128 nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
Back-ported commit c675243e018a89291760161998944c04ea04b12f
https://fedorahosted.org/389/ticket/47880
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c index f8c95ce..6a8b6e6 100644 --- a/ldap/servers/slapd/fedse.c +++ b/ldap/servers/slapd/fedse.c @@ -75,6 +75,7 @@ #endif /* _WIN32 */
extern char ** getSupportedCiphers(); +extern char ** getEnabledCiphers();
/* Note: These DNs are no need to be normalized */ static const char *internal_entries[] = @@ -1693,11 +1694,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter struct berval *vals[2]; struct berval val; char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */ + char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */ vals[0] = &val; vals[1] = NULL;
attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers"); - while (*cipherList) /* iterarate thru each of them and add to the attr value */ + while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */ { char *cipher = *cipherList; val.bv_val = (char* ) cipher; @@ -1706,6 +1708,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter cipherList++; }
+ attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers"); + while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */ + { + char *cipher = *enabledCipherList; + val.bv_val = (char* ) cipher; + val.bv_len = strlen ( val.bv_val ); + attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals); + enabledCipherList++; + } + return SLAPI_DSE_CALLBACK_OK; }
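Review bot: The new nsSSLEnabledCiphers loop is a line-for-line copy of the nsSSLSupportedCiphers loop above it, down to the `iterarate` typo in the comment; both fill the same `vals`/`val` pair, so a small static helper taking the attribute name and the string list would remove the duplication and make a third attribute trivial to add. One behavioural caveat worth a comment: `getEnabledCiphers()` returns NULL until the SSL listener is initialised, so a search before that point simply omits nsSSLEnabledCiphers, which an operator may misread as "no ciphers enabled". search_encryption starts outside the hunk.
```c
/* Replace entry's values of attr with the strings in list (list may be NULL). */
static void
add_cipher_values(Slapi_Entry *entry, char *attr, char **list)
{
    struct berval val;
    struct berval *vals[2] = { &val, NULL };

    attrlist_delete(&entry->e_attrs, attr);
    for (; list && *list; list++) {
        val.bv_val = *list;
        val.bv_len = strlen(val.bv_val);
        attrlist_merge(&entry->e_attrs, attr, vals);
    }
}
/* … in search_encryption, replacing both loops … */
    add_cipher_values(entry, "nsSSLSupportedCiphers", getSupportedCiphers());
    /* NULL (attribute omitted) until the SSL listener has been initialized. */
    add_cipher_values(entry, "nsSSLEnabledCiphers", getEnabledCiphers());
```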
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 23fa620..c30ebd6 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -128,6 +128,7 @@ static char * configDN = "cn=encryption,cn=config";
static char **cipher_names = NULL; +static char **enabled_cipher_names = NULL; typedef struct { char *version; char *name; @@ -220,7 +221,8 @@ slapd_SSL_warn(char *fmt, ...) va_end(args); }
-char ** getSupportedCiphers() +char ** +getSupportedCiphers() { SSLCipherSuiteInfo info; char *sep = "::"; @@ -242,6 +244,44 @@ char ** getSupportedCiphers() return cipher_names; }
+char **
+getEnabledCiphers()
+{
+ SSLCipherSuiteInfo info;
+ char *sep = "::";
+ int number_of_ciphers = 0;
+ int x;
+ int idx = 0;
+ PRBool enabled;
+
+ /* We have to wait until the SSL initialization is done. */
+ if (!slapd_ssl_listener_is_initialized()) {
+ return NULL;
+ }
+ if ((enabled_cipher_names == NULL)) {
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ number_of_ciphers++;
+ }
+ }
+ enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+ enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+ _conf_ciphers[x].name,sep,
+ info.symCipherName,sep,
+ info.macAlgorithmName,sep,
+ info.symKeyBits);
+ }
+ }
+ }
+
+ return enabled_cipher_names;
+}
+
 static PRBool
 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
 {
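Review bot: `enabled` is never initialised and the status of `SSL_CipherPrefGetDefault` is discarded in both loops, so for any table entry whose `num` NSS rejects the first pass reads an indeterminate value and the second pass reads the last value left by the first; if the two passes disagree, the second writes past the `number_of_ciphers + 1` slots that were allocated. Test the status instead: `if (SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled) == SECSuccess && enabled)` in both loops, and `if (SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info)) != SECSuccess) continue;` before the `PR_smprintf`, so a suite with no info is skipped rather than formatted from a stale `info`. The result is also computed once and cached for the lifetime of the process, and the lazy fill happens from a search callback with no lock, so two concurrent first searches could presumably both allocate it; a comment stating that the list reflects the preferences at first use would help either way.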
commit d62b281480c4c17438a6541c150bdb1e80abf14f Author: Noriko Hosoi nhosoi@redhat.com Date: Wed Jan 7 11:35:32 2015 -0800
Ticket #47945 - Add SSL/TLS version info to the access log
Description: Added the currently used SSL library version info per connection to the access log. Sample output: SSL [..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1 [..] conn=3 TLS1.2 128-bit AES-GCM
startTLS [..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [..] conn=4 TLS1.2 128-bit AES-GCM
To convert the SSL version number to a string (e.g., SSL_LIBRARY_VERSION_TLS_1_2 --> "TLS1.2"), instead of maintaining a mapping table, this patch computes the major/minor numbers from the version value and generates the version string.
Back-ported commit a2e0de3aa90f04593427628afeb7fe090dac93fb
https://fedorahosted.org/389/ticket/47945
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c index 4976406..73f6c0e 100644 --- a/ldap/servers/slapd/auth.c +++ b/ldap/servers/slapd/auth.c @@ -433,6 +433,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) SSLChannelInfo channelInfo; SSLCipherSuiteInfo cipherInfo; char* subject = NULL; + char sslversion[64];
if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) { PRErrorCode errorCode = PR_GetError(); @@ -465,59 +466,63 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) } }
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion)); if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) { - slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n", - conn->c_connid, keySize, cipher ? cipher : "NULL" ); + slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL" ); goto done; - } + } if (clientCert == NULL) { - slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n", - conn->c_connid, keySize, cipher ? cipher : "NULL" ); + slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL" ); } else { - subject = subject_of (clientCert); - if (!subject) { - slapi_log_access( LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n", - conn->c_connid, keySize, cipher ? cipher : "NULL"); - goto done; - } - { - char* issuer = issuer_of (clientCert); - char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ]; - slapi_log_access( LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n", - conn->c_connid, keySize, cipher ? cipher : "NULL", - subject ? escape_string( subject, sbuf ) : "NULL", - issuer ? 
escape_string( issuer, ibuf ) : "NULL"); - if (issuer) free (issuer); - } - slapi_dn_normalize (subject); - { - LDAPMessage* chain = NULL; - char *basedn = config_get_basedn(); - int err; - - err = ldapu_cert_to_ldap_entry - (clientCert, internal_ld, basedn?basedn:""/*baseDN*/, &chain); - if (err == LDAPU_SUCCESS && chain) { - LDAPMessage* entry = slapu_first_entry (internal_ld, chain); - if (entry) { - /* clientDN is duplicated in slapu_get_dn */ - clientDN = slapu_get_dn (internal_ld, entry); - } else { - - extraErrorMsg = "no entry"; - LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %s\n", - extraErrorMsg, 0, 0); - } - } else { - extraErrorMsg = ldapu_err2string(err); - LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %i (%s)%s\n", - err, extraErrorMsg, chain ? "" : " NULL"); - } - slapi_ch_free_string(&basedn); - slapu_msgfree (internal_ld, chain); - } + subject = subject_of (clientCert); + if (!subject) { + slapi_log_access( LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL"); + goto done; + } + { + char* issuer = issuer_of (clientCert); + char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ]; + slapi_log_access( LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n", + (long long unsigned int)conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL", + subject ? escape_string( subject, sbuf ) : "NULL", + issuer ? 
escape_string( issuer, ibuf ) : "NULL"); + if (issuer) free (issuer); + } + slapi_dn_normalize (subject); + { + LDAPMessage* chain = NULL; + char *basedn = config_get_basedn(); + int err; + + err = ldapu_cert_to_ldap_entry + (clientCert, internal_ld, basedn?basedn:""/*baseDN*/, &chain); + if (err == LDAPU_SUCCESS && chain) { + LDAPMessage* entry = slapu_first_entry (internal_ld, chain); + if (entry) { + /* clientDN is duplicated in slapu_get_dn */ + clientDN = slapu_get_dn (internal_ld, entry); + } else { + extraErrorMsg = "no entry"; + LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %s\n", + extraErrorMsg, 0, 0); + } + } else { + extraErrorMsg = ldapu_err2string(err); + LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %i (%s)%s\n", + err, extraErrorMsg, chain ? "" : " NULL"); + } + slapi_ch_free_string(&basedn); + slapu_msgfree (internal_ld, chain); + } }
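Review bot: The call to `slapi_getSSLVersion_str` at the top of this hunk is unconditional, while the only definition of that function (ssl.c, third commit in this series) is compiled under `#if !defined(NSS_TLS10)`, so a build against NSS older than 3.14 would fail to link as far as I can tell; either ssl.c needs an unguarded fallback or the call needs the same guard. The `char sslversion[64]` declared in the preceding hunk also hard-codes the size that ssl.c names `VERSION_STR_LENGTH`; exposing that macro in slapi-private.h next to the prototype and writing `char sslversion[VERSION_STR_LENGTH];` keeps the two from drifting. The bulk of this hunk is re-indentation of the client-cert mapping block with the `(long long unsigned int)` casts added, which I have not re-reviewed. handle_handshake_done starts and ends outside the hunk.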
if (clientDN != NULL) { @@ -525,14 +530,16 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) sdn = slapi_sdn_new_dn_passin(clientDN); clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn)); slapi_sdn_free(&sdn); - slapi_log_access (LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL client bound as %s\n", - conn->c_connid, clientDN); + slapi_log_access (LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " %s client bound as %s\n", + (long long unsigned int)conn->c_connid, + sslversion, clientDN); } else if (clientCert != NULL) { slapi_log_access (LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " SSL failed to map client " + "conn=%" NSPRIu64 " %s failed to map client " "certificate to LDAP DN (%s)\n", - conn->c_connid, extraErrorMsg ); + (long long unsigned int)conn->c_connid, + sslversion, extraErrorMsg); }
/* diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h index 8507f47..18f0e94 100644 --- a/ldap/servers/slapd/slapi-private.h +++ b/ldap/servers/slapd/slapi-private.h @@ -1278,6 +1278,25 @@ void modify_update_last_modified_attr(Slapi_PBlock *pb, Slapi_Mods *smods); /* add.c */ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
+/* ssl.c */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+/* vnum is supposed to be in one of the following:
+ * nss3/sslproto.h
+ * #define SSL_LIBRARY_VERSION_2 0x0002
+ * #define SSL_LIBRARY_VERSION_3_0 0x0300
+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
+ * ...
+ */
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
+
 #ifdef __cplusplus
 }
 #endif
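Review bot: The prototype is declared unconditionally, but the definition in ssl.c is wrapped in `#if !defined(NSS_TLS10)`, so on NSS older than 3.14 every caller compiles and then fails at link time; the header should carry the same condition or ssl.c should provide a fallback outside the guard. The comment also says the caller must free the string without saying how: the allocating branch uses `slapi_ch_smprintf`, so the matching release is `slapi_ch_free_string(&vstr)`, and a bare `free()` would presumably be wrong if the slapi allocator is not plain malloc. Suggested wording for that sentence: `* In the latter case the string comes from slapi_ch_smprintf() and the caller must release it with slapi_ch_free_string().`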
commit 17fc03cf1101135b99234f17efd3eb746626be1a Author: Noriko Hosoi nhosoi@redhat.com Date: Tue Jan 6 16:23:35 2015 -0800
Ticket #47928 - Disable SSL v3, by default [389-ds-base-1.2.11 only]
Description: [fedse.c] By default, nsSSL3 is set to off and nsTLS1 is on in cn=encryption,cn=config. [ssl.c] Back-ported SSLVersionRange from the master branch, but without the new range parameters in the config. If nsSSL3 is explicitly set to on, SSL_LIBRARY_VERSION_3_0 is used as the minimum SSL version; otherwise, SSL_LIBRARY_VERSION_TLS_1_0 becomes the minimum version. The highest version available in NSS is used as the maximum SSL version.
On this version, there is no way to disable TLS1.0 and enable TLS1.1 and newer. If nsTLS1 is on, all TLS1.X are enabled.
Note: This patch covers Ticket #605 - support TLS 1.1, as well.
https://fedorahosted.org/389/ticket/47928
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c index dbfba16..f8c95ce 100644 --- a/ldap/servers/slapd/fedse.c +++ b/ldap/servers/slapd/fedse.c @@ -107,7 +107,8 @@ static const char *internal_entries[] = "nsSSLSessionTimeout:0\n" "nsSSLClientAuth:allowed\n" "nsSSL2:off\n" - "nsSSL3:off\n", + "nsSSL3:off\n" + "nsTLS1:on\n",
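Review bot: This default only seeds a freshly generated cn=encryption,cn=config entry; an instance whose dse.ldif already carries `nsSSL3: on` keeps SSLv3 enabled after the upgrade, and one that has no nsSSL3 attribute at all depends on the ssl.c side now defaulting `enableSSL3` to `PR_FALSE`. That is fine, but worth stating in the ticket or a release note so operators know to check existing configs, and the hard-coded entry would benefit from a one-line comment such as `/* SSLv3 is off unless explicitly enabled; nsTLS1 on enables every TLS1.x NSS supports */` next to the two lines.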
"dn:cn=monitor\n" "objectclass:top\n" diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index bbadf93..23fa620 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -79,6 +79,24 @@ #define MAXPATHLEN 1024 #endif
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 315
+/* TLS1.2 is defined in RFC5246. */
+#define NSS_TLS12 1
+#elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314
+/* TLS1.1 is defined in RFC4346. */
+#define NSS_TLS11 1
+#else
+#define NSS_TLS10 1
+#endif
+
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
+static SSLVersionRange enabledNSSVersions;
+static SSLVersionRange slapdNSSVersions;
+#endif
+
+/* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
+#define VERSION_STR_LENGTH 64
+
 extern char* slapd_SSL3ciphers;
 extern symbol_t supported_ciphers[];
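Review bot: The NSS_TLS1x names describe the protocol that NSS release introduced, but every later use tests a feature: `!defined(NSS_TLS10)` means "SSL_VersionRangeSet/GetSupported exist" (NSS 3.14) and `defined(NSS_TLS12)` means "the GCM suites exist" (NSS 3.15), which the reader has to reconstruct each time. A comment above the block saying so, e.g. `/* NSS_TLS11+: SSL_VersionRange* API available; NSS_TLS12: AES-GCM suites available */`, would make the later guards self-explanatory. `VERSION_STR_LENGTH` is also defined here privately while auth.c in the same series sizes its buffer with a literal 64; it belongs in slapi-private.h beside the prototype it sizes buffers for.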
@@ -165,6 +183,12 @@ static cipherstruct _conf_ciphers[] = {
 /*{"TLS","tls_dhe_dss_1024_des_sha", TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA}, */
 {"TLS","tls_dhe_dss_1024_rc4_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
 {"TLS","tls_dhe_dss_rc4_128_sha", TLS_DHE_DSS_WITH_RC4_128_SHA},
+#if defined(NSS_TLS12)
+ /* New in NSS 3.15 */
+ {"tls_rsa_aes_128_gcm_sha", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+ {"tls_dhe_rsa_aes_128_gcm_sha", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},
+ {"tls_dhe_dss_aes_128_gcm_sha", NULL}, /* not available */
+#endif
 {NULL, NULL, 0}
 };
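Review bot: The three new initialisers do not match the three-field `cipherstruct` (`version`, `name`, `num`) that every other row of this table uses: `"tls_rsa_aes_128_gcm_sha"` lands in `version`, the quoted string `"TLS_RSA_WITH_AES_128_GCM_SHA256"` becomes the config `name`, and `num` is left 0, so neither GCM suite can be selected by its intended name and getEnabledCiphers will query NSS for suite 0 on their behalf. The third row sets `name` to NULL, which is the sentinel the `_conf_ciphers[x].name` loops stop on, so it only avoids truncating the table because it happens to be last. Presumably the master branch's table has a two-field layout and the backport kept its shape; here the rows should read `{"TLS","tls_rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256},` and `{"TLS","tls_dhe_rsa_aes_128_gcm_sha", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},`, with the unavailable DHE-DSS entry left out rather than stubbed with NULL.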
@@ -524,6 +548,54 @@ warn_if_no_key_file(const char *dir, int no_log) return ret; }
+#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+char *
+slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize)
+{
+ char *vstr = buf;
+ if (vnum >= SSL_LIBRARY_VERSION_3_0) {
+ if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL3");
+ } else {
+ vstr = slapi_ch_smprintf("SSL3");
+ }
+ } else { /* TLS v X.Y */
+ const char *TLSFMT = "TLS%d.%d";
+ int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
+
+ if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
+ minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
+ }
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
+ } else {
+ vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
+ }
+ }
+ } else if (vnum == SSL_LIBRARY_VERSION_2) { /* SSL2 */
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "SSL2");
+ } else {
+ vstr = slapi_ch_smprintf("SSL2");
+ }
+ } else {
+ if (buf && bufsize) {
+ PR_snprintf(buf, bufsize, "Unknown SSL version: 0x%x", vnum);
+ } else {
+ vstr = slapi_ch_smprintf("Unknown SSL version: 0x%x", vnum);
+ }
+ }
+ return vstr;
+}
+#endif
+
 /*
 * slapd_nss_init() is always called from main(), even if we do not
 * plan to listen on a secure port. If config_available is 0, the 
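Review bot: `(vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0` is a bit-mask test, not the "major byte is 3" test the comments describe: it holds for any major byte with its low two bits set (0x03, 0x07, 0x0b, …), so the 0x04xx example in the comment would get no offset but a 0x07xx value would be offset again and could even print a negative minor. `if ((vnum >> 8) == 3)` states the intent directly; every value NSS defines today is 0x03xx, so this is latent rather than live. Since this is the only definition and it sits under `#if !defined(NSS_TLS10)`, a minimal unguarded fallback that formats `"Unknown SSL version: 0x%x"` would keep unconditional callers linkable on older NSS. A one-line header comment noting that `buf` is returned whenever `buf` and `bufsize` are non-zero, and heap memory only otherwise, would make the ownership rule visible at the definition too.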
@@ -548,6 +620,17 @@ slapd_nss_init(int init_ssl, int config_available) char *certdb_file_name = NULL; char *keydb_file_name = NULL; char *secmoddb_file_name = NULL; +#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ + char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; + /* Get the range of the supported SSL version */ + SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); + + (void) slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); + (void) slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); + slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization", + "supported range by NSS: min: %s, max: %s\n", + emin, emax); +#endif
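Review bot: The status of `SSL_VersionRangeGetSupported` is ignored; if it fails, `enabledNSSVersions` keeps its static zero initialisation, this hunk logs "Unknown SSL version: 0x0" for both ends, and slapd_ssl_init2 later seeds `NSSVersionMax` from that zero and fails `SSL_VersionRangeSet` with a less helpful message. A check at the point of failure is cheap: `if (SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions) != SECSuccess) { slapd_SSL_warn("Security Initialization: Failed to get the supported SSL version range"); }`. The `SLAPI_LOG_CONFIG` level for the supported range is appropriate, but the "Configured" range logged later uses `SLAPI_LOG_FATAL`; the two should agree. slapd_nss_init starts and ends outside the hunk.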
/* set in slapd_bootstrap_config, thus certdir is available even if config_available is false */ @@ -879,9 +962,13 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS) char* tmpDir; Slapi_Entry *e = NULL; PRBool enableSSL2 = PR_FALSE; - PRBool enableSSL3 = PR_TRUE; + PRBool enableSSL3 = PR_FALSE; PRBool enableTLS1 = PR_TRUE; PRBool fipsMode = PR_FALSE; +#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ + PRUint16 NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; + PRUint16 NSSVersionMax = enabledNSSVersions.max; +#endif
/* turn off the PKCS11 pin interactive mode */ #ifndef _WIN32 @@ -1226,23 +1313,54 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS) } slapi_ch_free_string( &val ); } - sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3); - if (sslStatus != SECSuccess) { - errorCode = PR_GetError(); - slapd_SSL_warn("Security Initialization: Failed to %s SSLv3 " - "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - enableSSL3 ? "enable" : "disable", - errorCode, slapd_pr_strerror(errorCode)); - } +#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ + if (NSSVersionMin > 0) { + char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; + /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */ + if (enableTLS1) { + NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; + } + if (enableSSL3) { + NSSVersionMin = SSL_LIBRARY_VERSION_3_0; + } + slapdNSSVersions.min = NSSVersionMin; + slapdNSSVersions.max = NSSVersionMax; + (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); + (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); + slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization", + "Configured SSL version range: min: %s, max: %s\n", + mymin, mymax); + sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions); + if (sslStatus == SECSuccess) { + /* Set the restricted value to the cn=encryption entry */ + } else { + slapd_SSL_error("SSL Initialization 2: " + "Failed to set SSL range: min: %s, max: %s\n", + mymin, mymax); + } + } else { +#endif + /* deprecated code */ + sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3); + if (sslStatus != SECSuccess) { + errorCode = PR_GetError(); + slapd_SSL_warn("Security Initialization: Failed to %s SSLv3 " + "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + enableSSL3 ? "enable" : "disable", + errorCode, slapd_pr_strerror(errorCode)); + }
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1); - if (sslStatus != SECSuccess) { - errorCode = PR_GetError(); - slapd_SSL_warn("Security Initialization: Failed to %s TLSv1 " - "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - enableTLS1 ? "enable" : "disable", - errorCode, slapd_pr_strerror(errorCode)); + sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1); + if (sslStatus != SECSuccess) { + errorCode = PR_GetError(); + slapd_SSL_warn("Security Initialization: Failed to %s TLSv1 " + "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + enableTLS1 ? "enable" : "disable", + errorCode, slapd_pr_strerror(errorCode)); + } +#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ } +#endif freeConfigEntry( &e );
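Review bot: `nsTLS1: off` is silently ignored on the new path: `NSSVersionMax` is never lowered from `enabledNSSVersions.max` and `NSSVersionMin` starts at TLS1.0, so even with both nsSSL3 and nsTLS1 off the socket accepts TLS1.0 and newer, whereas the deprecated `SSL_OptionSet` branch honoured the flag. `if (NSSVersionMin > 0)` is also always true because of that initialiser, which makes the whole `else` branch dead on NSS 3.14 and newer, and the `SSL_VersionRangeSet` failure path drops the NSPR error code that the old branch reported while the success branch is an empty block holding a comment. I would at least warn when nsTLS1 is off so the log explains the behaviour, and log the error code on failure, as below. slapd_ssl_init2 starts and ends outside the hunk.
```c
        /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
        if (enableSSL3) {
            NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
        }
        if (!enableTLS1) {
            /* The range is never capped below the NSS maximum here, so
             * nsTLS1:off cannot be honoured; say so rather than ignore it. */
            slapd_SSL_warn("Security Initialization: nsTLS1 is off, but TLS1.0 "
                           "and newer remain enabled (min: %s)",
                           enableSSL3 ? "SSL3" : "TLS1.0");
        }
        /* … unchanged: slapdNSSVersions assignment and range logging … */
        sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
        if (sslStatus != SECSuccess) {
            errorCode = PR_GetError();
            slapd_SSL_error("SSL Initialization 2: Failed to set SSL range: "
                            "min: %s, max: %s (" SLAPI_COMPONENT_NAME_NSPR
                            " error %d - %s)",
                            mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
        }
```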
if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {