ldap/schema/01core389.ldif | 5 ++-
ldap/servers/slapd/ssl.c | 71 ++++++++++++++++++++++++++++++++++++++-------
2 files changed, 65 insertions(+), 11 deletions(-)
New commits:
commit 6111400a7b21785823e16b1071fc29bc21542213
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue May 10 14:41:10 2016 -0700
Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to
cn=encryption,cn=config in RHEL 6 389-ds-base
Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch is
adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config
so that the definition of nsTLS1 remains intact if the new parameters are not
specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config
entry, nsTLS1 is ignored and the new parameters are added.
Default values:
nsTLS1: on
nsTLS10,nsTLS11,nsTLS12: ignored
Examples:
cn=encryption,cn=config
[no SSL version settings]
==> sslVersionMin: TLS1.0
cn=encryption,cn=config
nsTLS1: on
==> sslVersionMin: TLS1.0
cn=encryption,cn=config
nsTLS1: on | off
nsTLS10: on
==> sslVersionMin: TLS1.0
==> Note: nsTLS1 is ignored.
cn=encryption,cn=config
nsTLS11: on
==> sslVersionMin: TLS1.1
cn=encryption,cn=config
nsTLS12: on
==> sslVersionMin: TLS1.2
Special cases:
If all SSL version config parameters are off, SSL fails to configure.
cn=encryption,cn=config
nsTLS10: off
nsTLS11: off
nsTLS12: off
nsTLS1: off
==> SSL configuration fails.
==> Note: nsSSL3 is off by default.
cn=encryption,cn=config
nsTLS10: on
nsTLS12: off
==> sslVersionMin: TLS1.0
==> Note: nsTLS12 is ignored.
Even if off is set to the higher SSL version as in this example,
it is not used as sslVersionMax, but it is ignored.
https://fedorahosted.org/389/ticket/48816
Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!!
Final review was made by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 8f366a8..4ae6967 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC
'Netscape defined attribut
attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape
defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
'Netscape' )
attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC
'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
'Netscape' )
attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC
'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
'Netscape' )
@@ -171,5 +174,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME
'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape
defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server'
)
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC
'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $
nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory
Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape
defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $
nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $
nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC
'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $
nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $
nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN
'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC
'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $
nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $
nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $
nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC
'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $
nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index fcf7ba9..54ba16a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
Slapi_Entry *e = NULL;
PRBool enableSSL2 = PR_FALSE;
PRBool enableSSL3 = PR_FALSE;
+ int enableTLS10 = -1;
+ int enableTLS11 = -1;
+ int enableTLS12 = -1;
PRBool enableTLS1 = PR_TRUE;
PRBool fipsMode = PR_FALSE;
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
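Review bot: The three new `int` variables are tri-state (the later tests use `>= 0` for "present in the entry" and `> 0` for "on"), but nothing at the declaration says so, and sitting between `PRBool` flags they read as plain booleans that happen to start at -1. Document the encoding where it is introduced, e.g. `int enableTLS10 = -1; /* -1: not in config entry, 0: off, 1: on */`, and the same on the two lines below it. slapd_ssl_init2 begins before this hunk and its declarations continue after it.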
@@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
}
slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS10" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS10 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS10 = 1;
+ } else {
+ enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS11" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS11 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS11 = 1;
+ } else {
+ enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS12" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS12 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS12 = 1;
+ } else {
+ enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
if ( val ) {
if ( !strcasecmp( val, "off" ) ) {
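Review bot: In each of the three new lookup blocks (nsTLS10, nsTLS11, nsTLS12) a value that is neither "on" nor "off" falls back silently to `slapi_entry_attr_get_bool(e, ...)?1:0`, so a mistyped value becomes an explicit 0 or 1 that switches the later `>= 0` branch and changes the minimum protocol version without any log line; since these attributes decide which TLS versions the server accepts, an unrecognized spelling should at least be reported. The same logic is pasted three times with only the attribute name varying, which is where a small helper pays off: a static function returning -1/0/1 and logging the odd value replaces the 33 added lines with three calls (sketch below). How slapi_entry_attr_get_bool interprets other spellings is not visible in this hunk, so the sketch keeps it as the fallback. The pre-existing nsTLS1 block that follows has the same shape and could share the helper. slapd_ssl_init2 continues outside the hunk on both sides.
```c
/* Reads on/off attribute ATTR of E: -1 when absent, 1 for "on", 0 for "off".
 * Any other spelling is logged before deferring to slapi_entry_attr_get_bool(). */
static int
ssl_attr_tri_state(Slapi_Entry *e, const char *attr)
{
    int rc = -1;
    char *val = slapi_entry_attr_get_charptr(e, attr);
    if (val) {
        if (!strcasecmp(val, "off")) {
            rc = 0;
        } else if (!strcasecmp(val, "on")) {
            rc = 1;
        } else {
            slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
                            "Unrecognized value \"%s\" for %s; expected on or off\n",
                            val, attr);
            rc = slapi_entry_attr_get_bool(e, attr) ? 1 : 0;
        }
    }
    slapi_ch_free_string(&val);
    return rc;
}

/* … unchanged: earlier attribute parsing in slapd_ssl_init2 … */
    enableTLS10 = ssl_attr_tri_state(e, "nsTLS10");
    enableTLS11 = ssl_attr_tri_state(e, "nsTLS11");
    enableTLS12 = ssl_attr_tri_state(e, "nsTLS12");
/* … unchanged: nsTLS1 handling … */
```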
@@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
if (NSSVersionMin > 0) {
char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ NSSVersionMax = enabledNSSVersions.max;
/* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
- if (enableTLS1) {
+ if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
+ if (enableTLS10 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableTLS11 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
+ } else if (enableTLS12 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
+ } else if (enableTLS1) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableSSL3) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+ NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters
are off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11,
nsTLS12.");
+ return 0;
+ }
+ } else if (enableTLS1) {
NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- } else {
+ } else if (enableSSL3) {
NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
- }
- if (enableSSL3) {
- NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
- } else if (!enableTLS1) {
- slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off.
Enabling nsTLS1.");
- NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- NSSVersionMax = enabledNSSVersions.max;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters are
off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+ return 0;
}
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
(void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
(void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
- slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
"Configured SSL version range: min: %s, max: %s\n",
mymin, mymax);
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
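Review bot: Inside the new `if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0))` branch, an entry that contains only `nsTLS10: off` still ends with `NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0`, because none of the `> 0` tests match and control falls to `else if (enableTLS1)`, whose default is PR_TRUE; the explicit off is overridden by a default with no message, which contradicts the commit message's "nsTLS1 is ignored" and is exactly the line an administrator would write to retire TLS 1.0. The branch should honour an explicit `nsTLS10: off` by starting the range at the lowest version not explicitly disabled, and fail as the all-off case does when nothing is left (rewrite below). Separately, the chosen minimum is never compared with `NSSVersionMax = enabledNSSVersions.max`, so on an NSS build whose maximum is below the requested minimum the range handed to SSL_VersionRangeSet is inverted; I assume sslStatus is checked after the hunk. slapd_ssl_init2 starts and ends outside the hunk.
```c
            if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
                if (enableTLS10 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
                } else if (enableTLS11 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
                } else if (enableTLS12 > 0) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
                } else if (enableTLS10 == 0) {
                    /* TLS1.0 was explicitly switched off: the nsTLS1 default must
                     * not re-enable it; start at the lowest version not explicitly off. */
                    if (enableTLS11 != 0) {
                        NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
                    } else if (enableTLS12 != 0) {
                        NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
                    } else {
                        slapd_SSL_error("SSL Initialization 2: nsTLS10, nsTLS11 and nsTLS12 are all off.");
                        return 0;
                    }
                } else if (enableTLS1) {
                    NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
                /* … unchanged: enableSSL3 fallback, all-off error, and the path taken when none of nsTLS10/11/12 is set … */
```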