[openldap/f14/master] merge with "master"

jvcelak jvcelak at fedoraproject.org
Thu Jan 20 17:11:16 UTC 2011


commit 680b775f26f0fd2b4579f56a98f557f6ea89c18d
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Thu Jan 20 18:07:49 2011 +0100

    merge with "master"
    
    - fix: default encryption strength dropped in switch to using NSS
    - fix: some server certificates refused with inadequate type error
    
    Resolves: #669446, #668899

 openldap-nss-cipher-suites.patch        |   43 +++++++++++++++++++++++++++++++
 openldap-verify-self-issued-certs.patch |   12 ++++----
 openldap.spec                           |    4 +++
 3 files changed, 53 insertions(+), 6 deletions(-)
---
diff --git a/openldap-nss-cipher-suites.patch b/openldap-nss-cipher-suites.patch
new file mode 100644
index 0000000..0be02f6
--- /dev/null
+++ b/openldap-nss-cipher-suites.patch
@@ -0,0 +1,43 @@
+Makes tls_m use the "DEFAULT" list and adds more cipher suites to the default list.
+
+Upstream ITS: #6790
+Resolves: #669446
+Author: Rich Megginson <rmeggins at redhat.com>
+
+diff -uNrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
+--- openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:23:45.326428779 +0100
++++ openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:25:05.667128309 +0100
+@@ -214,7 +214,7 @@ static cipher_properties ciphers_def[] =
+ 
+ 	/* SSL3 ciphers */
+ 	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},
++	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+ 	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
+ 	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
+ 	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+@@ -225,8 +225,8 @@ static cipher_properties ciphers_def[] =
+ 	/* TLSv1 ciphers */
+ 	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+ 	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+-	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},
+-	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},
++	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
++	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
+ };
+ 
+ #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
+@@ -2016,7 +2016,12 @@ tlsm_deferred_ctx_init( void *arg )
+ 		       "TLS: could not set cipher list %s.\n",
+ 		       lt->lt_ciphersuite, 0, 0 );
+ 		return -1;
+- 	}
++	} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
++ 		Debug( LDAP_DEBUG_ANY,
++		       "TLS: could not set cipher list DEFAULT.\n",
++		       0, 0, 0 );
++		return -1;
++	}
+ 
+ 	if ( ctx->tc_require_cert ) {
+ 		request_cert = PR_TRUE;
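Review bot: The new `else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) )` fallback at the end of the hunk installs a list whose contents are not visible here, while the table rows this same patch leaves as `SSL_ALLOWED` still include 40- and 56-bit export suites (`EXP-RC4-MD5`, `EXP1024-DES-CBC-SHA`, `EXP1024-RC4-SHA`) and single-DES (`DES-CBC-SHA`, marked `SSL_LOW`). If `DEFAULT` is derived from that last column, as its name suggests, the change restores AES and RC4-SHA but also keeps offering those weak suites whenever no `TLSCipherSuite` is configured; a comment above the fallback, e.g. `/* NOTE(review): confirm what "DEFAULT" expands to -- ciphers_def still flags export and DES rows SSL_ALLOWED */`, would make that checkable. The added `Debug(` line also carries a stray space before its tab, copied from the removed `}` line, and should be tab-indented like its neighbours. `tlsm_deferred_ctx_init` starts and ends outside this hunk.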
diff --git a/openldap-verify-self-issued-certs.patch b/openldap-verify-self-issued-certs.patch
index a40abf6..4995b4c 100644
--- a/openldap-verify-self-issued-certs.patch
+++ b/openldap-verify-self-issued-certs.patch
@@ -1,12 +1,12 @@
 openldap does not trust certs with Basic Constraint ext. with CA == FALSE
 
-Resolves: #657984
-Upstream: ITS #6742
+Resolves: #657984, #668899
+Upstream: ITS #6742, #6791
 Author: Rich Megginson <rmeggins at redhat.com>
 
 diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
---- openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-06 20:24:54.401170400 +0100
-+++ openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-06 20:40:21.180097089 +0100
+--- openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:06:56.461937417 +0100
++++ openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:07:58.494922870 +0100
 @@ -63,6 +63,7 @@
  #include <nss/secerr.h>
  #include <nss/keyhi.h>
@@ -65,7 +65,7 @@ diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/
 +
 +static SECStatus
 +tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
-+				 PRBool checksig, SECCertUsage certUsage, int errorToIgnore )
++				 PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
 +{
 +	CERTVerifyLog verifylog;
 +	SECStatus ret = SECSuccess;
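Review bot: `tlsm_verify_cert` now takes a `SECCertificateUsage` (the NSS usage bitmask) instead of the `SECCertUsage` enum, but the body where `certUsage` is handed to the NSS verification call lies outside this hunk, so it is not visible whether that call was moved from `CERT_VerifyCert`, which takes the enum, to `CERT_VerifyCertificate`, which takes the bitmask. Since both are integer types, passing the bitmask to the enum-taking function compiles with at most a warning and then verifies against an unrelated usage value, which could silently reproduce the wrong-type symptom this change is meant to fix. Worth confirming in the same patch that the call site matches the new parameter type, and documenting it above the signature with `/* certUsage is a SECCertificateUsage bitmask (certificateUsage*), not the SECCertUsage enum */`. The function body continues past the end of this hunk.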
@@ -159,7 +159,7 @@ diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/
 +tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
 +                       PRBool checksig, PRBool isServer)
 +{
-+	SECCertUsage certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
++	SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
 +	SECStatus ret = SECSuccess;
 +
 +	ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ),
diff --git a/openldap.spec b/openldap.spec
index 748c4e1..5e5eda0 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -39,6 +39,9 @@ Patch106: openldap-improve-trace-messages.patch
 Patch107: openldap-nss-non-blocking.patch
 Patch108: openldap-verify-self-issued-certs.patch
 
+# patches sent upstream
+Patch109: openldap-nss-cipher-suites.patch
+
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
 
@@ -148,6 +151,7 @@ pushd openldap-%{version}
 %patch106 -p1 -b .improve-trace-messages
 %patch107 -p1 -b .nss-non-blocking
 %patch108 -p1 -b .verify-self-issued-certs
+%patch109 -p1 -b .nss-cipher-suites
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 


More information about the scm-commits mailing list