[openldap/f16] fix: default cipher suite is always selected

jvcelak jvcelak at fedoraproject.org
Wed Jun 27 15:22:30 UTC 2012


commit 18c50b131ecfd21fa2d3930bdacb5d750f297b5b
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Jun 27 14:10:28 2012 +0200

    fix: default cipher suite is always selected
    
    Resolves: #828790

 ...-nss-default-cipher-suite-always-selected.patch |   34 ++++++++++++++++++++
 openldap.spec                                      |    3 ++
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-default-cipher-suite-always-selected.patch b/openldap-nss-default-cipher-suite-always-selected.patch
new file mode 100644
index 0000000..10c3523
--- /dev/null
+++ b/openldap-nss-default-cipher-suite-always-selected.patch
@@ -0,0 +1,34 @@
+MozNSS: default cipher suite always selected
+
+Author: Tim Strobell <tim.strobell.ctr at nrl.navy.mil>
+Upstream ITS: #7285
+Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
+Resolves: #828790
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 23d843c..b608551 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
+ 		return -1;
+ 	}
+ 
+- 	if ( lt->lt_ciphersuite &&
+-	     tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
+- 		Debug( LDAP_DEBUG_ANY,
+-		       "TLS: could not set cipher list %s.\n",
+-		       lt->lt_ciphersuite, 0, 0 );
+-		return -1;
++	if ( lt->lt_ciphersuite ) {
++		if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: could not set cipher list %s.\n",
++			       lt->lt_ciphersuite, 0, 0 );
++			return -1;
++		}
+ 	} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
+  		Debug( LDAP_DEBUG_ANY,
+ 		       "TLS: could not set cipher list DEFAULT.\n",
+-- 
+1.7.10.4
+
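Review bot: The restructured branch in tlsm_deferred_ctx_init (nested hunk starting at `if ( lt->lt_ciphersuite )`) stops the configured list from being silently replaced by "DEFAULT", but neither path records which cipher list ended up active, so an operator still cannot confirm from the log that a configured suite took effect. Consider a trace line after the if/else chain, e.g. `Debug( LDAP_DEBUG_TRACE, "TLS: cipher list set to %s.\n", lt->lt_ciphersuite ? lt->lt_ciphersuite : "DEFAULT", 0, 0 );`. The patch header also does not say how this relates to Patch25 (openldap-cve-nss-cipher-suite-ignored.patch), which per the spec changelog appears to touch the same cipher-suite selection; if this is a follow-up to that fix, a sentence in the header such as `Follow-up to the CVE-2012-2668 fix in the same function.` would make the dependency explicit for future rebases. The else-if body and the rest of tlsm_deferred_ctx_init continue outside the nested hunk.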
diff --git a/openldap.spec b/openldap.spec
index 3c9c416..91237fe 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -48,6 +48,7 @@ Patch22: openldap-ld_defconn-rebind.patch
 Patch23: openldap-nss-dont-overwrite-verify-cert-error.patch
 Patch24: openldap-nss-clean-memory-for-token-pin.patch
 Patch25: openldap-cve-nss-cipher-suite-ignored.patch
+Patch26: openldap-nss-default-cipher-suite-always-selected.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
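Review bot: Patch26 is registered here and applied in the next hunk, but no Release bump is part of this commit — the diffstat shows exactly three inserted lines in openldap.spec (Patch26, %patch26, and the changelog entry) — so a build from this revision would carry the same NVR as the previous one while changing TLS cipher-suite behaviour. Presumably the Release bump and changelog header land in a separate commit; if not, they should accompany this change so the fix is distinguishable in the package version.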
@@ -166,6 +167,7 @@ pushd openldap-%{version}
 %patch23 -p1 -b .nss-dont-overwrite-verify-cert-error
 %patch24 -p1 -b .nss-clean-memory-for-token-pin
 %patch25 -p1 -b .cve-nss-cipher-suite-ignored
+%patch26 -p1 -b .nss-default-cipher-suite-always-selected
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -695,6 +697,7 @@ exit 0
 - fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
 - fix: reading pin from file can make all TLS connections hang (#829317)
 - CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
+- fix: default cipher suite is always selected (#828790)
 
 * Mon Mar 26 2012 Jan Synáček <jsynacek at redhat.com> 2.4.26-7
 - fix: Re-binding to a failed connection can segfault (#784989)

