[mozldap/f19] Disable SSL3
Noriko Hosoi
nhosoi at fedoraproject.org
Tue Nov 4 18:15:38 UTC 2014
commit 8e7e6690ef0486a98626125912af5d610277ddd1
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Mon Nov 3 14:57:04 2014 -0800
Disable SSL3
- Support TLS 1.1 and newer using the NSS Version Range APIs.
(cherry picked from commit e151b116410feab82847740693f55233a19c8661)
(cherry picked from commit 925ed2b4a0ab79b7e10071947f5e02f0ed0e9bb1)
(cherry picked from commit 5c29819a1ddf10648249a023d468f089739219ee)
mozldap.spec | 8 ++-
support-tls1.1-and-later.patch | 165 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 172 insertions(+), 1 deletions(-)
---
diff --git a/mozldap.spec b/mozldap.spec
index d7beec8..e515b82 100644
--- a/mozldap.spec
+++ b/mozldap.spec
@@ -13,7 +13,7 @@
Summary: Mozilla LDAP C SDK
Name: mozldap
Version: %{major}.%{minor}.%{submin}
-Release: 10%{?dist}
+Release: 11%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/directory/csdk.html
Group: System Environment/Libraries
@@ -28,6 +28,7 @@ BuildRequires: gcc-c++
BuildRequires: cyrus-sasl-devel
Source0: ftp://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/releases/v%{version}/src/%{name}-%{version}.tar.gz
+Patch0: support-tls1.1-and-later.patch
%description
The Mozilla LDAP C SDK is a set of libraries that
@@ -65,6 +66,7 @@ Header and Library files for doing development with the Mozilla LDAP C SDK
%prep
%setup -q
+%patch0 -p1
%build
cd mozilla/directory/c-sdk
@@ -186,6 +188,10 @@ cp -r mozilla/directory/c-sdk/ldap/examples $RPM_BUILD_ROOT%{_datadir}/%{name}
%{_datadir}/%{name}
%changelog
+* Mon Nov 3 2014 Noriko Hosoi <nhosoi at redhat.com> - 6.0.5-11
+- Disable SSL3
+- Support TLS 1.1 and newer using the NSS Version Range APIs.
+
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.0.5-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
diff --git a/support-tls1.1-and-later.patch b/support-tls1.1-and-later.patch
new file mode 100644
index 0000000..a265f0d
--- /dev/null
+++ b/support-tls1.1-and-later.patch
@@ -0,0 +1,165 @@
+--- mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c.orig 2006-10-10 06:37:35.000000000 -0700
++++ mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c 2014-11-03 14:18:59.908337004 -0800
+@@ -59,8 +59,9 @@
+ #endif /* OSF1V4D */
+
+ #include <errno.h>
+ #include <nspr.h>
++#include <nss.h>
+ #include <cert.h>
+ #include <key.h>
+ #include <ssl.h>
+ #include <sslproto.h>
+@@ -70,8 +71,21 @@
+ #include <ldap.h>
+ #include <ldap_ssl.h>
+ #include <ldappr.h>
+ #include <pk11func.h>
++
++#if NSS_VMAJOR * 100 + NSS_VMINOR >= 314
++/* TLS1.1 is defined in RFC4346. */
++#define NSS_TLS11 1
++static SSLVersionRange enabledNSSVersions;
++static SSLVersionRange ldapNSSVersions;
++#else
++/*
++ * * TLS1.0 is defined in RFC2246.
++ * * Close to SSL 3.0.
++ * */
++#define NSS_TLS10 1
++#endif
+
+ /*
+ * Macro that determines how many SSL options we support. As of June, 2002
+ * NSS supports 14 options numbered 1-14 (see nss/ssl.h). We allow some
+@@ -247,8 +261,20 @@
+ PRLDAPSocketInfo soi;
+ LDAPSSLSocketInfo *ssoip = NULL;
+ LDAPSSLSessionInfo *sseip;
+ PRFileDesc *sslfd = NULL;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+ /*
+ * Determine if secure option is set. Also, clear secure bit in options
+ * the we pass to the standard connect() function (since it doesn't know
+@@ -305,9 +331,18 @@
+ if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
+ goto close_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto close_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
+ != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
+ PR_FALSE ) != SECSuccess )) {
+ goto close_socket_and_exit_with_error;
+@@ -505,8 +540,20 @@
+ LBER_SOCKET intfd = -1;
+ int rc = LDAP_LOCAL_ERROR;
+ char *hostlist = NULL;
+ struct lextiof_socket_private *socketargp = NULL;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+ /*
+ * Get hostlist from LDAP Handle
+ */
+@@ -570,10 +617,18 @@
+ rc = LDAP_LOCAL_ERROR;
+ goto close_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto close_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
+- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) != SECSuccess ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure ) != SECSuccess ||
+ ( secure && SSL_ResetHandshake( sslfd, PR_FALSE ) != SECSuccess ) ) {
+ rc = LDAP_LOCAL_ERROR;
+ goto close_socket_and_exit_with_error;
+@@ -1350,13 +1405,25 @@
+ PRLDAPSocketInfo soi;
+ LDAPSSLSocketInfo *ssoip = NULL;
+ LDAPSSLSessionInfo *sseip;
+ PRFileDesc *sslfd = NULL;
+- LBER_SOCKET intfd = -1;
+- char *hostlist;
+- struct lextiof_socket_private *socketargp;
++ LBER_SOCKET intfd = -1;
++ char *hostlist;
++ struct lextiof_socket_private *socketargp;
++#if defined(NSS_TLS11)
++ SECStatus sslStatus = SECSuccess;
++ char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");
++ /* Get the range of the supported SSL version */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ if (s) {
++ ldapNSSVersions.min = enabledNSSVersions.min;
++ } else {
++ ldapNSSVersions.min = SSL_LIBRARY_VERSION_TLS_1_1;
++ }
++ ldapNSSVersions.max = enabledNSSVersions.max;
++#endif
+
+- /*
++ /*
+ * Get hostlist from LDAP Handle
+ */
+ if ( ldap_get_option(ld, LDAP_OPT_HOST_NAME, &hostlist) < 0 ) {
+ return( -1 );
+@@ -1411,10 +1478,18 @@
+ if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
+ goto reset_socket_and_exit_with_error;
+ }
+
++#if defined(NSS_TLS11)
++ sslStatus = SSL_VersionRangeSet(sslfd, &ldapNSSVersions);
++ if (sslStatus != SECSuccess) {
++ goto reset_socket_and_exit_with_error;
++ }
++#endif
+ if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
+- SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#if defined(NSS_TLS10)
++ SSL_OptionSet( sslfd, SSL_ENABLE_TLS, secure ) ||
++#endif
+ SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
+ != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
+ PR_FALSE ) != SECSuccess )) {
+ goto reset_socket_and_exit_with_error;
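Review bot: The override at `char *s = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");` followed by `if (s)` tests only that the variable exists, so an empty export or `LDAPSSL_ALLOW_OLD_SSL_VERSION=0` silently lowers the minimum to `enabledNSSVersions.min` — SSL 3.0 on the NSS builds this targets — which is the downgrade the commit sets out to remove. In all three copies the result of `SSL_VersionRangeGetSupported` is discarded, so on failure the file-scope statics keep stale or zero contents and the problem only surfaces indirectly when `SSL_VersionRangeSet` rejects the range. Since the same eleven lines are pasted into three connect paths and each call rewrites the shared statics `enabledNSSVersions`/`ldapNSSVersions`, I'd fold them into one static helper that uses locals and returns `SECStatus`, so each caller becomes `if (ldapssl_set_version_range(sslfd) != SECSuccess) goto close_socket_and_exit_with_error;` (the third site uses its `reset_socket_and_exit_with_error` label); `strcmp` needs `<string.h>` if ldapsinit.c does not already pull it in. The override variable is not mentioned in the changelog or any comment, so a note such as `/* LDAPSSL_ALLOW_OLD_SSL_VERSION: set to a non-empty value other than "0" to permit the SSL 3.0/TLS 1.0 range NSS still supports; off by default. */` belongs next to the `#define NSS_TLS11 1` block. The three connect functions being patched begin and end outside the inner hunks, so I can only see the version-range and `SSL_OptionSet` portions of each.
```c
/* Pick the SSL/TLS version range for a freshly imported socket:
 * TLS 1.1 .. NSS maximum by default, NSS minimum .. maximum only on
 * explicit opt-in via LDAPSSL_ALLOW_OLD_SSL_VERSION. */
static SECStatus
ldapssl_set_version_range(PRFileDesc *sslfd)
{
    SSLVersionRange supported;
    SSLVersionRange wanted;
    const char *allow_old = getenv("LDAPSSL_ALLOW_OLD_SSL_VERSION");

    if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) != SECSuccess) {
        return SECFailure;
    }
    /* Presence alone is not consent: an empty or "0" value keeps the default. */
    if (allow_old != NULL && *allow_old != '\0' && strcmp(allow_old, "0") != 0) {
        wanted.min = supported.min;
    } else {
        wanted.min = SSL_LIBRARY_VERSION_TLS_1_1;
    }
    wanted.max = supported.max;
    return SSL_VersionRangeSet(sslfd, &wanted);
}
/* … unchanged: the three connect paths, each calling the helper right after SSL_ImportFD() … */
```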