[openldap: 4/4] enhancement: support TLSv1 and later (#1160466)
jsynacek
jsynacek at fedoraproject.org
Fri Nov 14 09:07:51 UTC 2014
commit 4b2abac9db548c3ce7f44df72517eec50d68eefc
Author: Jan Synacek <jsynacek at redhat.com>
Date: Fri Nov 14 09:46:06 2014 +0100
enhancement: support TLSv1 and later (#1160466)
openldap-support-tlsv1-and-later.patch | 54 ++++++++++++++++++++++++++++++++
openldap.spec | 8 ++++-
2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/openldap-support-tlsv1-and-later.patch b/openldap-support-tlsv1-and-later.patch
new file mode 100644
index 0000000..b8cc0f8
--- /dev/null
+++ b/openldap-support-tlsv1-and-later.patch
@@ -0,0 +1,54 @@
+Support TLSv1 and later.
+
+Author: Mark Reynolds <mreynolds at redhat.com>
+Backported-by: Jan Synacek <jsynacek at redhat.com>
+Upstream ITS: #7979
+Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
+
+--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
++++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
+@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ break;
+ default:
+- success = SECFailure;
++ success = SECFailure;
+ break;
+ }
+
+@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
+ NSSInitContext *initctx = NULL;
+ PK11SlotInfo *certdb_slot = NULL;
+ #endif
++ SSLVersionRange range;
++ SSLProtocolVariant variant;
+ SECStatus rc;
+ int done = 0;
+
+@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
+ }
+ }
+
++ /*
++ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
++ *
++ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
++ */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
++ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
++ variant = ssl_variant_stream;
++ SSL_VersionRangeSetDefault(variant, &range);
++
+ NSS_SetDomesticPolicy();
+
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
+--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
+
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH 0x6100
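Review bot: Both NSS calls added to tlsm_deferred_init discard their SECStatus, so a rejected version range is silently ignored: if SSL_VersionRangeGetSupported fails, `range` (declared without an initializer in the earlier hunk) may be read uninitialized on the next line, and if lt_protocol_min is outside what the linked NSS supports (for instance the TLS1_3 value the ldap.h hunk introduces, which the NSS of this era presumably does not yet offer), SSL_VersionRangeSetDefault fails and the administrator's configured minimum is not enforced at all. Since `rc` is already declared in this function, the result should be checked, e.g. `rc = SSL_VersionRangeSetDefault( variant, &range );` followed by `if ( rc != SECSuccess ) { /* log the rejected range and fail the init */ }`, with the same treatment for the GetSupported call. When lt_protocol_min is unset the minimum stays at whatever GetSupported reports as the lowest supported version, which likely still includes SSL 3.0; either a comment stating that this default is intentional, or a floor at LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 to match the patch title, would make the behaviour explicit. tlsm_deferred_init begins and ends outside this hunk.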
diff --git a/openldap.spec b/openldap.spec
index 6d7462b..f2d51ce 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
Name: openldap
Version: 2.4.40
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -46,6 +46,8 @@ Patch16: openldap-nss-pk11-freeslot.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
+# TLSv1 support, already included upstream
+Patch21: openldap-support-tlsv1-and-later.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -161,6 +163,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch16 -p1
%patch19 -p1
%patch20 -p1
+%patch21 -p1
%patch102 -p1
@@ -573,6 +576,9 @@ exit 0
%{_mandir}/man3/*
%changelog
+* Fri Nov 14 2014 Jan Synáček <jsynacek at redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
* Mon Oct 6 2014 Jan Synáček <jsynacek at redhat.com> - 2.4.40-1
- new upstream release (#1147877)