(ITS#7289) Mozilla NSS: cipher suite selection by name may be ignored
by tim.strobell.ctr@nrl.navy.mil
Full_Name: Tim Strobell
Version: HEAD
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060501.patch
Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
Under certain circumstances, cipher suite selection by name ("OpenSSL name") may
inadvertently cause any additional named cipher selections to be ignored.
In tls_m.c:625...
    for (i=0; i<ciphernum; i++) {
        if (!strcmp(ciphers_def[i].ossl_name, cipher) &&
            cipher_list[1] != -1)
            cipher_list[i] = action;
    }
The index into cipher_list on line 627 is 1 (one) but should be i (eye).
Any cipher selection that disables RC2-CBC-MD5 (cipher_list[1]) will not
add/subtract/disable (action = 1, 0, -1 resp.) any further named ciphers in the
list.
10 years, 9 months
(ITS#7288) Doc update for MemberOf Overlay: add cn=config info
by openldap@stompro.org
Full_Name: Josh Stompro
Version: HEAD
OS: Debian
URL: ftp://ftp.openldap.org/incoming/josh-stompro-120605.patch
Submission from: (NULL) (216.239.28.98)
I uploaded a patch to the openldap incoming ftp server named
josh-stompro-120605.patch. This patch updates the man page for the MemberOf
Overlay to include cn=config style instructions, and updates the config option
names so they comply with the cn=config style.
I had to resort to google to figure out how to add this overlay since I'm not
all that familiar with the cn=config format yet, and the documentation doesn't
make it easy to figure out. I found an article on serverfault[1] that had the
examples I needed to get it to work. This is my attempt to make it easier for
the next individual.
I, Josh Stompro, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
1 - http://serverfault.com/questions/73213/how-do-i-configure-reverse-group-m...
Re: (ITS#7286) Malformed search filter to back-ldap/slapo-rwm crashes slapd
by masarati@aero.polimi.it
On 06/05/2012 12:48 PM, hyc(a)symas.com wrote:
> gahaverkamp(a)lbl.gov wrote:
>> --e89a8fb1fbfae973ef04c1b0bad6
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> I thought I had, but I now see that I left off "full".
>>
>> (gdb) bt full
>
> We also need to see the slapd config.
Without carefully looking at it, it could be related to reinstalling the
original context because of the error. See ITS#6166.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Re: (ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert
by hyc@symas.com
jvcelak(a)redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: git master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-i...
> Submission from: (NULL) (209.132.186.34)
>
>
> If the peer certificate verification fails and the certificate does not contain
> the Basic Constraints extension, a wrong TLS error message is reported by the library.
> In addition, TLS_REQCERT=never does not work in this situation. This is caused
> by overwriting the original error code in the tlsm_verify_cert() function.
>
> The attached patch fixes this behavior.
Applied to master.
>
> Old version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8157:Certificate extension not found.
>
> Fixed version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Peer's certificate issuer has been
> marked as not trusted by the user.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
> the following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
by hyc@symas.com
jvcelak(a)redhat.com wrote:
> The patch is fine. I was just about to send exactly the same. We have a
> report in our bugzilla for this.
Thanks for the confirmation, fixed now in master.
>
> On Monday 04 of June 2012 21:56:08, tim.strobell.ctr(a)nrl.navy.mil wrote:
>> Full_Name: Tim Strobell
>> Version: HEAD
>> OS: RHEL6
>> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
>> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>>
>>
>> When using NSS, the default cipher suite selection is used even when
>> TLSCipherSuite is explicitly specified. This behavior was introduced in the
>> patch provided in ITS#6790.
>>
>> At tls_m.c:2221...
>>
>> if ( lt->lt_ciphersuite &&
>> tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>> [ error, return ]
>> } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>> [ error, return ]
>> }
>>
>> tlsm_parse_ciphers returns 0 on success; the else path is always followed
>> and overrides the previous cipher suite selection.
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
(ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert
by jvcelak@redhat.com
Full_Name: Jan Vcelak
Version: git master
OS: Linux
URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-i...
Submission from: (NULL) (209.132.186.34)
If the peer certificate verification fails and the certificate does not contain
the Basic Constraints extension, a wrong TLS error message is reported by the library.
In addition, TLS_REQCERT=never does not work in this situation. This is caused
by overwriting the original error code in the tlsm_verify_cert() function.
The attached patch fixes this behavior.
Old version:
$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found.
Fixed version:
$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been
marked as not trusted by the user.
The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by Red
Hat. Red Hat has not assigned rights and/or interest in this work to any party.
I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
the following terms.
Red Hat hereby place the following modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.
Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
by jvcelak@redhat.com
The patch is fine. I was just about to send exactly the same. We have a
report in our bugzilla for this.
On Monday 04 of June 2012 21:56:08, tim.strobell.ctr(a)nrl.navy.mil wrote:
> Full_Name: Tim Strobell
> Version: HEAD
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>
>
> When using NSS, the default cipher suite selection is used even when
> TLSCipherSuite is explicitly specified. This behavior was introduced in the
> patch provided in ITS#6790.
>
> At tls_m.c:2221...
>
> if ( lt->lt_ciphersuite &&
> tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
> [ error, return ]
> } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
> [ error, return ]
> }
>
> tlsm_parse_ciphers returns 0 on success; the else path is always followed
> and overrides the previous cipher suite selection.
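The two cipher-selection defects reported in this digest, ITS#7289 (the guard that reads cipher_list[1] instead of cipher_list[i]) and ITS#7285 (the else-if that re-runs the DEFAULT selection after a successful explicit parse), modelled side by side in a small stand-alone C program. This is an added example, not OpenLDAP's tls_m.c: the ciphers_def table, the prefix semantics (no prefix or '+' adds, '-' subtracts, '!' disables, DEFAULT adds everything not disabled), struct tls_ctx and the buggy/fixed switches are constructed stand-ins, and the corrected configure_ciphers() control flow is one way to fix ITS#7285, not necessarily the change that was applied in master.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ciphers_def[] table in tls_m.c. */
static const char *ciphers_def[] = {
    "AES128-SHA",    /* index 0 */
    "RC2-CBC-MD5",   /* index 1: the entry the stray cipher_list[1] refers to */
    "DES-CBC3-SHA",  /* index 2 */
    "AES256-SHA",    /* index 3 */
};
#define CIPHERNUM (sizeof ciphers_def / sizeof ciphers_def[0])

/* Per-cipher action as described in ITS#7289: 1 add, 0 subtract, -1 disable. */
struct tls_ctx {
    int cipher_list[CIPHERNUM];
};

/* ITS#7289 loop.  buggy=1 reads the guard from cipher_list[1] instead of
 * cipher_list[i]: once entry 1 is disabled, every later selection is skipped. */
static void select_by_name(struct tls_ctx *ctx, const char *cipher, int action, int buggy)
{
    size_t i;
    for (i = 0; i < CIPHERNUM; i++) {
        int guard = buggy ? ctx->cipher_list[1] : ctx->cipher_list[i];
        /* a permanently disabled entry (-1) must not be touched again */
        if (!strcmp(ciphers_def[i], cipher) && guard != -1)
            ctx->cipher_list[i] = action;
    }
}

/* Parse a colon-separated spec such as "AES128-SHA:!RC2-CBC-MD5:+AES256-SHA".
 * Assumed semantics: none/'+' add, '-' subtract, '!' disable; "DEFAULT" adds
 * every cipher not disabled.  Returns 0 on success, -1 on an unknown name. */
static int parse_ciphers(struct tls_ctx *ctx, const char *spec, int buggy)
{
    char buf[256];
    char *tok;
    size_t i;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        int action = 1, known = 0;
        if (!strcmp(tok, "DEFAULT")) {
            for (i = 0; i < CIPHERNUM; i++)
                if (ctx->cipher_list[i] != -1)
                    ctx->cipher_list[i] = 1;
            continue;
        }
        if (*tok == '!')      { action = -1; tok++; }
        else if (*tok == '-') { action = 0;  tok++; }
        else if (*tok == '+') { tok++; }
        for (i = 0; i < CIPHERNUM; i++)
            if (!strcmp(ciphers_def[i], tok))
                known = 1;
        if (!known)
            return -1;
        select_by_name(ctx, tok, action, buggy);
    }
    return 0;
}

/* ITS#7285 control flow.  buggy=1 mirrors the report: parse_ciphers() returns 0
 * on success, so the "else if" runs after a *successful* explicit parse and
 * DEFAULT replaces the configured suite.  The fixed form only falls back to
 * DEFAULT when no suite was configured at all. */
static int configure_ciphers(struct tls_ctx *ctx, const char *suite, int buggy)
{
    memset(ctx->cipher_list, 0, sizeof ctx->cipher_list);
    if (buggy) {
        if (suite && parse_ciphers(ctx, suite, 0)) {
            return -1;              /* explicit suite failed to parse */
        } else if (parse_ciphers(ctx, "DEFAULT", 0)) {
            return -1;              /* reached even when the suite parsed fine */
        }
        return 0;
    }
    if (suite)
        return parse_ciphers(ctx, suite, 0);
    return parse_ciphers(ctx, "DEFAULT", 0);
}

int main(void)
{
    struct tls_ctx ctx;
    int b;
    for (b = 1; b >= 0; b--) {
        memset(ctx.cipher_list, 0, sizeof ctx.cipher_list);
        parse_ciphers(&ctx, "!RC2-CBC-MD5:AES256-SHA", b);
        printf("ITS#7289 %s: AES256-SHA=%d\n", b ? "buggy" : "fixed", ctx.cipher_list[3]);
        configure_ciphers(&ctx, "AES256-SHA", b);
        printf("ITS#7285 %s: AES128-SHA=%d AES256-SHA=%d\n", b ? "buggy" : "fixed",
               ctx.cipher_list[0], ctx.cipher_list[3]);
    }
    return 0;
}
```

Compile with any C compiler and run: the buggy ITS#7289 line shows AES256-SHA left at 0 after RC2-CBC-MD5 was disabled, and the buggy ITS#7285 line shows AES128-SHA re-enabled by the DEFAULT fallback even though only AES256-SHA was configured. The fixed variants honour the explicit selection in both cases.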