Mark Reynolds wrote:
On 11/12/2014 04:56 PM, Howard Chu wrote:
mreynolds@redhat.com wrote:
Full_Name: Mark Reynolds
Version: 2.4.40
OS: Fedora 20
URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
Submission from: (NULL) (174.60.44.17)
Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code. mozNSS defaults to SSLv3/TLS1.0 which is no longer considered secure. If a client only supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.
ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
or
LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
The fix is to grab the supported version range from NSS, adjust the minimum range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the min and max versions.
Thanks for the patch. I'm concerned because I see you adding MozNSS constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may well be identical values. But please make sure, and add a comment to that effect, so that it's clear that setting lt_protocol_min is actually doing what's expected.
Thanks for the feedback Howard. Yes, the SSL versions are the same in NSS & openldap. I have uploaded a new patch with the requested comments: mark-reynolds-141113.patch
Thanks, committed to master.
On a side note, we are pushing the NSS team to update the NSS API to provide the SSL version to version string mapping. So we will be able to remove the hardcoded map(pvers) in openldap once this gets addressed.
Great. Nice to see they're finally addressing their usability issues.
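The fix described in the original report above (take the supported version range from NSS, raise its minimum when TLS_PROTOCOL_MIN is set, hand the result back to NSS) as an added C example; this is not the submitted patch or OpenLDAP code. It restates the libldap and NSS version constants so the equality Howard asked about is checked at compile time, and the NSS calls (SSL_VersionRangeGetSupported / SSL_VersionRangeSetDefault) are replaced by a local stand-in range struct; parse_protocol_min and effective_range are names assumed here.

```c
#include <stdio.h>
#include <stdlib.h>

/* libldap encodes a TLS protocol version as (major << 8) + minor (ldap.h). */
#define LDAP_OPT_X_TLS_PROTOCOL(maj, min) (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3   LDAP_OPT_X_TLS_PROTOCOL(3, 0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 LDAP_OPT_X_TLS_PROTOCOL(3, 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 LDAP_OPT_X_TLS_PROTOCOL(3, 3)

/* NSS's values from sslproto.h, restated here rather than included. */
#define SSL_LIBRARY_VERSION_3_0     0x0300
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303

/* Compile-time check that the two libraries agree on the encoding. */
typedef char ldap_nss_versions_match[
    (LDAP_OPT_X_TLS_PROTOCOL_SSL3 == SSL_LIBRARY_VERSION_3_0 &&
     LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 == SSL_LIBRARY_VERSION_TLS_1_2) ? 1 : -1];

/* Stand-in for NSS's SSLVersionRange { min, max } (assumption: same shape). */
struct sim_range { unsigned min, max; };

/* Parse an LDAPTLS_PROTOCOL_MIN string such as "3.2" (major.minor) into
 * libldap's encoding; returns -1 on malformed input. */
int parse_protocol_min(const char *s)
{
    char *end;
    long maj, min;
    if (s == NULL || *s == '\0') return -1;
    maj = strtol(s, &end, 10);
    if (end == s || *end != '.' || maj < 0 || maj > 255) return -1;
    s = end + 1;
    min = strtol(s, &end, 10);
    if (end == s || *end != '\0' || min < 0 || min > 255) return -1;
    return (int)LDAP_OPT_X_TLS_PROTOCOL(maj, min);
}

/* Build the range to pass to SSL_VersionRangeSetDefault(): start from the
 * library-supported range, raise the floor to protocol_min when it is set
 * (protocol_min == 0 means TLS_PROTOCOL_MIN was not configured, so NSS's own
 * SSLv3 default stands). Returns -1 when the floor exceeds the library max. */
int effective_range(struct sim_range supported, int protocol_min, struct sim_range *out)
{
    *out = supported;
    if (protocol_min > 0 && (unsigned)protocol_min > supported.min)
        out->min = (unsigned)protocol_min;
    return out->min <= out->max ? 0 : -1;
}

int main(void)
{
    struct sim_range sup = { SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_2 }, r;
    int rc = effective_range(sup, parse_protocol_min("3.2"), &r);
    printf("rc=%d min=0x%x max=0x%x\n", rc, r.min, r.max);
    return rc;
}
```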