Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
- From: hyc@symas.com
- Date: Tue, 5 Jun 2012 10:45:18 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
jvcelak@redhat.com wrote:
> The patch is fine. I was just about to send exactly the same. We have a
> report in our bugzilla for this.
Thanks for the confirmation, fixed now in master.
>
> On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
>> Full_Name: Tim Strobell
>> Version: HEAD
>> OS: RHEL6
>> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
>> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>>
>>
>> When using NSS, the default cipher suite selection is used even when
>> TLSCipherSuite is explicitly specified. This behavior was introduced in the
>> patch provided in ITS#6790.
>>
>> At tls_m.c:2221...
>>
>> if ( lt->lt_ciphersuite &&
>>      tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>>     [ error, return ]
>> } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>>     [ error, return ]
>> }
>>
>> tlsm_parse_ciphers returns 0 on success; the else path is always followed
>> and overrides the previous cipher suite selection.
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
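
The control-flow defect described in the report, reproduced as an added example that is not part of the original thread and is not OpenLDAP code. `mock_ctx`, `mock_parse_ciphers`, `select_buggy`, `select_fixed` and `applies` are hypothetical stand-ins, the cipher string "HIGH" is a constructed sample, and `select_fixed` is one possible restructuring, not the patch attached to the ITS.

```c
#include <stdio.h>
#include <string.h>

struct mock_ctx { char applied[64]; };  /* stand-in context: last cipher string applied */

/* Hypothetical stub using the report's convention: 0 on success, non-zero on error. */
static int mock_parse_ciphers(struct mock_ctx *ctx, const char *spec)
{
    if (spec == NULL || *spec == '\0' || strlen(spec) >= sizeof ctx->applied)
        return -1;
    strcpy(ctx->applied, spec);
    return 0;
}

/* Flow as quoted in the report: a successful parse falls through to "DEFAULT". */
static int select_buggy(struct mock_ctx *ctx, const char *configured)
{
    if (configured && mock_parse_ciphers(ctx, configured)) {
        return -1;
    } else if (mock_parse_ciphers(ctx, "DEFAULT")) {
        return -1;
    }
    return 0;
}

/* Assumed restructuring: branch on whether a suite is configured, not on the result. */
static int select_fixed(struct mock_ctx *ctx, const char *configured)
{
    if (configured) {
        if (mock_parse_ciphers(ctx, configured))
            return -1;
    } else if (mock_parse_ciphers(ctx, "DEFAULT")) {
        return -1;
    }
    return 0;
}

/* Returns 1 if `sel` succeeded and left `want` applied (inputs are constructed samples). */
static int applies(int (*sel)(struct mock_ctx *, const char *), const char *cfg, const char *want)
{
    struct mock_ctx ctx = { "" };
    return sel(&ctx, cfg) == 0 && strcmp(ctx.applied, want) == 0;
}

int main(void)
{
    printf("configured suite kept: buggy=%d fixed=%d\n",
           applies(select_buggy, "HIGH", "HIGH"), applies(select_fixed, "HIGH", "HIGH"));
    return 0;
}
```

A regression check for this class of bug should assert on the suite that ends up applied, since both variants return success for a valid configured string.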