(ITS#7289) Mozilla NSS: cipher suite selection by name may be ignored



Full_Name: Tim Strobell
Version: HEAD
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060501.patch
Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)


Under certain circumstances, cipher suite selection by name ("OpenSSL name") may
inadvertently cause any additional named cipher selections to be ignored.

In tls_m.c:625...

    for (i=0; i<ciphernum; i++) {
        if (!strcmp(ciphers_def[i].ossl_name, cipher) &&
             cipher_list[1] != -1)       
                 cipher_list[i] = action;
    }

The index into cipher_list on line 627 is 1 (one) but should be i (eye).
Any cipher selection that disables RC2-CBC-MD5 (cipher_list[1]) will not
add/subtract/disable (action = 1, 0, -1 resp.) any further named ciphers in the
list.
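
The effect of the wrong index, as an added example that is not part of the original report or of the OpenLDAP source: the same loop is run once with the reported guard on cipher_list[1] and once with a guard on cipher_list[i]. The cipher table contents and order are constructed (only RC2-CBC-MD5 at index 1 comes from the report), and apply_named and state_after are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ciphers_def table in tls_m.c; only the
 * position of RC2-CBC-MD5 at index 1 is taken from the report. */
struct cipher_def { const char *ossl_name; };
static const struct cipher_def ciphers_def[] = {
    { "RC4-MD5" }, { "RC2-CBC-MD5" }, { "DES-CBC3-SHA" }, { "AES128-SHA" },
};
enum { ciphernum = sizeof(ciphers_def) / sizeof(ciphers_def[0]) };

/* Apply one named selection. action: 1 = add, 0 = subtract, -1 = disable.
 * fixed == 0 reproduces the reported guard on cipher_list[1];
 * fixed != 0 checks cipher_list[i], as the report says it should. */
static void apply_named(int *cipher_list, const char *cipher, int action, int fixed)
{
    int i;
    for (i = 0; i < ciphernum; i++) {
        int guard = fixed ? cipher_list[i] : cipher_list[1];
        if (!strcmp(ciphers_def[i].ossl_name, cipher) && guard != -1)
            cipher_list[i] = action;
    }
}

/* Hypothetical helper: disable RC2-CBC-MD5, add AES128-SHA, try to re-add
 * RC2-CBC-MD5, then return the resulting state of the queried cipher. */
static int state_after(const char *query, int fixed)
{
    int cipher_list[ciphernum] = { 0 };
    int i;
    apply_named(cipher_list, "RC2-CBC-MD5", -1, fixed);
    apply_named(cipher_list, "AES128-SHA", 1, fixed);
    apply_named(cipher_list, "RC2-CBC-MD5", 1, fixed); /* a disabled cipher stays disabled */
    for (i = 0; i < ciphernum; i++)
        if (!strcmp(ciphers_def[i].ossl_name, query))
            return cipher_list[i];
    return -2; /* name not in table */
}

int main(void)
{
    printf("guard on cipher_list[1]: AES128-SHA = %d\n", state_after("AES128-SHA", 0));
    printf("guard on cipher_list[i]: AES128-SHA = %d\n", state_after("AES128-SHA", 1));
    return 0;
}
```

With the guard on cipher_list[1], the later AES128-SHA selection is silently dropped, so the configured cipher string and the effective cipher list disagree without any error being raised.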