Viewing Software Bugs/7285
Notes: fixed in master
       fixed in RE24

Date: Mon, 04 Jun 2012 21:56:08 +0000
From: tim.strobell.ctr@nrl.navy.mil
To: openldap-its@OpenLDAP.org
Subject: Mozilla NSS: default cipher suite always selected

Full_Name: Tim Strobell
Version: HEAD
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)


When using NSS, the default cipher suite selection is used even when
TLSCipherSuite is explicitly specified. This behavior was introduced in the
patch provided in ITS#6790.

At tls_m.c:2221...

    if ( lt->lt_ciphersuite &&
         tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
        [ error, return ]
    } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
        [ error, return ]
    }

tlsm_parse_ciphers returns 0 on success; the else path is always followed
and overrides the previous cipher suite selection.

From: Jan Včelák <jvcelak@redhat.com>
To: tim.strobell.ctr@nrl.navy.mil
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
Date: Tue, 05 Jun 2012 11:19:44 +0200

The patch is fine. I was just about to send exactly the same. We have a
report in our bugzilla for this.

On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
> Full_Name: Tim Strobell
> Version: HEAD
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>
>
> When using NSS, the default cipher suite selection is used even when
> TLSCipherSuite is explicitly specified. This behavior was introduced in the
> patch provided in ITS#6790.
>
> At tls_m.c:2221...
>
>     if ( lt->lt_ciphersuite &&
>          tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>         [ error, return ]
>     } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>         [ error, return ]
>     }
>
> tlsm_parse_ciphers returns 0 on success; the else path is always followed
> and overrides the previous cipher suite selection.

Date: Tue, 05 Jun 2012 03:44:27 -0700
From: Howard Chu <hyc@symas.com>
To: jvcelak@redhat.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected

jvcelak@redhat.com wrote:
> The patch is fine. I was just about to send exactly the same. We have a
> report in our bugzilla for this.

Thanks for the confirmation, fixed now in master.

>
> On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
>> Full_Name: Tim Strobell
>> Version: HEAD
>> OS: RHEL6
>> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
>> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>>
>>
>> When using NSS, the default cipher suite selection is used even when
>> TLSCipherSuite is explicitly specified. This behavior was introduced in the
>> patch provided in ITS#6790.
>>
>> At tls_m.c:2221...
>>
>>     if ( lt->lt_ciphersuite &&
>>          tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>>         [ error, return ]
>>     } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>>         [ error, return ]
>>     }
>>
>> tlsm_parse_ciphers returns 0 on success; the else path is always followed
>> and overrides the previous cipher suite selection.
>
>
>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

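
The control flow reported in this thread, reduced to a runnable sketch beside one possible correction. This is an added example, not the submitted patch or OpenLDAP code: parse_ciphers() is a hypothetical stand-in for tlsm_parse_ciphers() that keeps only the 0-on-success convention stated in the report, and the suite string "HIGH" is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for tlsm_parse_ciphers(): records the last suite
 * string that took effect and, as the report states for the real function,
 * returns 0 on success and non-zero on failure. */
static const char *applied;   /* last cipher string that took effect */
static int parse_calls;       /* number of times the parser ran */

static int parse_ciphers(const char *suite)
{
    parse_calls++;
    if (suite == NULL || *suite == '\0')
        return -1;            /* constructed failure case */
    applied = suite;
    return 0;
}

/* Control flow as quoted in the report: a successful parse returns 0, so the
 * first condition is false, the else-if runs, and "DEFAULT" replaces the
 * configured selection. */
static int configure_buggy(const char *configured)
{
    applied = NULL; parse_calls = 0;
    if (configured && parse_ciphers(configured)) {
        return -1;
    } else if (parse_ciphers("DEFAULT")) {
        return -1;
    }
    return 0;
}

/* One possible correction (an assumption, not the submitted patch): pick the
 * string first, then parse exactly once. */
static int configure_fixed(const char *configured)
{
    applied = NULL; parse_calls = 0;
    return parse_ciphers(configured ? configured : "DEFAULT") ? -1 : 0;
}

int main(void)
{
    configure_buggy("HIGH");   /* constructed sample value */
    printf("buggy: applied=%s calls=%d\n", applied, parse_calls);
    configure_fixed("HIGH");
    printf("fixed: applied=%s calls=%d\n", applied, parse_calls);
    return 0;
}
```

Both versions return success for a valid configured suite, so a regression test for this class of bug has to assert on the suite actually in effect after configuration, not on the return code.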
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org