OpenLDAP
Viewing Software Bugs/7285

Date: Mon, 04 Jun 2012 21:56:08 +0000
From: tim.strobell.ctr@nrl.navy.mil
To: openldap-its@OpenLDAP.org
Subject: Mozilla NSS: default cipher suite always selected
Full_Name: Tim Strobell
Version: HEAD
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)


When using NSS, the default cipher suite selection is used even when
TLSCipherSuite is explicitly specified. This behavior was introduced in the
patch provided in ITS#6790.

At tls_m.c:2221...

        if ( lt->lt_ciphersuite &&
             tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
                   [ error, return ]
        } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
                   [ error, return ]
        }

tlsm_parse_ciphers returns 0 on success; the else path is always followed and
overrides the previous cipher suite selection.

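The report's point is a precedence-and-return-value slip: tlsm_parse_ciphers() returns 0 on success, so `lt->lt_ciphersuite && tlsm_parse_ciphers(...)` is false exactly when the configured list was accepted, and control falls into the else-if that applies "DEFAULT" on top of it. The following stand-alone model, added here and not OpenLDAP's own code, reproduces that control flow beside the corrected shape the analysis implies. model_ctx, model_opts, model_parse_ciphers() and the select_ciphers_*() functions are hypothetical stand-ins for the real tls_m.c types and for tlsm_parse_ciphers(); the stub only records which cipher list was applied last and rejects lists outside a small constructed vocabulary, so that the error path is exercised too.

```c
/* Added example (not OpenLDAP code): a model of the TLSCipherSuite selection
 * logic from ITS#7285. The parse routine is a stub that keeps the contract the
 * report relies on (0 on success, non-zero on failure) and records the list it
 * applied, so the "DEFAULT overrides the configured list" effect is observable. */
#include <stdio.h>
#include <string.h>

#define MAX_SUITE 64

/* Hypothetical stand-in for the NSS-side context: remembers the cipher list
 * that was applied most recently, as NSS would keep the enabled set. */
struct model_ctx {
    char applied[MAX_SUITE];
};

/* Hypothetical stand-in for the ldap TLS options: only the field the bug
 * touches. NULL means TLSCipherSuite was not configured. */
struct model_opts {
    const char *lt_ciphersuite;
};

/* Stub for tlsm_parse_ciphers(): accepts a small constructed vocabulary so an
 * unknown list produces the error path. Returns 0 on success, -1 on failure. */
static int model_parse_ciphers(struct model_ctx *ctx, const char *suites)
{
    static const char *known[] = { "DEFAULT", "HIGH", "HIGH:!aNULL:!MD5" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (strcmp(suites, known[i]) == 0) {
            snprintf(ctx->applied, sizeof ctx->applied, "%s", suites);
            return 0;
        }
    }
    return -1;
}

/* Shape of the code quoted in the report. A successful parse returns 0, so the
 * first condition is false whenever the configured list was accepted, and the
 * else-if then re-parses "DEFAULT" over it. */
static int select_ciphers_buggy(struct model_ctx *ctx, const struct model_opts *lt)
{
    if (lt->lt_ciphersuite && model_parse_ciphers(ctx, lt->lt_ciphersuite)) {
        return -1;                       /* configured list rejected */
    } else if (model_parse_ciphers(ctx, "DEFAULT")) {
        return -1;                       /* default list rejected */
    }
    return 0;
}

/* Corrected shape: "was a list configured?" and "did parsing fail?" are tested
 * separately, so "DEFAULT" is applied only when nothing was configured. */
static int select_ciphers_fixed(struct model_ctx *ctx, const struct model_opts *lt)
{
    if (lt->lt_ciphersuite) {
        if (model_parse_ciphers(ctx, lt->lt_ciphersuite))
            return -1;                   /* configured list rejected */
    } else if (model_parse_ciphers(ctx, "DEFAULT")) {
        return -1;                       /* default list rejected */
    }
    return 0;
}

typedef int (*selector_fn)(struct model_ctx *, const struct model_opts *);

/* Runs one selector on a fresh context with the given TLSCipherSuite value
 * (NULL = unset) and returns the selector's return code. */
static int rc_after(selector_fn sel, const char *configured)
{
    struct model_ctx ctx;
    struct model_opts lt = { configured };
    memset(&ctx, 0, sizeof ctx);
    return sel(&ctx, &lt);
}

/* Same run, but returns the cipher list that ended up applied
 * ("" when the selector failed before applying anything). */
static const char *applied_after(selector_fn sel, const char *configured)
{
    static struct model_ctx ctx;
    struct model_opts lt = { configured };
    memset(&ctx, 0, sizeof ctx);
    sel(&ctx, &lt);
    return ctx.applied;
}

int main(void)
{
    printf("buggy, TLSCipherSuite HIGH -> applied \"%s\" (rc %d)\n",
           applied_after(select_ciphers_buggy, "HIGH"), rc_after(select_ciphers_buggy, "HIGH"));
    printf("fixed, TLSCipherSuite HIGH -> applied \"%s\" (rc %d)\n",
           applied_after(select_ciphers_fixed, "HIGH"), rc_after(select_ciphers_fixed, "HIGH"));
    printf("fixed, unset               -> applied \"%s\" (rc %d)\n",
           applied_after(select_ciphers_fixed, NULL), rc_after(select_ciphers_fixed, NULL));
    printf("fixed, BOGUS               -> applied \"%s\" (rc %d)\n",
           applied_after(select_ciphers_fixed, "BOGUS"), rc_after(select_ciphers_fixed, "BOGUS"));
    return 0;
}
```

Note that both shapes return 0 for a valid configured list, so the bug is invisible to the caller's error check; the only observable difference is which list NSS was left with. That is why a failing return code is not enough of a test here, and why the checks below compare the applied list rather than the return value alone.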
Followup 1

From: Jan Včelák <jvcelak@redhat.com>
To: tim.strobell.ctr@nrl.navy.mil
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
Date: Tue, 05 Jun 2012 11:19:44 +0200
The patch is fine.  I was just about to send exactly the same. We have a 
report in our bugzilla for this.

On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
> Full_Name: Tim Strobell
> Version: HEAD
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
> 
> 
> When using NSS, the default cipher suite selection is used even when
> TLSCipherSuite is explicitly specified. This behavior was introduced in the
> patch provided in ITS#6790.
> 
> At tls_m.c:2221...
> 
>         if ( lt->lt_ciphersuite &&
>              tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>                    [ error, return ]
>         } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>                    [ error, return ]
>         }
> 
> tlsm_parse_ciphers returns 0 on success; the else path is always followed
> and overrides the previous cipher suite selection.



Followup 2

Date: Tue, 05 Jun 2012 03:44:27 -0700
From: Howard Chu <hyc@symas.com>
To: jvcelak@redhat.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
jvcelak@redhat.com wrote:
> The patch is fine.  I was just about to send exactly the same. We have a
> report in our bugzilla for this.

Thanks for the confirmation, fixed now in master.
>
> On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
>> Full_Name: Tim Strobell
>> Version: HEAD
>> OS: RHEL6
>> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
>> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>>
>>
>> When using NSS, the default cipher suite selection is used even when
>> TLSCipherSuite is explicitly specified. This behavior was introduced in the
>> patch provided in ITS#6790.
>>
>> At tls_m.c:2221...
>>
>>          if ( lt->lt_ciphersuite &&
>>               tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>>                     [ error, return ]
>>          } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>>                     [ error, return ]
>>          }
>>
>> tlsm_parse_ciphers returns 0 on success; the else path is always followed
>> and overrides the previous cipher suite selection.
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org