
(ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN



Full_Name: Mark Reynolds
Version: 2.4.40
OS: Fedora 20
URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
Submission from: (NULL) (174.60.44.17)


Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.  mozNSS
defaults to SSLv3/TLS1.0, which is no longer considered secure.  If a client only
supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.

ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*

or 

LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*

The fix is to grab the supported version range from NSS, adjust the minimum
range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
min and max versions.

Also updated the NSS version string map table to support up to TLSv1.3.
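The range-adjustment logic the report describes, written out as an added example in C. This is not the submitted patch and not OpenLDAP or NSS code: the SSL_LIBRARY_VERSION_* values are the real codes from NSS's sslproto.h, but the supported range is passed in as a parameter instead of being fetched with SSL_VersionRangeGetSupported() and the result is returned instead of being installed with SSL_VersionRangeSetDefault(), so the file builds and runs without NSS. The type version_range and the functions parse_protocol_min, apply_protocol_min, effective_min_code and version_name are names chosen for this example. TLS_PROTOCOL_MIN is parsed in the "<major>.<minor>" form ldap.conf uses (3.2 = TLSv1.1), which is also the (major << 8 | minor) encoding of the NSS constants.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Protocol version codes, values as defined in NSS's sslproto.h. */
#define SSL_LIBRARY_VERSION_3_0      0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0  0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1  0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2  0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3  0x0304

/* Same shape as NSS's SSLVersionRange (min/max protocol codes). */
typedef struct {
    unsigned short min;
    unsigned short max;
} version_range;

/* Version-to-name table, extended up to TLSv1.3 as the report mentions. */
static const struct { unsigned short code; const char *name; } version_names[] = {
    { SSL_LIBRARY_VERSION_3_0,     "SSLv3"   },
    { SSL_LIBRARY_VERSION_TLS_1_0, "TLSv1.0" },
    { SSL_LIBRARY_VERSION_TLS_1_1, "TLSv1.1" },
    { SSL_LIBRARY_VERSION_TLS_1_2, "TLSv1.2" },
    { SSL_LIBRARY_VERSION_TLS_1_3, "TLSv1.3" },
};

const char *version_name(unsigned short code)
{
    size_t i;
    for (i = 0; i < sizeof version_names / sizeof version_names[0]; i++)
        if (version_names[i].code == code)
            return version_names[i].name;
    return "unknown";
}

/* Parse TLS_PROTOCOL_MIN in "<major>.<minor>" form (e.g. "3.2" for TLSv1.1)
 * into (major << 8 | minor), which coincides with the NSS codes above.
 * Returns 0 when the option is unset (NULL/empty) and -1 when it is malformed. */
int parse_protocol_min(const char *s)
{
    char *end;
    long major, minor;
    if (s == NULL || *s == '\0') return 0;
    major = strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    minor = strtol(end + 1, &end, 10);
    if (*end != '\0' || major < 1 || major > 255 || minor < 0 || minor > 255) return -1;
    return (int)((major << 8) | minor);
}

/* Start from the range the library supports (in the real code: what
 * SSL_VersionRangeGetSupported() reports) and raise its minimum to the
 * configured value. protocol_min == 0 leaves the library default untouched,
 * which is exactly the SSLv3/TLS1.0 behaviour the report complains about.
 * Returns -1 if the configured minimum is malformed or exceeds the library max. */
int apply_protocol_min(const version_range *supported, int protocol_min, version_range *out)
{
    *out = *supported;
    if (protocol_min < 0) return -1;
    if (protocol_min == 0) return 0;
    if (protocol_min > supported->max) return -1;
    if (protocol_min > out->min) out->min = (unsigned short)protocol_min;
    return 0;
}

/* Convenience driver: parse + apply, returning the effective minimum code
 * (what would then be handed to SSL_VersionRangeSetDefault()) or -1 on error. */
int effective_min_code(unsigned short sup_min, unsigned short sup_max, const char *protocol_min)
{
    version_range supported, out;
    supported.min = sup_min;
    supported.max = sup_max;
    if (apply_protocol_min(&supported, parse_protocol_min(protocol_min), &out) != 0)
        return -1;
    return out.min;
}

int main(void)
{
    /* Constructed: the range a library supporting SSLv3 through TLSv1.2 would report. */
    version_range supported = { SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_2 };
    const char *settings[] = { NULL, "3.2", "3.4", "3.x" };
    size_t i;

    for (i = 0; i < sizeof settings / sizeof settings[0]; i++) {
        const char *label = settings[i] ? settings[i] : "(unset)";
        int m = effective_min_code(supported.min, supported.max, settings[i]);
        if (m < 0)
            printf("TLS_PROTOCOL_MIN=%s: rejected\n", label);
        else
            printf("TLS_PROTOCOL_MIN=%s: range %s..%s\n", label,
                   version_name((unsigned short)m), version_name(supported.max));
    }
    return 0;
}
```

Two cases are worth noting: a minimum above the library's maximum (3.4 against a TLSv1.2-only NSS) is rejected rather than silently clamped down, since clamping would reconnect with a weaker protocol than the administrator asked for; and a malformed value is distinguished from an unset one, so a typo in ldap.conf does not quietly fall back to the SSLv3 default.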