[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN

Full_Name: Mark Reynolds
Version: 2.4.40
OS: Fedora 20
URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
Submission from: (NULL) (

Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.  mozNSS
defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a client only
supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.

ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*


LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b ""
-s base objectclass=*

The fix is to grab the supported version range from NSS, adjust the minimum
range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
min and max versions.

Also updated the NSS version string map table to support up to TLSv1.3