
Re: (ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN



mreynolds@redhat.com wrote:
> Full_Name: Mark Reynolds
> Version: 2.4.40
> OS: Fedora 20
> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
> Submission from: (NULL) (174.60.44.17)
>
>
> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.  mozNSS
> defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a client only
> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.
>
> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>
> or
>
> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b ""
> -s base objectclass=*
>
> The fix is to grab the supported version range from NSS, adjust the minimum
> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
> min and max versions.

Thanks for the patch. I'm concerned because I see you adding MozNSS 
constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap 
values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may 
well be identical values. But please make sure, and add a comment to 
that effect, so that it's clear that setting lt_protocol_min is actually 
doing what's expected.
>
> Also updated the NSS version string map table to support up to TLSv1.3

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
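The report above describes the fix as: read the supported version range from NSS, raise its minimum when TLS_PROTOCOL_MIN is set, then hand the result back to NSS as the default range. Howard's follow-up asks whether the libldap constants (LDAP_OPT_X_TLS_PROTOCOL_*) and the NSS constants (SSL_LIBRARY_VERSION_*) actually hold the same values. The C below is an added example, not the submitted patch or OpenLDAP code: it reproduces both constant families as the author recalls them from ldap.h and sslproto.h (verify against the installed headers), converts between them with an explicit table instead of relying on the values coinciding, parses the `LDAPTLS_PROTOCOL_MIN=3.2` form from the report, and clamps the requested minimum into a supported range. The `VersionRange` struct stands in for NSS's SSLVersionRange, and the range would in real code come from `SSL_VersionRangeGetSupported` and go to `SSL_VersionRangeSetDefault`; those calls are deliberately left out so the logic runs without libnss.

```c
/* Added example: mapping libldap TLS_PROTOCOL_MIN onto an NSS version
 * range.  Constant values are reproduced from ldap.h / sslproto.h as
 * recalled by the author; check them against the real headers. */
#include <stdio.h>
#include <stdint.h>

/* libldap encoding, as in ldap.h: (major << 8) + minor */
#define LDAP_OPT_X_TLS_PROTOCOL(maj,min) (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3   LDAP_OPT_X_TLS_PROTOCOL(3,0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 LDAP_OPT_X_TLS_PROTOCOL(3,1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 LDAP_OPT_X_TLS_PROTOCOL(3,2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 LDAP_OPT_X_TLS_PROTOCOL(3,3)

/* NSS wire-version constants, as in sslproto.h */
#define SSL_LIBRARY_VERSION_3_0     0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3 0x0304

/* Stand-in for NSS's SSLVersionRange (min/max wire versions). */
typedef struct { uint16_t min; uint16_t max; } VersionRange;

/* Parse the "maj.min" syntax of LDAPTLS_PROTOCOL_MIN (e.g. "3.2" -> TLS 1.1)
 * into the libldap encoding.  Returns 0 on success, -1 on malformed input. */
int parse_protocol_min(const char *s, int *out) {
    int maj, min;
    if (sscanf(s, "%d.%d", &maj, &min) != 2 || maj < 0 || min < 0 || maj > 255 || min > 255)
        return -1;
    *out = LDAP_OPT_X_TLS_PROTOCOL(maj, min);
    return 0;
}

/* Explicit translation table: this is the "comment to that effect" made
 * executable.  Even if the two families turn out identical, converting
 * here keeps the dependency visible.  Returns 0 on success, -1 if the
 * libldap value has no NSS counterpart. */
int ldap_to_nss_version(int ldap_proto, uint16_t *out) {
    switch (ldap_proto) {
    case LDAP_OPT_X_TLS_PROTOCOL_SSL3:   *out = SSL_LIBRARY_VERSION_3_0;     return 0;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_0: *out = SSL_LIBRARY_VERSION_TLS_1_0; return 0;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_1: *out = SSL_LIBRARY_VERSION_TLS_1_1; return 0;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_2: *out = SSL_LIBRARY_VERSION_TLS_1_2; return 0;
    case LDAP_OPT_X_TLS_PROTOCOL(3,4):   *out = SSL_LIBRARY_VERSION_TLS_1_3; return 0; /* TLS1_3 in newer ldap.h */
    default: return -1;
    }
}

/* Answer to the question in the reply: do the two constant families coincide? */
int constants_identical(void) {
    return LDAP_OPT_X_TLS_PROTOCOL_SSL3   == SSL_LIBRARY_VERSION_3_0
        && LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 == SSL_LIBRARY_VERSION_TLS_1_0
        && LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 == SSL_LIBRARY_VERSION_TLS_1_1
        && LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 == SSL_LIBRARY_VERSION_TLS_1_2;
}

/* The step the report describes: start from the range NSS supports
 * (what SSL_VersionRangeGetSupported would return), raise the minimum
 * to TLS_PROTOCOL_MIN when it is set (protocol_min == 0 means unset),
 * and produce the range to pass to SSL_VersionRangeSetDefault.
 * Never lowers the minimum below what the library supports; fails with
 * -1 when the requested minimum is unknown or above the supported maximum. */
int compute_default_range(VersionRange supported, int protocol_min, VersionRange *out) {
    uint16_t nss_min;
    *out = supported;
    if (protocol_min == 0)
        return 0;
    if (ldap_to_nss_version(protocol_min, &nss_min) != 0)
        return -1;
    if (nss_min > supported.max)
        return -1;              /* no version satisfies the floor: refuse rather than silently ignore */
    if (nss_min > out->min)
        out->min = nss_min;
    return 0;
}

int main(void) {
    VersionRange supported = { SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_2 }; /* constructed sample */
    VersionRange r;
    int pm = 0;
    printf("constants identical: %s\n", constants_identical() ? "yes" : "no");
    if (parse_protocol_min("3.2", &pm) == 0 && compute_default_range(supported, pm, &r) == 0)
        printf("LDAPTLS_PROTOCOL_MIN=3.2 -> range 0x%04x..0x%04x\n", r.min, r.max);
    return 0;
}
```

With a supported range of SSLv3 through TLS 1.2, `LDAPTLS_PROTOCOL_MIN=3.2` yields 0x0302..0x0303, i.e. TLS 1.1 and up, which is the behaviour the report expects; an unset minimum leaves the library range untouched, and a floor above the supported maximum is reported as an error instead of being dropped.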