[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN

Mark Reynolds wrote:
> On 11/12/2014 04:56 PM, Howard Chu wrote:
>> mreynolds@redhat.com wrote:
>>> Full_Name: Mark Reynolds
>>> Version: 2.4.40
>>> OS: Fedora 20
>>> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
>>> Submission from: (NULL) (
>>> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.
>>> mozNSS
>>> defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a
>>> client only
>>> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect
>>> over SSL.
>>> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base
>>> objectclass=*
>>> or
>>> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H
>>> "ldaps://localhost.localdomain:636" -b ""
>>> -s base objectclass=*
>>> The fix is to grab the supported version range from NSS, adjust the
>>> minimum
>>> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range
>>> with the
>>> min and max versions.
>> Thanks for the patch. I'm concerned because I see you adding MozNSS
>> constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap
>> values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may
>> well be identical values. But please make sure, and add a comment to
>> that effect, so that it's clear that setting lt_protocol_min is
>> actually doing what's expected.
> Thanks for the feedback Howard.  Yes, the SSL versions are the same in
> NSS & openldap.  I have uploaded a new patch with the requested
> comments:  mark-reynolds-141113.patch

Thanks, committed to master.

> On a side note, we are pushing the NSS team to update the NSS API to
> provide the SSL version to version string mapping.  So we will be able
> to  remove the hardcoded map(pvers) in openldap once this get addressed.

Great. Nice to see they're finally addressing their usability issues.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/