(ITS#8904) Cannot enable SSL3 when disabled by default in OpenSSL
Full_Name: Matus Honek
Version: 2.4.46
OS: Fedora 28
URL: ftp://ftp.openldap.org/incoming/Matus-Honek-180821.patch
Submission from: (NULL) (213.175.37.10)
When SSL3 is disabled by default in OpenSSL (SSL_OP_NO_SSLv3 is set by default, as in
recent Fedora distributions), the current OpenLDAP code makes it impossible to have it
re-enabled using the TLS_PROTOCOL_MIN configuration option.

The attached patch explicitly clears the SSL_OP_NO_SSLv3 option when TLS_PROTOCOL_MIN is
set, so that SSL3 should be enabled. Feel free to use it; I believe IPR should not be
necessary for a one-liner.

However, in the future, when more protocols are disabled by default (possibly soon for
TLS1.0 and TLS1.1), similar fixes will be needed for those as well. Alternatively, it may
be decided not to support the protocols that are disabled by default, but in that case a
log message should probably be issued when a user tries to enable a protocol that is
disabled by default.
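An added example (not the reporter's patch or OpenLDAP's code) modelling the option handling the report describes: a routine that only ever sets NO_* bits below the configured minimum can never undo a NO_SSLv3 bit already present in the defaults, whereas clearing the bit for every protocol at or above the minimum can, and reporting which bits were cleared gives the caller the log message the report suggests. It generalises the reporter's one-protocol fix to every protocol; the enum, the option bit values and DEFAULT_OPTIONS are constructed stand-ins, not OpenSSL's SSL_OP_* values.

```c
#include <stdint.h>
#include <stdio.h>
/* Protocol versions in ascending order, standing in for the values TLS_PROTOCOL_MIN
 * can take (constructed for this example, not OpenLDAP's own definitions). */
enum proto { PROTO_SSL3 = 0, PROTO_TLS1_0, PROTO_TLS1_1, PROTO_TLS1_2, PROTO_COUNT };
/* One "NO_<protocol>" bit per version, modelled on SSL_OP_NO_* with constructed values. */
static const uint32_t NO_BIT[PROTO_COUNT] = { 1u << 0, 1u << 1, 1u << 2, 1u << 3 };
static const char *PROTO_NAME[PROTO_COUNT] = { "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2" };
/* Distribution default as in the report: SSLv3 disabled before any config is applied. */
static const uint32_t DEFAULT_OPTIONS = 1u << 0;

/* Set-only handling: adds NO_* bits below the minimum but never removes one, so a
 * NO_SSLv3 bit inherited from the defaults survives TLS_PROTOCOL_MIN=SSL3. */
uint32_t apply_min_set_only(uint32_t opts, enum proto min) {
    for (int p = 0; p < (int)min; p++) opts |= NO_BIT[p];
    return opts;
}

/* The reporter's fix generalised to every protocol: set NO_* below the minimum, clear
 * it at or above. Cleared bits come back in *reenabled so the caller can log that a
 * default-disabled protocol was turned back on, as the report suggests. */
uint32_t apply_min_with_clear(uint32_t opts, enum proto min, uint32_t *reenabled) {
    uint32_t before = opts;
    for (int p = 0; p < PROTO_COUNT; p++) {
        if (p < (int)min)
            opts |= NO_BIT[p];
        else
            opts &= ~NO_BIT[p];
    }
    *reenabled = before & ~opts;   /* set before, cleared now */
    return opts;
}
/* Lowest protocol the option set actually permits, or -1 if all are disabled. */
int effective_min(uint32_t opts) {
    for (int p = 0; p < PROTO_COUNT; p++)
        if (!(opts & NO_BIT[p])) return p;
    return -1;
}
int main(void) {
    uint32_t reenabled = 0;
    uint32_t o1 = apply_min_set_only(DEFAULT_OPTIONS, PROTO_SSL3);
    uint32_t o2 = apply_min_with_clear(DEFAULT_OPTIONS, PROTO_SSL3, &reenabled);
    printf("set-only:   effective minimum %s\n", PROTO_NAME[effective_min(o1)]); /* TLSv1.0 */
    printf("with-clear: effective minimum %s\n", PROTO_NAME[effective_min(o2)]); /* SSLv3 */
    for (int p = 0; p < PROTO_COUNT; p++)
        if (reenabled & NO_BIT[p])
            printf("warning: %s is disabled by default but was re-enabled\n", PROTO_NAME[p]);
    return 0;
}
```

The set-only run shows the silent failure the report describes (SSLv3 requested, TLSv1.0 effective); the with-clear run honours the setting and surfaces a warning that a default-disabled protocol was re-enabled.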