Full_Name: Tim Strobell
Version: HEAD
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)

When using NSS, the default cipher suite selection is used even when TLSCipherSuite is explicitly specified. This behavior was introduced in the patch provided in ITS#6790.

At tls_m.c:2221...

    if ( lt->lt_ciphersuite &&
         tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
        [ error, return ]
    } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
        [ error, return ]
    }

tlsm_parse_ciphers returns 0 on success; the else path is always followed and overrides the previous cipher suite selection.

The patch is fine. I was just about to send exactly the same. We have a report in our bugzilla for this.

On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
> Full_Name: Tim Strobell
> Version: HEAD
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>
>
> When using NSS, the default cipher suite selection is used even when
> TLSCipherSuite is explicitly specified. This behavior was introduced in the
> patch provided in ITS#6790.
>
> At tls_m.c:2221...
>
>     if ( lt->lt_ciphersuite &&
>          tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>         [ error, return ]
>     } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>         [ error, return ]
>     }
>
> tlsm_parse_ciphers returns 0 on success; the else path is always followed
> and overrides the previous cipher suite selection.

jvcelak@redhat.com wrote:
> The patch is fine. I was just about to send exactly the same. We have a
> report in our bugzilla for this.

Thanks for the confirmation, fixed now in master.

>
> On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:
>> Full_Name: Tim Strobell
>> Version: HEAD
>> OS: RHEL6
>> URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch
>> Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)
>>
>>
>> When using NSS, the default cipher suite selection is used even when
>> TLSCipherSuite is explicitly specified. This behavior was introduced in the
>> patch provided in ITS#6790.
>>
>> At tls_m.c:2221...
>>
>>     if ( lt->lt_ciphersuite &&
>>          tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
>>         [ error, return ]
>>     } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
>>         [ error, return ]
>>     }
>>
>> tlsm_parse_ciphers returns 0 on success; the else path is always followed
>> and overrides the previous cipher suite selection.
>
>
> --

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

changed notes changed state Open to Test moved from Incoming to Software Bugs
changed notes changed state Test to Release
changed notes changed state Release to Closed
fixed in master fixed in RE24
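
The control flow quoted in the report, reproduced as an added illustration (not code from OpenLDAP or from the submitted patch). `tlsm_parse_ciphers` is replaced here by a stub that keeps the 0-on-success convention; `mock_ctx`, `select_buggy`, `select_fixed`, `honours_config` and the sample suite string are hypothetical names and values. `select_fixed` is one way to structure the selection and is not necessarily what the patch does.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the NSS context: records the last cipher string applied. */
struct mock_ctx { char applied[64]; int calls; };

/* Stub keeping the convention from the report: returns 0 on success. */
static int tlsm_parse_ciphers(struct mock_ctx *ctx, const char *str)
{
    if (str == NULL || *str == '\0')
        return -1;
    snprintf(ctx->applied, sizeof ctx->applied, "%s", str);
    ctx->calls++;
    return 0;
}

/* Control flow as quoted in the report: a successful parse (0) makes the
 * first condition false, so the "DEFAULT" branch runs and overwrites it. */
static int select_buggy(struct mock_ctx *ctx, const char *lt_ciphersuite)
{
    if (lt_ciphersuite && tlsm_parse_ciphers(ctx, lt_ciphersuite)) {
        return -1;
    } else if (tlsm_parse_ciphers(ctx, "DEFAULT")) {
        return -1;
    }
    return 0;
}

/* Assumed restructuring: fall back to "DEFAULT" only when nothing is set. */
static int select_fixed(struct mock_ctx *ctx, const char *lt_ciphersuite)
{
    const char *suite = lt_ciphersuite ? lt_ciphersuite : "DEFAULT";
    return tlsm_parse_ciphers(ctx, suite) ? -1 : 0;
}

typedef int (*selector_fn)(struct mock_ctx *, const char *);

/* Returns 1 when the suite left in effect is the one that was configured. */
static int honours_config(selector_fn select, const char *configured)
{
    struct mock_ctx ctx = { "", 0 };
    if (select(&ctx, configured) != 0)
        return 0;
    return strcmp(ctx.applied, configured) == 0;
}

int main(void)
{
    const char *cfg = "HIGH:!aNULL"; /* constructed sample TLSCipherSuite value */
    printf("buggy honours config: %d\n", honours_config(select_buggy, cfg));
    printf("fixed honours config: %d\n", honours_config(select_fixed, cfg));
    return 0;
}
```

Because the buggy path returns success, a deployment that restricts TLSCipherSuite gets no error; the mismatch only shows up by inspecting which suite is actually negotiated.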