Issue 7979 - mozNSS does not process TLS_PROTOCOL_MIN
Summary: mozNSS does not process TLS_PROTOCOL_MIN
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.40
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-12 19:05 UTC by mreynolds@redhat.com
Modified: 2014-12-11 01:01 UTC

See Also:


Description mreynolds@redhat.com 2014-11-12 19:05:57 UTC
Full_Name: Mark Reynolds
Version: 2.4.40
OS: Fedora 20
URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
Submission from: (NULL) (174.60.44.17)


Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.  mozNSS
defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a client only
supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.

ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*

or 

LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*

The fix is to grab the supported version range from NSS, adjust the minimum
range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
min and max versions.

Also updated the NSS version string map table to support up to TLSv1.3
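The range adjustment the report describes, written out as an added example. This is not the submitted patch and not OpenLDAP or NSS code; it only models the logic. The LDAP_OPT_X_TLS_PROTOCOL_* and SSL_LIBRARY_VERSION_* constants are copied here from ldap.h and NSS's sslproto.h as assumptions so the block builds without either library, the "supported" range in main() is a constructed stand-in for what NSS would report, and the real NSS calls (SSL_VersionRangeGetSupported / SSL_VersionRangeSetDefault) are only named in comments. The typedef checks turn the constant equivalence Howard asks about below into a compile-time assertion, and the function refuses a TLS_PROTOCOL_MIN above the library's ceiling instead of silently keeping the SSLv3 default.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

/* libldap encoding of a TLS version, (major << 8) + minor, as in ldap.h.
 * TLS_PROTOCOL_MIN "3.2" therefore means TLS 1.1. (Copied as assumptions.) */
#define LDAP_OPT_X_TLS_PROTOCOL(maj, min)  (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3        LDAP_OPT_X_TLS_PROTOCOL(3, 0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0      LDAP_OPT_X_TLS_PROTOCOL(3, 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1      LDAP_OPT_X_TLS_PROTOCOL(3, 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2      LDAP_OPT_X_TLS_PROTOCOL(3, 3)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3      LDAP_OPT_X_TLS_PROTOCOL(3, 4)

/* NSS encoding (sslproto.h): the on-the-wire version number. (Assumed.) */
#define SSL_LIBRARY_VERSION_3_0      0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0  0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1  0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2  0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3  0x0304

/* The patch stores NSS constants in a field that holds libldap values.
 * Make that equivalence a build-time check rather than a comment: the
 * array size goes negative, and compilation fails, if they ever diverge. */
typedef char ldap_nss_tls_1_1_same[(LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 == SSL_LIBRARY_VERSION_TLS_1_1) ? 1 : -1];
typedef char ldap_nss_tls_1_2_same[(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 == SSL_LIBRARY_VERSION_TLS_1_2) ? 1 : -1];
typedef char ldap_nss_tls_1_3_same[(LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 == SSL_LIBRARY_VERSION_TLS_1_3) ? 1 : -1];

/* Stand-in for NSS's SSLVersionRange {min, max}. */
typedef struct { unsigned short min; unsigned short max; } tls_version_range;

/* Parse "major.minor" (the TLS_PROTOCOL_MIN / LDAPTLS_PROTOCOL_MIN syntax).
 * Returns the libldap-encoded version, or -1 for anything malformed. */
int tls_parse_protocol_min(const char *s)
{
    char *end;
    unsigned long maj, min;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    maj = strtoul(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    min = strtoul(end + 1, &end, 10);
    if (*end != '\0' || maj > 255 || min > 255)
        return -1;
    return LDAP_OPT_X_TLS_PROTOCOL(maj, min);
}

/* The fix's logic: start from the range the library supports, raise the
 * floor to protocol_min when one is configured (protocol_min <= 0 means
 * unset), and refuse a range whose floor is above the ceiling instead of
 * silently keeping the old SSLv3 default. Returns 0 on success, -1 otherwise. */
int tls_apply_protocol_min(const tls_version_range *supported, int protocol_min,
                           tls_version_range *out)
{
    *out = *supported;
    if (protocol_min > 0 && (unsigned short)protocol_min > out->min)
        out->min = (unsigned short)protocol_min;
    if (out->min > out->max)
        return -1;
    return 0;
}

/* Convenience wrapper: the effective minimum for a config string against a
 * supported range, or -1 if the string is bad or the range would be empty. */
int tls_effective_min(const char *protocol_min, unsigned short sup_min,
                      unsigned short sup_max)
{
    tls_version_range supported = { sup_min, sup_max }, out;
    int want = protocol_min ? tls_parse_protocol_min(protocol_min) : 0;

    if (protocol_min && want < 0)
        return -1;
    if (tls_apply_protocol_min(&supported, want, &out) != 0)
        return -1;
    return out.min;
}

int main(void)
{
    /* Constructed stand-in for what SSL_VersionRangeGetSupported() would
     * report: SSL 3.0 through TLS 1.2. With NSS linked in, the real code
     * would call SSL_VersionRangeGetSupported(ssl_variant_stream, &supported)
     * here and SSL_VersionRangeSetDefault(ssl_variant_stream, &out) after
     * the adjustment. */
    tls_version_range supported = { SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_2 };
    const char *configs[] = { NULL, "3.2", "3.4", "tls1.2" };
    size_t i;

    for (i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        int r = tls_effective_min(configs[i], supported.min, supported.max);
        const char *label = configs[i] ? configs[i] : "(unset)";
        if (r < 0)
            printf("TLS_PROTOCOL_MIN=%s: rejected (unparsable or above the supported maximum)\n", label);
        else
            printf("TLS_PROTOCOL_MIN=%s: NSS default range 0x%04x..0x%04x\n", label, r, supported.max);
    }
    return 0;
}
```

Rejecting an out-of-range minimum matters for the scenario in the report: a client configured for "3.4" against a library that stops at TLS 1.2 should fail loudly at configuration time, not negotiate SSLv3 because the setting was ignored.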
Comment 1 Howard Chu 2014-11-12 21:56:47 UTC
mreynolds@redhat.com wrote:
> Full_Name: Mark Reynolds
> Version: 2.4.40
> OS: Fedora 20
> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
> Submission from: (NULL) (174.60.44.17)
>
>
> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.  mozNSS
> defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a client only
> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.
>
> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>
> or
>
> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b ""
> -s base objectclass=*
>
> The fix is to grab the supported version range from NSS, adjust the minimum
> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
> min and max versions.

Thanks for the patch. I'm concerned because I see you adding MozNSS 
constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap 
values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may 
well be identical values. But please make sure, and add a comment to 
that effect, so that it's clear that setting lt_protocol_min is actually 
doing what's expected.
>
> Also updated the NSS version string map table to support up to TLSv1.3

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Mark Reynolds 2014-11-13 15:01:05 UTC
On 11/12/2014 04:56 PM, Howard Chu wrote:
> mreynolds@redhat.com wrote:
>> Full_Name: Mark Reynolds
>> Version: 2.4.40
>> OS: Fedora 20
>> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
>> Submission from: (NULL) (174.60.44.17)
>>
>>
>> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code. 
>> mozNSS
>> defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a
>> client only
>> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect
>> over SSL.
>>
>> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base
>> objectclass=*
>>
>> or
>>
>> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H
>> "ldaps://localhost.localdomain:636" -b ""
>> -s base objectclass=*
>>
>> The fix is to grab the supported version range from NSS, adjust the
>> minimum
>> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range
>> with the
>> min and max versions.
>
> Thanks for the patch. I'm concerned because I see you adding MozNSS
> constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap
> values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may
> well be identical values. But please make sure, and add a comment to
> that effect, so that it's clear that setting lt_protocol_min is
> actually doing what's expected.
Thanks for the feedback Howard.  Yes, the SSL versions are the same in
NSS & openldap.  I have uploaded a new patch with the requested
comments:  mark-reynolds-141113.patch

On a side note, we are pushing the NSS team to update the NSS API to
provide the SSL version to version string mapping.  So we will be able
to remove the hardcoded map(pvers) in openldap once this gets addressed.

Regards,
Mark
>>
>> Also updated the NSS version string map table to support up to TLSv1.3
>


Comment 3 Howard Chu 2014-11-13 15:14:44 UTC
Mark Reynolds wrote:
>
> On 11/12/2014 04:56 PM, Howard Chu wrote:
>> mreynolds@redhat.com wrote:
>>> Full_Name: Mark Reynolds
>>> Version: 2.4.40
>>> OS: Fedora 20
>>> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
>>> Submission from: (NULL) (174.60.44.17)
>>>
>>>
>>> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.
>>> mozNSS
>>> defaults to SSLv3/TLS1.0 which is no longer considered secure.  If a
>>> client only
>>> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect
>>> over SSL.
>>>
>>> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base
>>> objectclass=*
>>>
>>> or
>>>
>>> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H
>>> "ldaps://localhost.localdomain:636" -b ""
>>> -s base objectclass=*
>>>
>>> The fix is to grab the supported version range from NSS, adjust the
>>> minimum
>>> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range
>>> with the
>>> min and max versions.
>>
>> Thanks for the patch. I'm concerned because I see you adding MozNSS
>> constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap
>> values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may
>> well be identical values. But please make sure, and add a comment to
>> that effect, so that it's clear that setting lt_protocol_min is
>> actually doing what's expected.
> Thanks for the feedback Howard.  Yes, the SSL versions are the same in
> NSS & openldap.  I have uploaded a new patch with the requested
> comments:  mark-reynolds-141113.patch

Thanks, committed to master.

> On a side note, we are pushing the NSS team to update the NSS API to
> provide the SSL version to version string mapping.  So we will be able
> to remove the hardcoded map(pvers) in openldap once this gets addressed.

Great. Nice to see they're finally addressing their usability issues.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 4 Howard Chu 2014-11-13 15:30:11 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 5 Quanah Gibson-Mount 2014-12-11 00:53:27 UTC
changed notes
Comment 6 OpenLDAP project 2014-12-11 01:01:14 UTC
committed to master
fixed in RE25
Comment 7 Quanah Gibson-Mount 2014-12-11 01:01:14 UTC
changed notes
changed state Test to Closed