diff --git a/openldap-nss-protocol-version-new-api.patch b/openldap-nss-protocol-version-new-api.patch
new file mode 100644
index 0000000..65cedf3
--- /dev/null
+++ b/openldap-nss-protocol-version-new-api.patch
@@ -0,0 +1,88 @@
+Implement new API for setting TLS protocol version.
+
+The code being deleted has been misplaced and it's effect has been
+mangled by a code later on. This patch puts the code at the correct
+place and introduces some more logging and error checking.
+
+Author: Matus Honek
+RHBZ: #1375432
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
+ }
+ }
+ 
+- /*
+- * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+
+- *
+- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+- */
+- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+- variant = ssl_variant_stream;
+- SSL_VersionRangeSetDefault(variant, &range);
+-
+ NSS_SetDomesticPolicy();
+ 
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
+@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
+ 0, 0, 0 );
+ return -1;
+ }
++ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
++ SSLVersionRange supported_range, default_range, selected_range;
++ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
++ supported_range.min, supported_range.max, 0);
++ }
++ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
++ default_range.min, default_range.max, 0);
++ }
++ selected_range.min = lt->lt_protocol_min;
++ selected_range.max = supported_range.max;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: TLS configured protocol minimal version is %#04x.\n",
++ selected_range.min, selected_range.max, 0);
++ if ( (selected_range.min > supported_range.max) ||
++ (selected_range.max < supported_range.min) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
++ 0, 0, 0);
++ return -1;
++ }
++ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
++ selected_range.min, selected_range.max, 0);
++ }
++ }
++ }
+ 
+ if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
+ Debug( LDAP_DEBUG_ANY,
diff --git a/openldap.spec b/openldap.spec
index e1418c4..737b1c9 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
 Name: openldap
 Version: 2.4.44
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -541,6 +541,10 @@ exit 0
 %{_mandir}/man3/*
 %changelog
+* Fri Jan 20 2017 Matus Honek - 2.4.44-3
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
+- fix: slapd should start after network-online.service (#1336487)
+
 * Sun May 15 2016 Jitka Plesnikova - 2.4.44-2
 - Perl 5.24 rebuild
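Review bot: The range check in the new tlsm_deferred_ctx_init block does not cover the case its message names: `selected_range.max` has just been set to `supported_range.max`, so the clause `(selected_range.max < supported_range.min)` is effectively always false, while a configured minimum below `supported_range.min` (for example a TLSProtocolMin that this NSS build no longer supports) passes the check and only fails later inside `SSL_VersionRangeSet` with the less specific "could not set protocol version range" message. The condition should be `if ( selected_range.min < supported_range.min || selected_range.min > supported_range.max ) {`, and that error Debug would be more useful to an operator if it printed the configured value next to the supported range. The assignment `selected_range.min = lt->lt_protocol_min` also relies on the LDAP_OPT_X_TLS_PROTOCOL_* values being the same encoding as NSS's SSL_LIBRARY_VERSION_* values, which the comment removed in the first hunk stated explicitly; a one-line comment such as `/* LDAP_OPT_X_TLS_PROTOCOL_* values coincide with NSS SSL_LIBRARY_VERSION_* values */` should be carried over to the new location. Minor: the "TLS configured protocol minimal version is %#04x" Debug passes `selected_range.max` as a second argument that its format string does not consume. The enclosing function tlsm_deferred_ctx_init starts and ends outside the hunk.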