
[389-commits] Branch '389-ds-base-1.2.11' - dirsrvtests/tests ldap/schema ldap/servers lib/ldaputil

dirsrvtests/tests/tickets/ticket48798_test.py | 146 ++++++++++++++++++++++++++
ldap/schema/01core389.ldif | 3
ldap/servers/slapd/ssl.c | 73 +++++++++++++
lib/ldaputil/cert.c | 8 +
4 files changed, 228 insertions(+), 2 deletions(-)

New commits:
commit 50910ac7101e2ede6bf8211383dea8d5f00539bd
Author: William Brown <firstyear@redhat.com>
Date: Thu Apr 21 13:36:28 2016 +1000

Ticket 48798 - Enable DS to offer weaker DH params in NSS

Bug Description: Java is unable to handle DH params greater than 1024 bits.
As of NSS 2.20 and higher, NSS defaults to params of 2048 bits. This breaks
all Java clients.

Fix Description: This adds a new option, allowWeakDHParams that allows
nss to generate and use insecure DH params that Java would be capable of
using.

This test case shows the ability to allow weak params, and
that they are indeed 1024 bits

https://fedorahosted.org/389/ticket/48798

Author: wibrown

Review by: nhosoi

diff --git a/dirsrvtests/tests/tickets/ticket48798_test.py b/dirsrvtests/tests/tickets/ticket48798_test.py
new file mode 100644
index 0000000..6872552
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48798_test.py
@@ -0,0 +1,146 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+
+import nss
+
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+# Only works in py2.7
+# from subprocess import check_output
+from subprocess import Popen
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+@pytest.fixture(scope="module")
+def topology(request):
+ # Creating standalone instance ...
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ # Delete each instance in the end
+ def fin():
+ pass
+ #standalone.delete()
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ #standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def check_socket_dh_param_size(hostname, port):
+ ### You know why we have to do this?
+ # Because TLS and SSL suck. Hard. They are impossible. It's all terrible, burn it all down.
+ cmd = "echo quit | openssl s_client -connect {HOSTNAME}:{PORT} -msg -cipher DH | grep -A 1 ServerKeyExchange".format(
+ HOSTNAME=hostname,
+ PORT=port)
+ #output = check_output(cmd, shell=True)
+ p = Popen(cmd, shell=True, stdout=PIPE)
+ (output, _) = p.communicate()
+
+ dhheader = output.split('\n')[1]
+ # Get rid of all the other whitespace.
+ dhheader = dhheader.replace(' ', '')
+ # Example is 0c00040b0100ffffffffffffffffadf8
+ # We need the bits 0100 here. Which means 256 bytes aka 256 * 8, for 2048 bit.
+ dhheader = dhheader[8:12]
+ # make it an int, and times 8
+ i = int(dhheader, 16) * 8
+ return i
+
+
+def test_ticket48798(topology):
+ """
+ Test DH param sizes offered by DS.
+
+ """
+
+ # Create a CA
+ # This is a trick. The nss db that ships with DS is broken fundamentally.
+ ## THIS ASSUMES old nss format. SQLite will bite us!
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topology.standalone.confdir, f ))
+ except:
+ pass
+
+ # Check if the db exists. Should be false.
+ assert(topology.standalone.nss_ssl._db_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.reinit() is True)
+ # Check if the db exists. Should be true
+ assert(topology.standalone.nss_ssl._db_exists() is True)
+
+ # Check if ca exists. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_ca() is True)
+ # Check if ca exists. Should be true
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is True)
+
+ # Check if we have a server cert / key. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Check if server cert and key exist. Should be true.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is True)
+
+ topology.standalone.config.enable_ssl(secport=DEFAULT_SECURE_PORT, secargs={'nsSSL3Ciphers': '+all'} )
+
+ topology.standalone.restart(30)
+
+ # Confirm that we have a connection, and that it has DH
+
+ # Open a socket to the port.
+ # Check the security settings.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 2048)
+
+ # Now toggle the settings.
+ mod = [(ldap.MOD_REPLACE, 'allowWeakDHParam', 'on')]
+ dn_enc = 'cn=encryption,cn=config'
+ topology.standalone.modify_s(dn_enc, mod)
+
+ topology.standalone.restart(30)
+
+ # Check the DH params are less than 1024.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 1024)
+
+ log.info('Test complete')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
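Review bot: `PIPE` is referenced in `p = Popen(cmd, shell=True, stdout=PIPE)` inside check_socket_dh_param_size, but the only subprocess import is `from subprocess import Popen`, so the helper raises NameError unless one of the lib389 star imports happens to re-export that name; change the import to `from subprocess import Popen, PIPE`. The same helper indexes `output.split('\n')[1]` without checking that openssl actually printed a ServerKeyExchange line, so a handshake that negotiates no DH suite (or an openssl that is not on PATH) fails with an IndexError instead of a readable message; an explicit length check with an assertion message before the slice would make the failure diagnosable. The comment `# Check the DH params are less than 1024.` contradicts the `assert(size == 1024)` that follows it; reword to `# Check the DH params are now 1024 bits.`. The bare `except:` around `os.remove` in test_ticket48798 also swallows KeyboardInterrupt and genuine bugs; `except OSError:` expresses the intent of ignoring a missing file.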
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index ba5b0aa..8f366a8 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -155,6 +155,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC
attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2310 NAME 'nsds5ReplicaFlowControlWindow' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
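Review bot: The new `allowWeakDHParam` attribute type is declared without `SINGLE-VALUE`, unlike the neighbouring nsslapd-sasl-max-buffer-size and nsds5ReplicaFlowControl* definitions in this hunk, even though the test in this commit treats it as a single on/off switch; a multi-valued definition lets conflicting values coexist in cn=encryption,cn=config. Consider `attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )`. The DESC could also say what the switch does and that it weakens the TLS DH group, which is the kind of detail an administrator reading the schema would want.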
@@ -170,5 +171,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 529dbc6..fcf7ba9 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -89,6 +89,10 @@
#define NSS_TLS10 1
