Friday, April 1, 2016

[389-commits] ldap/servers

ldap/servers/slapd/ssl.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

New commits:
commit 9b3c2736db71842cfd479530c1172d3df559815d
Author: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri Apr 1 11:13:15 2016 -0700

Ticket #48775 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged.

Description: The config entry cn=encryption,cn=config takes old and new
formats to specify SSL versions.
* old format:
nsSSL3: on|off
nsTLS1: on|off
* new format:
sslVersionMin: <min value, e.g., TLS1.0>
sslVersionMax: <max value, e.g., TLS1.3>
To enable SSLv3, both nsSSL3 needs to be on and sslVersionMin needs to
be set to SSL3. But the current code logs the following warning if nsSSL3
is on, even if sslVersionMin is set higher than SSL3:
Found unsecured configuration: nsSSL3: on; We strongly recommend to
disable nsSSL3 in cn=encryption,cn=config.

Instead, this patch changes the behaviour to log the warning only when
nsSSL3 is on and sslVersionMin is set to lower than or equal to SSL3:
Min value is too low in range: min: SSL3, max: TLS##;
We strongly recommend to set sslVersionMin higher than TLS1.0.

https://fedorahosted.org/389/ticket/48775

Reviewed by mreynolds@redhat.com (Thank you, Mark!!)

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 6a23f80..9c98f7d 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -893,8 +893,6 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.max = enabledNSSVersions.max;
}
if (enableSSL3) {
- slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
- "We strongly recommend to disable nsSSL3 in %s.", configDN);
if (enableTLS1) {
if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
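Review bot: dropping the unconditional nsSSL3 warning here leaves the enableSSL3-without-enableTLS1 path with no replacement inside this hunk; the `if (enableTLS1) {` guard right below means the new "Min value is too low" else branch added further down only runs when TLS1 is also enabled. Please confirm that the else side of that guard (outside this hunk) still warns when slapdNSSVersions.min is at or below SSL3, otherwise the commit message's promise that the warning fires whenever nsSSL3 is on with a low sslVersionMin does not hold for that configuration.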
@@ -902,6 +900,10 @@ restrict_SSLVersionRange(void)
"Respect the supported range.",
mymin, mymax);
enableSSL3 = PR_FALSE;
+ } else {
+ slapd_SSL_warn("Min value is too low in range: min: %s, max: %s; "
+ "We strongly recommend to set sslVersionMin higher than %s.",
+ mymin, mymax, DEFVERSION);
}
if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
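Review bot: the wording of the new else branch does not match the condition it reports on. The test above it accepts `slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION`, so a min equal to DEFVERSION passes, yet the message tells the administrator to set sslVersionMin "higher than %s" with DEFVERSION as the argument. Suggest "%s or higher" (or "at least %s") so the advice matches what the check actually accepts. The branch also intentionally leaves enableSSL3 set, since min is at SSL3; a one-line comment saying so would spare the next reader from wondering whether a `enableSSL3 = PR_FALSE;` was forgotten.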
@@ -928,7 +930,7 @@ restrict_SSLVersionRange(void)
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
} else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) {
- slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
+ slapd_SSL_warn("Min value is too low in range: min: %s, max: %s; "
"We strongly recommend to set sslVersionMin higher than %s.",
mymin, mymax, DEFVERSION);
} else {
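Review bot: after this change the same three-line format string and argument list (mymin, mymax, DEFVERSION) appears twice in restrict_SSLVersionRange(), here and in the else branch added above. Defining it once as a static const string or a small helper would prevent the two messages from drifting apart again, which is exactly the inconsistency ("Too low configured range" vs "Min value is too low in range") this hunk is fixing. The "higher than %s" wording has the same mismatch here as above: the guard is `slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION`, so a min equal to the default is accepted while the message asks for more than that.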

--
389 commits mailing list
http://lists.fedoraproject.org/admin/lists/389-commits@lists.fedoraproject.org
