
Re: (ITS#7979) mozNSS does not process TLS_PROTOCOL_MIN



On 11/12/2014 04:56 PM, Howard Chu wrote:
> mreynolds@redhat.com wrote:
>> Full_Name: Mark Reynolds
>> Version: 2.4.40
>> OS: Fedora 20
>> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
>> Submission from: (NULL) (174.60.44.17)
>>
>>
>> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code.
>> mozNSS defaults to SSLv3/TLS1.0 which is no longer considered secure.
>> If a client only supports TLSv1.1 and up, the openldap ldapsearch will
>> fail to connect over SSL.
>>
>> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>>
>> or
>>
>> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>>
>> The fix is to grab the supported version range from NSS, adjust the
>> minimum range if TLS_PROTOCOL_MIN is set, and then set the NSS default
>> range with the min and max versions.
>
> Thanks for the patch. I'm concerned because I see you adding MozNSS
> constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap
> values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may
> well be identical values. But please make sure, and add a comment to
> that effect, so that it's clear that setting lt_protocol_min is
> actually doing what's expected.
Thanks for the feedback, Howard. Yes, the SSL versions are the same in
NSS & openldap. I have uploaded a new patch with the requested
comments: mark-reynolds-141113.patch

On a side note, we are pushing the NSS team to update the NSS API to
provide the SSL version to version string mapping. So we will be able
to remove the hardcoded map(pvers) in openldap once this gets addressed.

Regards,
Mark
>>
>> Also updated the NSS version string map table to support up to TLSv1.3
>
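The range-setting logic the report describes, and the value identity Howard asks about, as an added example in C that is not part of the submitted patch, of libldap's tls_m.c, or of NSS. To keep it runnable without NSS, the libldap LDAP_OPT_X_TLS_PROTOCOL macro and the NSS SSL_LIBRARY_VERSION_* values and SSLVersionRange struct are copied locally with the values from ldap.h and sslproto.h/sslt.h; the real code would obtain `supported` from SSL_VersionRangeGetSupported() and hand the result to SSL_VersionRangeSetDefault(), neither of which is called here. tls_parse_protocol_min handles only the numeric "major.minor" form shown in the report, and tls_version_name is a stand-in for the map(pvers) table rather than a copy of it.

```c
/* Added example: models TLS_PROTOCOL_MIN handling for the mozNSS backend
 * without linking NSS. Constants below are local copies of the public
 * values in ldap.h (libldap) and sslproto.h (NSS). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* libldap encoding (ldap.h): a protocol version packed as (major << 8) + minor. */
#define LDAP_OPT_X_TLS_PROTOCOL(maj, min)   (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3        LDAP_OPT_X_TLS_PROTOCOL(3, 0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0      LDAP_OPT_X_TLS_PROTOCOL(3, 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1      LDAP_OPT_X_TLS_PROTOCOL(3, 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2      LDAP_OPT_X_TLS_PROTOCOL(3, 3)

/* NSS wire-version constants (sslproto.h) and the range struct (sslt.h),
 * copied locally so this file compiles without NSS headers. */
#define SSL_LIBRARY_VERSION_3_0      0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0  0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1  0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2  0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3  0x0304

typedef struct { uint16_t min; uint16_t max; } SSLVersionRange;

/* Howard's concern, settled at compile time: both libraries encode
 * TLS 1.2 as 0x0303, so lt_protocol_min can be copied into the NSS
 * range directly. The build fails if the two values ever diverge. */
typedef char ldap_nss_tls12_values_must_match
    [(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 == SSL_LIBRARY_VERSION_TLS_1_2) ? 1 : -1];

/* Parse the "major.minor" form used by LDAPTLS_PROTOCOL_MIN (e.g. "3.2")
 * into the packed libldap value. Returns -1 on malformed input. This is
 * a simplified stand-in for libldap's own option parsing. */
int tls_parse_protocol_min(const char *s)
{
    unsigned maj, min;
    char trailing;
    /* exactly two numbers and nothing after them */
    if (s == NULL || sscanf(s, "%u.%u%c", &maj, &min, &trailing) != 2)
        return -1;
    if (maj > 255 || min > 255)
        return -1;
    return LDAP_OPT_X_TLS_PROTOCOL(maj, min);
}

/* The approach the report describes: start from the range NSS supports,
 * raise the minimum to lt_protocol_min when it is set (non-zero), and
 * return the range to pass to SSL_VersionRangeSetDefault(). Returns 0 on
 * success, -1 if the requested floor is above what NSS can offer (a
 * connection could never be negotiated, so refuse rather than silently
 * keep the insecure default). */
int tls_apply_protocol_min(int lt_protocol_min, SSLVersionRange supported,
                           SSLVersionRange *out)
{
    SSLVersionRange r = supported;
    if (lt_protocol_min > 0) {
        if (lt_protocol_min > (int)supported.max)
            return -1;
        if (lt_protocol_min > (int)r.min)
            r.min = (uint16_t)lt_protocol_min;   /* raise, never lower, the floor */
    }
    *out = r;
    return 0;
}

/* Convenience wrapper: effective minimum for a given supported range,
 * or -1 when the request is rejected. */
int tls_effective_min(int lt_protocol_min, uint16_t sup_min, uint16_t sup_max)
{
    SSLVersionRange sup = { sup_min, sup_max }, eff;
    if (tls_apply_protocol_min(lt_protocol_min, sup, &eff) != 0)
        return -1;
    return eff.min;
}

/* Stand-in for the hardcoded map(pvers) version-to-name table the thread
 * mentions (names are assumed, not copied from tls_m.c). NULL if unknown. */
const char *tls_version_name(int pvers)
{
    switch (pvers) {
    case SSL_LIBRARY_VERSION_3_0:     return "SSLv3";
    case SSL_LIBRARY_VERSION_TLS_1_0: return "TLSv1";
    case SSL_LIBRARY_VERSION_TLS_1_1: return "TLSv1.1";
    case SSL_LIBRARY_VERSION_TLS_1_2: return "TLSv1.2";
    case SSL_LIBRARY_VERSION_TLS_1_3: return "TLSv1.3";
    default:                          return NULL;
    }
}

int main(void)
{
    /* Constructed scenario from the report: NSS supports SSLv3..TLSv1.2
     * and the user runs with LDAPTLS_PROTOCOL_MIN=3.2. */
    SSLVersionRange supported = { SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_2 };
    SSLVersionRange eff;
    int pmin = tls_parse_protocol_min("3.2");

    if (tls_apply_protocol_min(pmin, supported, &eff) == 0)
        printf("effective range: %s .. %s\n",
               tls_version_name(eff.min), tls_version_name(eff.max));
    else
        printf("TLS_PROTOCOL_MIN above the maximum NSS supports\n");
    return 0;
}
```

With "3.2" the effective range becomes TLSv1.1..TLSv1.2, which is what lets a client that only speaks TLSv1.1 and up connect; with no TLS_PROTOCOL_MIN the NSS default floor (SSLv3 here) is left untouched, and a floor above the library's maximum is rejected instead of being clamped down.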