ITS#6790
authorQuanah Gibson-Mount <quanah@openldap.org>
Thu, 27 Jan 2011 21:51:48 +0000 (21:51 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Thu, 27 Jan 2011 21:51:48 +0000 (21:51 +0000)
CHANGES
libraries/libldap/tls_m.c

diff --git a/CHANGES b/CHANGES
index 688e60ae05d97995ef22ab3da5a8d556f3517856..e737c1fda740f7917ae2f21628d91fd7b3be47f5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -35,7 +35,8 @@ OpenLDAP 2.4.24 Engineering
        Fixed libldap leak when chasing referrals (ITS#6744)
        Fixed libldap url parsing with NULL host (ITS#6653)
        Fixed libldap ldap_open_internal_connection (ITS#6788)
-       Fixed libldap sync checking for BER errors (ITS#6738)
+       Fixed libldap sync checking for BER errors (ITS#6738)   
+       Fixed libldap MozNSS default cipher suites (ITS#6790)
        Fixed liblutil getpass prompts (ITS#6702)
        Fixed ldapsearch segfault with deref (ITS#6638)
        Fixed ldapsearch multiple controls parsing (ITS#6651)
index d921f6a7a161558ae9528e817920c48446dbb1f2..f7840b26902d7b50df08e49afc1351afdafa8c8a 100644 (file)
@@ -210,7 +210,7 @@ static cipher_properties ciphers_def[] = {
 
        /* SSL3 ciphers */
        {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
-       {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},
+       {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
        {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
        {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
        {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
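Review bot: With RC4-SHA flipped to `SSL_ALLOWED` here (and AES128-SHA/AES256-SHA in the TLSv1 hunk), the allowed set still contains weak rows visible in the context lines: `DES-CBC-SHA` (56-bit, `SSL_LOW`), `EXP-RC4-MD5` (40-bit) and the `EXP1024-*` suites. If the last column is what `tlsm_parse_ciphers( ctx, "DEFAULT" )` enables (the parser is not shown, so this is inferred), the new fallback in `tlsm_deferred_ctx_init` would offer export-grade and single-DES suites whenever no cipher suite is configured. I would set the `SSL_LOW`, `SSL_EXPORT40` and `SSL_EXPORT56` rows to `SSL_NOT_ALLOWED` and document the column above the table, e.g. `/* last field: SSL_ALLOWED rows form the "DEFAULT" set; weak and export suites stay SSL_NOT_ALLOWED */`. `ciphers_def[]` begins above this hunk, so the earlier rows need the same check.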
@@ -221,8 +221,8 @@ static cipher_properties ciphers_def[] = {
        /* TLSv1 ciphers */
        {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
        {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
-       {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},
-       {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},
+       {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+       {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
 };
 
 #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -2004,7 +2004,12 @@ tlsm_deferred_ctx_init( void *arg )
                       "TLS: could not set cipher list %s.\n",
                       lt->lt_ciphersuite, 0, 0 );
                return -1;
-       }
+       } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
+               Debug( LDAP_DEBUG_ANY,
+                      "TLS: could not set cipher list DEFAULT.\n",
+                      0, 0, 0 );
+               return -1;
+       }
 
        if ( ctx->tc_require_cert ) {
                request_cert = PR_TRUE;
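Review bot: The new `else if` may run after a configured cipher list was accepted, not only when none was given. The `if` it attaches to starts above the hunk; if that `if` tests `lt->lt_ciphersuite` and the `tlsm_parse_ciphers()` result in a single condition, a successful parse makes the condition false and control falls into `tlsm_parse_ciphers( ctx, "DEFAULT" )`, which would replace the administrator's restriction with the default set. Guarding the fallback on the unset case avoids that: `} else if ( !lt->lt_ciphersuite && tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {`. A short comment such as `/* no cipher suite configured: fall back to DEFAULT */` would also make the intent explicit.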