ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN

Fix NSS code to check for TLS_PROCOTOL_MIN, and then set the SSL
version range(min and max). Also updated SSL version string map
table to support up to TLSv1.3

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index c1d0c2eefe4384aa03cf437ecdead3e3ed235cf9..f2b4794af13d074c74c94cfd181280a255d056d3 100644 (file)
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1641,6 +1641,8 @@ tlsm_deferred_init( void *arg )
        NSSInitContext *initctx = NULL;
        PK11SlotInfo *certdb_slot = NULL;
 #endif
+       SSLVersionRange range;
+       SSLProtocolVariant variant;
        SECStatus rc;
        int done = 0;
 
@@ -1825,6 +1827,16 @@ tlsm_deferred_init( void *arg )
                        ctx->tc_using_pem = PR_TRUE;
                }
 
+               /*
+                * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
+                *
+                * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+                */
+               SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+               range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+               variant = ssl_variant_stream;
+               SSL_VersionRangeSetDefault(variant, &range);
+
                NSS_SetDomesticPolicy();
 
                PK11_SetPasswordFunc( tlsm_pin_prompt );
@@ -2850,7 +2862,11 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
        return 0;
 }
 
-/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
+/*
+ * Yet again, we're pasting in glue that MozNSS ought to provide itself.
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
 static struct {
        const char *name;
        int num;
@@ -2859,6 +2875,8 @@ static struct {
        { "SSLv3", SSL_LIBRARY_VERSION_3_0 },
        { "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
        { "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+       { "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },
+       { "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },
        { NULL, 0 }
 };