From: Julio Sánchez Fernández <jsanchez@openldap.org>
Date: Thu, 15 Jul 1999 14:59:09 +0000 (+0000)
Subject: New routine tls_report_error to analyze errors from OpenSSL
X-Git-Tag: OPENLDAP_REL_ENG_2_BP~128
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=41de66a0b2df64d9ac492995875e1d40d72fd376;p=openldap

New routine tls_report_error to analyze errors from OpenSSL
Change temporarily the default protocol from TLSv1 to SSLv3 with
fallback to SSLv2.  This seems necessary for slapd to accept connections
from Netscape.
Try to set the cipher list in the default context.  Does not semm to
work yet.
---

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 36ad1257bd..a127834152 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -43,6 +43,7 @@ static int tls_remove( Sockbuf *sb );
 static ber_slen_t tls_read( Sockbuf *sb, void *buf, ber_len_t len );
 static ber_slen_t tls_write( Sockbuf *sb, void *buf, ber_len_t len );
 static int tls_close( Sockbuf *sb );
+static int tls_report_error( void );
 
 static Sockbuf_IO tls_io=
 {
@@ -120,12 +121,19 @@ ldap_pvt_tls_init_def_ctx( void )
 	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
 #endif
 	if ( tls_def_ctx == NULL ) {
-		tls_def_ctx = SSL_CTX_new( TLSv1_method() );
+		tls_def_ctx = SSL_CTX_new( SSLv23_method() );
 		if ( tls_def_ctx == NULL ) {
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not allocate default ctx.\n",0,0,0);
 			goto error_exit;
 		}
+		if ( !SSL_CTX_set_cipher_list( tls_def_ctx,
+			"RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP" ) ) {
+			Debug( LDAP_DEBUG_ANY,
+			       "TLS: could not set cipher list.\n", 0, 0 );
+			tls_report_error();
+			goto error_exit;
+		}
 		if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
 						     tls_opt_cacertfile,
 						     tls_opt_cacertdir ) ||
@@ -286,6 +294,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 			return 1;
 		}
 		Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
+		tls_report_error();
 		ber_pvt_sb_clear_io( sb );
 		ber_pvt_sb_set_io( sb, &ber_pvt_sb_io_tcp, NULL );
 		return -1;
@@ -427,6 +436,7 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 	default:
 		return -1;
 	}
+	return 0;
 }
 
 static int
@@ -474,6 +484,21 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
 	return 1;
 }
 
+/* Inspired by ERR_print_errors in OpenSSL */
+static int
+tls_report_error( void )
+{
+        unsigned long l;
+        char buf[200];
+        const char *file;
+        int line;
+
+        while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
+			Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
+			       ERR_error_string( l, buf ), file, line );
+        }
+}
+
 #else
 static int dummy;
 #endif