From: Mark Reynolds Date: Thu, 13 Nov 2014 14:49:19 +0000 (-0500) Subject: ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=7a7d9419432954cac18a582bed85a7c489d90f00;p=openldap ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN Fix NSS code to check for TLS_PROCOTOL_MIN, and then set the SSL version range(min and max). Also updated SSL version string map table to support up to TLSv1.3
---
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index c1d0c2eefe..f2b4794af1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1641,6 +1641,8 @@ tlsm_deferred_init( void *arg )
 NSSInitContext *initctx = NULL;
 PK11SlotInfo *certdb_slot = NULL;
 #endif
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
 SECStatus rc;
 int done = 0;
@@ -1825,6 +1827,16 @@ tlsm_deferred_init( void *arg )
 ctx->tc_using_pem = PR_TRUE;
 }
+ /*
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+ variant = ssl_variant_stream;
+ SSL_VersionRangeSetDefault(variant, &range);
+
 NSS_SetDomesticPolicy();
 PK11_SetPasswordFunc( tlsm_pin_prompt );
@@ -2850,7 +2862,11 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 return 0;
 }
-/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
+/*
+ * Yet again, we're pasting in glue that MozNSS ought to provide itself.
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
 static struct {
 const char *name;
 int num;
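Review bot: Both NSS calls in the added version-range block return a SECStatus that is never checked: if `SSL_VersionRangeGetSupported` fails, `range` (declared without an initializer in the first hunk) is handed to `SSL_VersionRangeSetDefault` uninitialized, and if `SSL_VersionRangeSetDefault` rejects the range — for instance when `lt_protocol_min` is above the maximum this NSS build supports — the configured TLS_PROTOCOL_MIN is silently dropped and NSS keeps its weaker default floor while the administrator believes the minimum is enforced. Both results should be checked and a failure reported through the function's normal error path; the body of tlsm_deferred_init starts and ends outside the hunk, so the exact convention is not visible here, though elsewhere in tls_m.c it appears to be a Debug() message followed by `return -1`. The `variant` temporary only ever holds `ssl_variant_stream`, so it can be dropped together with its declaration in the first hunk, and the conditional assignment reads more plainly as an `if`.
```c
	/* … unchanged: comment on SSL_LIBRARY_VERSION_TLS_1_* / LDAP_OPT_X_TLS_PROTOCOL_TLS1_* equivalence … */
	if ( SSL_VersionRangeGetSupported( ssl_variant_stream, &range ) != SECSuccess ) {
		/* report via the function's existing error path (Debug() + return -1 elsewhere in this file) */
		return -1;
	}
	if ( lt->lt_protocol_min ) {
		range.min = lt->lt_protocol_min;
	}
	if ( SSL_VersionRangeSetDefault( ssl_variant_stream, &range ) != SECSuccess ) {
		/* requested minimum is outside what this NSS supports: fail rather than keep a weaker floor */
		return -1;
	}
	/* … unchanged: NSS_SetDomesticPolicy(); PK11_SetPasswordFunc( tlsm_pin_prompt ); … */
```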
@@ -2859,6 +2875,8 @@ static struct {
 { "SSLv3", SSL_LIBRARY_VERSION_3_0 },
 { "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
 { "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+ { "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },
+ { "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },
 { NULL, 0 }
 };
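Review bot: `SSL_LIBRARY_VERSION_TLS_1_3` is referenced unconditionally in the new table entry, so the file stops compiling against NSS headers that predate the TLS 1.3 constant, whereas the TLSv1.2 entry uses a constant that has been available far longer. If such NSS releases are still a build target, the entry should be guarded: `#ifdef SSL_LIBRARY_VERSION_TLS_1_3` / `{ "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },` / `#endif`. Being in this name table only means the string parses; whether the resulting minimum is actually honoured depends on SSL_VersionRangeSetDefault accepting it in tlsm_deferred_init, so a TLSv1.3 setting on a library without TLS 1.3 support should surface as a configuration error rather than being silently ignored. The initializer this hunk extends begins in the previous hunk; the hunk starts mid-initializer.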