Rich Megginson [Tue, 16 Aug 2011 18:01:16 +0000 (12:01 -0600)]
ITS#7022 NSS_Init* functions are not thread safe
The NSS_InitContext et. al, and their corresponding shutdown functions,
are not thread safe. There can only be one thread at a time calling
these functions. Protect the calls with a mutex. Create the mutex
using a PR_CallOnce to ensure that the mutex is only created once and
not used before created. Move the registration of the nss shutdown
callback to also use a PR_CallOnce. Removed the call to
SSL_ClearSessionCache() because it is always called at shutdown, and we must
not call it more than once.
Jan Vcelak [Tue, 9 Aug 2011 13:21:34 +0000 (15:21 +0200)]
ITS#7014 TLS: don't check hostname if reqcert is 'allow'
If server certificate hostname does not match the server hostname,
connection is closed even if client has set TLS_REQCERT to 'allow'. This
is wrong - the documentation says, that bad certificates are being
ignored when TLS_REQCERT is set to 'allow'.
If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set. This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.
ITS#7001 MozNSS: free the return of tlsm_find_and_verify_cert_key
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.
Jan Vcelak [Wed, 20 Jul 2011 16:55:33 +0000 (18:55 +0200)]
ITS#6998 MozNSS: when cert not required, ignore issuer expiration
When server certificate is not required in a TLS session (e.g.
TLS_REQCERT is set to 'never'), ignore expired issuer certificate error
and do not terminate the connection.
Rich Megginson [Wed, 29 Jun 2011 16:47:10 +0000 (10:47 -0600)]
ITS#6980 free the result of SSL_PeerCertificate
In tlsm_auth_cert_handler, we get the peer's cert from the socket using
SSL_PeerCertificate. This value is allocated and/or cached. We must
destroy it using CERT_DestroyCertificate.
Rich Megginson [Tue, 21 Jun 2011 00:28:48 +0000 (18:28 -0600)]
ITS#6975 MozNSS - allow cacertdir in most cases
OpenLDAP built with OpenSSL allows most any value of cacertdir - directory
is a file, directory does not contain any CA certs, directory does not
exist - users expect if they specify TLS_REQCERT=never, no matter what
the TLS_CACERTDIR setting is, TLS/SSL will just work.
TLS_CACERT, on the other hand, is a hard error. Even if TLS_REQCERT=never,
if TLS_CACERT is specified and is not a valid CA cert file, TLS/SSL will
fail. This patch makes CACERT errors hard errors, and makes CACERTDIR
errors "soft" errors. The code checks CACERT first and, even though
the function will return an error, checks CACERTDIR anyway so that if the
user sets TRACE mode they will get CACERTDIR processing messages.