From 506961b758c0c4575fbc15f8cdba255259f36524 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 27 Jan 2011 21:51:48 +0000
Subject: [PATCH] ITS#6790

---
 CHANGES                   |  3 ++-
 libraries/libldap/tls_m.c | 13 +++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 688e60ae05..e737c1fda7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -35,7 +35,8 @@ OpenLDAP 2.4.24 Engineering
 	Fixed libldap leak when chasing referrals (ITS#6744)
 	Fixed libldap url parsing with NULL host (ITS#6653)
 	Fixed libldap ldap_open_internal_connection (ITS#6788)
-	Fixed libldap sync checking for BER errors (ITS#6738)
+	Fixed libldap sync checking for BER errors (ITS#6738)	
+	Fixed libldap MozNSS default cipher suites (ITS#6790)
 	Fixed liblutil getpass prompts (ITS#6702)
 	Fixed ldapsearch segfault with deref (ITS#6638)
 	Fixed ldapsearch multiple controls parsing (ITS#6651)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index d921f6a7a1..f7840b2690 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -210,7 +210,7 @@ static cipher_properties ciphers_def[] = {
 
 	/* SSL3 ciphers */
 	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
-	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},
+	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
 	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
 	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
@@ -221,8 +221,8 @@ static cipher_properties ciphers_def[] = {
 	/* TLSv1 ciphers */
 	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
-	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},
-	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},
+	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
 };
 
 #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -2004,7 +2004,12 @@ tlsm_deferred_ctx_init( void *arg )
 		       "TLS: could not set cipher list %s.\n",
 		       lt->lt_ciphersuite, 0, 0 );
 		return -1;
- 	}
+	} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
+ 		Debug( LDAP_DEBUG_ANY,
+		       "TLS: could not set cipher list DEFAULT.\n",
+		       0, 0, 0 );
+		return -1;
+	}
 
 	if ( ctx->tc_require_cert ) {
 		request_cert = PR_TRUE;
-- 
2.39.5