URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: opened

PR body:
"""
It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

https://fedorahosted.org/freeipa/ticket/6607
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From 4980a7bc7270cba3207daa4a5ce18029bec0a5bb Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipapython/nsslib.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..7019867 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,7 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipalib.errors import InvocationError
 
 from nss.error import NSPRError
 import nss.io as io
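Review bot: The new `from ipalib.errors import InvocationError` sits between the ipapython import and the nss imports rather than grouped with the project's own imports; it may be worth moving next to `from ipapython.ipa_log_manager import root_logger` or into a separate project-import group. If ipapython is meant to stay independent of ipalib (this hunk does not show the package layering), this import inverts that dependency direction and a lower-level exception type would be preferable.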
@@ -129,6 +130,52 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
     socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+    tls_versions = [
+        "ssl2",
+        "ssl3",
+        "tls1.0",
+        "tls1.1",
+        "tls1.2"
+    ]
+    # every tls version from `tls_versions` prior to min_allowed_idx
+    # is deprecated in IPA
+    min_allowed_idx = tls_versions.index("ssl3")
+
+    try:
+        min_version_idx = tls_versions.index(tls_version_min)
+    except ValueError:
+        raise InvocationError("API tls_version_min ('{val}') is not a known "
+                              "TLS version.".format(val=tls_version_min))
+
+    try:
+        max_version_idx = tls_versions.index(tls_version_max)
+    except ValueError:
+        raise InvocationError("API tls_version_max ('{val}') is not a known "
+                              "TLS version.".format(val=tls_version_max))
+
+    if min_version_idx > max_version_idx:
+        raise InvocationError("API tls_version_min is higher than "
+                              "tls_version_max.")
+
+    if min_version_idx < min_allowed_idx:
+        min_version_idx = min_allowed_idx
+        root_logger.warning("API tls_version_min set too low ('{old}'),"
+                            "using '{new}' instead"
+                            .format(old=tls_version_min,
+                                    new=tls_versions[min_version_idx]))
+
+    if max_version_idx < min_allowed_idx:
+        max_version_idx = min_version_idx
+        root_logger.warning("API tls_version_max set too low ('{old}'),"
+                            "using '{new}' instead"
+                            .format(old=tls_version_max,
+                                    new=tls_versions[max_version_idx]))
+
+    return tls_versions[min_version_idx:max_version_idx+1]
+
+
 class NSSAddressFamilyFallback(object):
     def __init__(self, family):
         self.sock_family = family
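Review bot: Both warnings in get_proper_tls_version_span concatenate their message pieces without a separator, so the log line reads `...('ssl2'),using 'ssl3' instead`; the fix is a trailing space, `"API tls_version_min set too low ('{old}'), "` and the same for the tls_version_max message. In the tls_version_max branch, `max_version_idx = min_version_idx` is correct only because min_version_idx was already raised to min_allowed_idx by the preceding branch (min <= max was enforced before clamping); writing `max_version_idx = min_allowed_idx` states the intent directly. The function has no docstring; a short one should say it returns the contiguous list of allowed version names from min to max inclusive, raises InvocationError for an unknown name or min > max, and raises a below-'ssl3' endpoint to 'ssl3' with a warning. After this change 'ssl3' remains the accepted floor; if that is deliberate, the commit message or a comment on `min_allowed_idx` should say so.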
@@ -217,8 +264,10 @@ def __init__(self, host, port=None, strict=None,
 
         ssl.set_domestic_policy()
         nss.set_password_callback(self.password_callback)
-        self.tls_version_min = str(tls_version_min)
-        self.tls_version_max = str(tls_version_max)
+        tls_versions = get_proper_tls_version_span(
+            tls_version_min, tls_version_max)
+        self.tls_version_min = tls_versions[0]
+        self.tls_version_max = tls_versions[-1]
 
     def _create_socket(self):
         ssl_enable_renegotiation = getattr(
-- 