[email protected] wrote:
> Full_Name: Mark Reynolds
> Version: 2.4.40
> OS: Fedora 20
> URL: ftp://ftp.openldap.org/incoming/mark-reynolds-141112.patch
> Submission from: (NULL) (174.60.44.17)
>
>
> Currently there is no check for TLS_PROTOCOL_MIN in the mozNSS code. mozNSS
> defaults to SSLv3/TLS1.0 which is no longer considered secure. If a client only
> supports TLSv1.1 and up, the openldap ldapsearch will fail to connect over SSL.
>
> ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>
> or
>
> LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -H "ldaps://localhost.localdomain:636" -b "" -s base objectclass=*
>
> The fix is to grab the supported version range from NSS, adjust the minimum
> range if TLS_PROTOCOL_MIN is set, and then set the NSS default range with the
> min and max versions.
Thanks for the patch. I'm concerned because I see you adding MozNSS constants (SSL_LIBRARY_VERSION_TLS_1_2) in code that expects libldap values (LDAP_OPT_X_TLS_PROTOCOL_TLS1_2). I haven't checked; they may well be identical values. But please make sure, and add a comment to that effect, so that it's clear that setting lt_protocol_min is actually doing what's expected.

> Also updated the NSS version string map table to support up to TLSv1.3

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
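For reference, here is the range adjustment the report describes, written as an added example (not the submitted patch and not OpenLDAP code) with an explicit libldap-to-NSS translation table in place of the assumed equality the reply questions. It reproduces the LDAP_OPT_X_TLS_PROTOCOL_* encoding and the SSL_LIBRARY_VERSION_* values as I know them from ldap.h and NSS's sslproto.h, and a local stand-in for NSS's SSLVersionRange struct so it builds without NSS; verify both against your headers before relying on them.

```c
#include <stdio.h>

/* libldap encoding from ldap.h: (major << 8) + minor */
#define LDAP_OPT_X_TLS_PROTOCOL(maj,min)  (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3      LDAP_OPT_X_TLS_PROTOCOL(3,0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0    LDAP_OPT_X_TLS_PROTOCOL(3,1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1    LDAP_OPT_X_TLS_PROTOCOL(3,2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2    LDAP_OPT_X_TLS_PROTOCOL(3,3)

/* NSS wire-version constants, stand-ins for sslproto.h so this builds without NSS */
#define SSL_LIBRARY_VERSION_3_0      0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0  0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1  0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2  0x0303

typedef struct { unsigned short min, max; } SSLVersionRange;  /* shape of NSS's struct */
/* Translate explicitly rather than assume the two encodings coincide;
 * -1 marks a libldap value NSS cannot express. */
static int ldap_to_nss_version(int lt_protocol_min)
{
    switch (lt_protocol_min) {
    case LDAP_OPT_X_TLS_PROTOCOL_SSL3:   return SSL_LIBRARY_VERSION_3_0;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_0: return SSL_LIBRARY_VERSION_TLS_1_0;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_1: return SSL_LIBRARY_VERSION_TLS_1_1;
    case LDAP_OPT_X_TLS_PROTOCOL_TLS1_2: return SSL_LIBRARY_VERSION_TLS_1_2;
    default: return -1;
    }
}

/* Parse the "3.2" form used by LDAPTLS_PROTOCOL_MIN; 0 means "not set" */
static int parse_protocol_min(const char *s)
{
    int maj, min;
    if (s == NULL || sscanf(s, "%d.%d", &maj, &min) != 2) return 0;
    return LDAP_OPT_X_TLS_PROTOCOL(maj, min);
}

/* The fix as the report describes it: take NSS's current range (in real code
 * from SSL_VersionRangeGetDefault), raise its minimum when TLS_PROTOCOL_MIN is
 * set, and hand it back (to SSL_VersionRangeSetDefault). 0 on success, -1 if not. */
static int apply_protocol_min(SSLVersionRange *range, int lt_protocol_min)
{
    int v;
    if (lt_protocol_min == 0) return 0;          /* not configured: keep NSS defaults */
    v = ldap_to_nss_version(lt_protocol_min);
    if (v < 0 || v > range->max) return -1;      /* unknown, or above what NSS offers */
    if (v > range->min) range->min = (unsigned short)v;
    return 0;
}
```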
