openldap/openldap-nss-cipher-suites.patch

Makes tls_m use the "DEFAULT" list and adds more cipher suites to the default list.

Upstream ITS: #6790
Resolves: #669446
Author: Rich Megginson <rmeggins@redhat.com>

diff -uNrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
--- openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:23:45.326428779 +0100
+++ openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-20 16:25:05.667128309 +0100
@@ -214,7 +214,7 @@ static cipher_properties ciphers_def[] =
 
 	/* SSL3 ciphers */
 	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
-	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},
+	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
 	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
 	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
 	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
@@ -225,8 +225,8 @@ static cipher_properties ciphers_def[] =
 	/* TLSv1 ciphers */
 	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
 	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
-	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},
-	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},
+	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
 };
 
 #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -2016,7 +2016,12 @@ tlsm_deferred_ctx_init( void *arg )
 		       "TLS: could not set cipher list %s.\n",
 		       lt->lt_ciphersuite, 0, 0 );
 		return -1;
- 	}
+	} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
+ 		Debug( LDAP_DEBUG_ANY,
+		       "TLS: could not set cipher list DEFAULT.\n",
+		       0, 0, 0 );
+		return -1;
+	}
 
 	if ( ctx->tc_require_cert ) {
 		request_cert = PR_TRUE;
fix: default encryption strength dropped in switch to using NSS Resolves: #669446 2011-01-20 15:35:38 +00:00			`Makes tls_m use the "DEFAULT" list and adds more cipher suites to the default list.`

			`Upstream ITS: #6790`
			`Resolves: #669446`
			`Author: Rich Megginson <rmeggins@redhat.com>`

			`diff -uNrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c`
			`--- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:23:45.326428779 +0100`
			`+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:25:05.667128309 +0100`
			`@@ -214,7 +214,7 @@ static cipher_properties ciphers_def[] =`

			`/* SSL3 ciphers */`
			`{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA\|SSL_aRSA\|SSL_RC4\|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},`
			`- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA\|SSL_aRSA\|SSL_RC4\|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED},`
			`+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA\|SSL_aRSA\|SSL_RC4\|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},`
			`{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_3DES\|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},`
			`{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_DES\|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},`
			`{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA\|SSL_aRSA\|SSL_RC4\|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},`
			`@@ -225,8 +225,8 @@ static cipher_properties ciphers_def[] =`
			`/* TLSv1 ciphers */`
			`{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_DES\|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},`
			`{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA\|SSL_aRSA\|SSL_RC4\|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},`
			`- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_AES\|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED},`
			`- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_AES\|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED},`
			`+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_AES\|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},`
			`+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA\|SSL_aRSA\|SSL_AES\|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},`
			`};`

			`#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))`
			`@@ -2016,7 +2016,12 @@ tlsm_deferred_ctx_init( void *arg )`
			`"TLS: could not set cipher list %s.\n",`
			`lt->lt_ciphersuite, 0, 0 );`
			`return -1;`
			`- }`
			`+ } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {`
			`+ Debug( LDAP_DEBUG_ANY,`
			`+ "TLS: could not set cipher list DEFAULT.\n",`
			`+ 0, 0, 0 );`
			`+ return -1;`
			`+ }`

			`if ( ctx->tc_require_cert ) {`
			`request_cert = PR_TRUE;`