link against moznss again (#1187742)
Revert "link against openssl by default"
This reverts commit 72da77adb6.
parent
1fb41f2a59
commit
592250ebfb
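--- a/openldap-autoconf-pkgconfig-nss.patch
+++ b/openldap-autoconf-pkgconfig-nss.patch
@@ -0,0 +1,49 @@
+Use pkg-config for Mozilla NSS library detection
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+
+---
+configure.in | 22 +++++-----------------
+1 file changed, 5 insertions(+), 17 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ecffe30..2a9cfb4 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
+fi
+fi
+
+-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
+-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
+-dnl are not in the default system location
+if test $ol_link_tls = no ; then
+if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
+- have_moznss=no
+- AC_CHECK_HEADERS([nssutil.h])
+- if test "$ac_cv_header_nssutil_h" = yes ; then
+- AC_CHECK_LIB([nss3], [NSS_Initialize],
+- [ have_moznss=yes ], [ have_moznss=no ])
+- fi
++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
+
+- if test "$have_moznss" = yes ; then
++ if test $have_moznss = yes ; then
+ol_with_tls=moznss
+ol_link_tls=yes
+- AC_DEFINE(HAVE_MOZNSS, 1,
+- [define if you have MozNSS])
+- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
+- else
+- if test $ol_with_tls = moznss ; then
+- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
+- fi
++ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
++ TLS_LIBS="$MOZNSS_LIBS"
++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
+fi
+fi
+fi
+--
+1.7.11.7
+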
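Review bot: The explicit-request failure path is gone: when `--with-tls=moznss` is given and `PKG_CHECK_MODULES` sets `have_moznss=no`, the new code falls through with `ol_link_tls` still `no` instead of stopping, so unless a later check outside this hunk reports it, configure silently proceeds without MozNSS. Restoring the guard keeps the old behaviour: `else` / `if test $ol_with_tls = moznss ; then AC_MSG_ERROR([MozNSS not found - nss and nspr pkg-config modules are required]) ; fi` before the closing `fi`. `CFLAGS="$CFLAGS $MOZNSS_CFLAGS"` also pushes the NSS include paths into every compilation unit; the removed comment expected the caller to supply them via CPPFLAGS, so appending to CPPFLAGS (where `-I` belongs) or to a TLS-specific variable, if configure.in has one, would be the narrower choice. The surrounding `if test $ol_link_tls = no` block continues outside the hunk.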
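--- a/openldap-nss-allow-certname-with-token-name.patch
+++ b/openldap-nss-allow-certname-with-token-name.patch
@@ -0,0 +1,47 @@
+Accept nss certificate name in the form of tokenname:certnickname
+
+Author: Rich Megginson <rmeggins@redhat.com>
+Upstream ITS: #7360
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 5022efb..7377bb1 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+return 0;
+}
+
++/* returns true if the given string looks like
++ "tokenname" ":" "certnickname"
++ This is true if there is a ':' colon character
++ in the string and the colon is not the first
++ or the last character in the string
++*/
++static int
++tlsm_is_tokenname_certnick( const char *certfile )
++{
++ if ( certfile ) {
++ const char *ptr = PL_strchr( certfile, ':' );
++ return ptr && (ptr != certfile) && (*(ptr+1));
++ }
++ return 0;
++}
++
+static int
+tlsm_deferred_ctx_init( void *arg )
+{
+@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg )
+} else {
+char *tmp_certname;
+
+- if (ctx->tc_certdb_slot) {
++ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
++ /* assume already in form tokenname:certnickname */
++ tmp_certname = PL_strdup(lt->lt_certfile);
++ } else if (ctx->tc_certdb_slot) {
+tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile);
+} else {
+tmp_certname = PR_smprintf("%s", lt->lt_certfile);
+--
+1.7.11.4
+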
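--- a/openldap-nss-certs-from-certdb-fallback-pem.patch
+++ b/openldap-nss-certs-from-certdb-fallback-pem.patch
@@ -0,0 +1,86 @@
+MozNSS: load certificates from certdb, fallback to PEM
+
+If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
+certificate database, the backend assumed that the certificate is always
+located in the certificate database. This assumption might be wrong.
+
+This patch makes the library to try to load the certificate from NSS
+database and fallback to PEM file if unsuccessfull.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7389
+Resolves: #857455
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 6847bea..8339391 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
+/* prefer unlocked key, then key from opened certdb, then any other */
+if ( unlocked_key )
+ctx->tc_private_key = unlocked_key;
+- else if ( ctx->tc_certdb_slot )
++ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
+ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
+else
+ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
+@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
+}
+return -1;
+}
+-
+- ctx->tc_using_pem = PR_TRUE;
+}
+
+NSS_SetDomesticPolicy();
+@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
+
+/* set up our cert and key, if any */
+if ( lt->lt_certfile ) {
+- /* if using the PEM module, load the PEM file specified by lt_certfile */
+- /* otherwise, assume this is the name of a cert already in the db */
+- if ( ctx->tc_using_pem ) {
+- /* this sets ctx->tc_certificate to the correct value */
+- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
+- if ( rc ) {
+- return rc;
+- }
+- } else {
++
++ /* first search in certdb (lt_certfile is nickname) */
++ if ( ctx->tc_certdb ) {
+char *tmp_certname;
+
+if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
+@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
+Debug( LDAP_DEBUG_ANY,
+"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
+lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++ }
++ }
++
++ /* fallback to PEM module (lt_certfile is filename) */
++ if ( !ctx->tc_certificate ) {
++ if ( !pem_module && tlsm_init_pem_module() ) {
++ int pem_errcode = PORT_GetError();
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+return -1;
+}
++
++ /* this sets ctx->tc_certificate to the correct value */
++ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
++ ctx->tc_using_pem = PR_TRUE;
++ }
++ }
++
++ if ( ctx->tc_certificate ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
++ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
++ } else {
++ return -1;
+}
+}
+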
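Review bot: The certdb miss at `Debug( LDAP_DEBUG_ANY, "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", ...` is still logged at the always-on level even though the PEM fallback that now follows may succeed, so a correctly configured PEM setup reports an error on every context initialisation. Since the miss is no longer fatal, that message should drop to `LDAP_DEBUG_TRACE` (or be held back and emitted only when the fallback fails too), and the `"TLS: certificate '%s' successfully loaded from %s.\n"` confirmation is likewise better at TRACE than at `LDAP_DEBUG_ANY`. When `tlsm_add_cert_from_file` fails the function reaches the final `return -1;` with no message of its own; if that helper does not log the cause itself, a Debug line naming `lt->lt_certfile` there would save a round of debugging. `tlsm_deferred_ctx_init` starts and ends outside this hunk.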
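--- a/openldap-nss-default-cipher-suite-always-selected.patch
+++ b/openldap-nss-default-cipher-suite-always-selected.patch
@@ -0,0 +1,34 @@
+MozNSS: default cipher suite always selected
+
+Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
+Upstream ITS: #7285
+Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
+Resolves: #828790
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 23d843c..b608551 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
+return -1;
+}
+
+- if ( lt->lt_ciphersuite &&
+- tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: could not set cipher list %s.\n",
+- lt->lt_ciphersuite, 0, 0 );
+- return -1;
++ if ( lt->lt_ciphersuite ) {
++ if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not set cipher list %s.\n",
++ lt->lt_ciphersuite, 0, 0 );
++ return -1;
++ }
+} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
+Debug( LDAP_DEBUG_ANY,
+"TLS: could not set cipher list DEFAULT.\n",
+--
+1.7.10.4
+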
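--- a/openldap-nss-ignore-certdb-type-prefix.patch
+++ b/openldap-nss-ignore-certdb-type-prefix.patch
@@ -0,0 +1,47 @@
+MozNSS: ignore certdb database type prefix when checking existence of the directory
+
+If the certdb is specified including the database type prefix (e.g.
+sql:, dbm:), the prefix has to be ignored when checking the
+certificate directory existence.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7388
+Resolves: #857373
+
+---
+libraries/libldap/tls_m.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 49a3f8f..5ee21a2 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
+{
+char sep = PR_GetDirectorySeparator();
+char *ptr = NULL;
++ char *chkpath = NULL;
+struct PRFileInfo prfi;
+PRStatus prc;
+
+@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
+return;
+}
+
+- prc = PR_GetFileInfo( certdir, &prfi );
++ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
++ chkpath = strchr( certdir, ':' );
++ if ( chkpath != NULL ) {
++ chkpath += 1;
++ } else {
++ chkpath = certdir;
++ }
++
+/* if certdir exists (file or directory) then it cannot specify a prefix */
++ prc = PR_GetFileInfo( chkpath, &prfi );
+if ( prc == PR_SUCCESS ) {
+return;
+}
+--
+1.7.11.7
+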
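Review bot: `chkpath = certdir;` assigns the `const char *` parameter to the non-const `char *chkpath` declared in the first hunk, discarding the qualifier (a `-Wdiscarded-qualifiers` warning with gcc); since `chkpath` is only read, declare it `const char *chkpath = NULL;`. The detection also treats the first ':' anywhere in `certdir` as the database-type separator, so a directory path that itself contains a colon is checked at the wrong location; limiting the match to a short alphabetic prefix, or to the `sql:`/`dbm:` forms the description names, would be safer. The comment `/* if certdir exists (file or directory) then it cannot specify a prefix */` now describes `chkpath` rather than `certdir` and could say so. `tlsm_get_certdb_prefix` continues outside the hunk.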
1029
openldap-nss-multiple-tls-contexts.patch
Normal file
1029
openldap-nss-multiple-tls-contexts.patch
Normal file
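--- a/openldap-nss-pk11-freeslot.patch
+++ b/openldap-nss-pk11-freeslot.patch
@@ -0,0 +1,23 @@
+Resolves: #929357
+
+Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
+Author: Rich Megginson <rmeggins@redhat.com>
+Date: Thu, 28 Mar 2013 19:05:02 -0600
+Modified by: Jan Synacek <jsynacek@redhat.com>
+
+This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 072d41d..c59d303 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2151,6 +2151,8 @@
+"TLS: could not close certdb slot - error %d:%s.\n",
+errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+}
++ PK11_FreeSlot( c->tc_certdb_slot );
++ c->tc_certdb_slot = NULL;
+}
+if ( c->tc_pin_file ) {
+PL_strfree( c->tc_pin_file );
+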
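--- a/openldap-nss-regex-search-hashed-cacert-dir.patch
+++ b/openldap-nss-regex-search-hashed-cacert-dir.patch
@@ -0,0 +1,91 @@
+MozNSS: better file name matching for hashed CA certificate directory
+
+CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
+should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
+to differentiate between two certificates with the same subject name.
+
+Wit this patch, certificate file names are matched correctly (using regular expressions).
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7374
+Resolves: #852786
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 5e49fc5..61d71d4 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -38,6 +38,7 @@
+#include <ac/unistd.h>
+#include <ac/param.h>
+#include <ac/dirent.h>
++#include <ac/regex.h>
+
+#include "ldap-int.h"
+#include "ldap-tls.h"
+@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
+
+#define PEM_LIBRARY "nsspem"
+#define PEM_MODULE "PEM"
+-/* hash files for use with cacertdir have this file name suffix */
+-#define PEM_CA_HASH_FILE_SUFFIX ".0"
+-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
++#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
+
+static SECMODModule *pem_module;
+
+@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+PRDir *dir;
+PRDirEntry *entry;
+PRStatus fistatus = PR_FAILURE;
++ regex_t hashfile_re;
+
+memset( &fi, 0, sizeof(fi) );
+fistatus = PR_GetFileInfo( cacertdir, &fi );
+@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+goto done;
+}
+
++ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
++ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
++ goto done;
++ }
++
+do {
+entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
+if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
+char *fullpath = NULL;
+- char *ptr;
++ int match;
+
+- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
+- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
++ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
++ if ( match == REG_NOMATCH ) {
+Debug( LDAP_DEBUG_TRACE,
+- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
+- "directory file with a properly hashed file name - skipping.\n",
+- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
++ "TLS: skipping '%s' - filename does not have expected format "
++ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
++ continue;
++ } else if ( match != 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: cannot execute regex for CA hash file matching (%d).\n",
++ match, 0, 0 );
+continue;
+}
++
+fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
+if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
+Debug( LDAP_DEBUG_TRACE,
+@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+PR_smprintf_free( fullpath );
+}
+} while ( NULL != entry );
++ regfree ( &hashfile_re );
+PR_CloseDir( dir );
+}
+done:
+--
+1.7.11.4
+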
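Review bot: `goto done;` on `regcomp` failure jumps past `PR_CloseDir( dir )` at the end of the loop, so if `dir` has already been opened at that point (the `goto done; }` context just above reads like the open-failure check) the directory handle leaks on that path; closing it before the jump, `PR_CloseDir( dir ); goto done;`, or compiling the regex before the directory is opened, avoids it. `regfree` is reached on every normal loop exit, including both `continue` paths, so the compiled regex itself is released correctly. `tlsm_init_ca_certs` starts and ends outside the hunk.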
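--- a/openldap-nss-update-list-of-ciphers.patch
+++ b/openldap-nss-update-list-of-ciphers.patch
@@ -0,0 +1,193 @@
+MozNSS: update list of supported cipher suites
+
+The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7374
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 1422ce2..5e49fc5 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -211,27 +211,34 @@ typedef struct {
+int num; /* The cipher id */
+int attr; /* cipher attributes: algorithms, etc */
+int version; /* protocol version valid for this cipher */
+- int bits; /* bits of strength */
+- int alg_bits; /* bits of the algorithm */
+int strength; /* LOW, MEDIUM, HIGH */
+int enabled; /* Enabled by default? */
+} cipher_properties;
+
+/* cipher attributes */
+-#define SSL_kRSA 0x00000001L
+-#define SSL_aRSA 0x00000002L
+-#define SSL_aDSS 0x00000004L
+-#define SSL_DSS SSL_aDSS
+-#define SSL_eNULL 0x00000008L
+-#define SSL_DES 0x00000010L
+-#define SSL_3DES 0x00000020L
+-#define SSL_RC4 0x00000040L
+-#define SSL_RC2 0x00000080L
+-#define SSL_AES 0x00000100L
+-#define SSL_MD5 0x00000200L
+-#define SSL_SHA1 0x00000400L
+-#define SSL_SHA SSL_SHA1
+-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
++#define SSL_kRSA 0x00000001L
++#define SSL_aRSA 0x00000002L
++#define SSL_RSA (SSL_kRSA|SSL_aRSA)
++#define SSL_aDSA 0x00000004L
++#define SSL_DSA SSL_aDSA
++#define SSL_eNULL 0x00000008L
++#define SSL_DES 0x00000010L
++#define SSL_3DES 0x00000020L
++#define SSL_RC4 0x00000040L
++#define SSL_RC2 0x00000080L
++#define SSL_AES128 0x00000100L
++#define SSL_AES256 0x00000200L
++#define SSL_AES (SSL_AES128|SSL_AES256)
++#define SSL_MD5 0x00000400L
++#define SSL_SHA1 0x00000800L
++#define SSL_kEDH 0x00001000L
++#define SSL_CAMELLIA128 0x00002000L
++#define SSL_CAMELLIA256 0x00004000L
++#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
++#define SSL_SEED 0x00008000L
++#define SSL_kECDH 0x00010000L
++#define SSL_kECDHE 0x00020000L
++#define SSL_aECDSA 0x00040000L
+
+/* cipher strength */
+#define SSL_NULL 0x00000001L
+@@ -248,29 +255,70 @@ typedef struct {
+
+/* Cipher translation */
+static cipher_properties ciphers_def[] = {
+- /* SSL 2 ciphers */
+- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
+- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
+- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-
+- /* SSL3 ciphers */
+- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
+- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
+- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
+- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
++
++ /*
++ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
++ */
++
++ /* SSLv2 ciphers */
++ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED},
++ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED},
++ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
++ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
++ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
++ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
++
++ /* SSLv3 ciphers */
++ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
++ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
++ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
++ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
++ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED},
++ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED},
++ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
++ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
++ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
++ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
++ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
++ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
+
+/* TLSv1 ciphers */
+- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
++ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
++ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
++ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
++ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
++ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
++ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
++ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
++ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
++ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+};
+
+#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
+@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+mask |= SSL_RSA;
+} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
+mask |= SSL_eNULL;
++ } else if (!strcmp(cipher, "AES128")) {
++ mask |= SSL_AES128;
++ } else if (!strcmp(cipher, "AES256")) {
++ mask |= SSL_AES256;
+} else if (!strcmp(cipher, "AES")) {
+mask |= SSL_AES;
+} else if (!strcmp(cipher, "3DES")) {
+@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+mask |= SSL_MD5;
+} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+mask |= SSL_SHA1;
++ } else if (!strcmp(cipher, "EDH")) {
++ mask |= SSL_kEDH;
++ } else if (!strcmp(cipher, "DSS")) {
++ mask |= SSL_aDSA;
++ } else if (!strcmp(cipher, "CAMELLIA128")) {
++ mask |= SSL_CAMELLIA128;
++ } else if (!strcmp(cipher, "CAMELLIA256")) {
++ mask |= SSL_CAMELLIA256;
++ } else if (!strcmp(cipher, "CAMELLIA")) {
++ mask |= SSL_CAMELLIA;
++ } else if (!strcmp(cipher, "SEED")) {
++ mask |= SSL_SEED;
++ } else if (!strcmp(cipher, "ECDH")) {
++ mask |= SSL_kECDH;
++ } else if (!strcmp(cipher, "ECDHE")) {
++ mask |= SSL_kECDHE;
++ } else if (!strcmp(cipher, "ECDSA")) {
++ mask |= SSL_aECDSA;
+} else if (!strcmp(cipher, "SSLv2")) {
+protocol |= SSL2;
+} else if (!strcmp(cipher, "SSLv3")) {
+--
+1.7.11.4
+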
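Review bot: The two RSA Camellia entries `{"CAMELLIA256-SHA", ...}` and `{"CAMELLIA128-SHA", ...}` carry the combined `SSL_CAMELLIA` attribute while every DHE Camellia entry carries the specific `SSL_CAMELLIA128`/`SSL_CAMELLIA256` bit, so if selection is a bitwise test against the `mask` this parser builds (the matching code is outside the hunk), the `CAMELLIA128` keyword would also enable `CAMELLIA256-SHA` and vice versa. Using `SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1` and `SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1` on those two lines makes them consistent with the rest of the table. Worth recording in the table's header comment as well: with this `enabled` column the export-grade, single-DES and RC4 suites stay `SSL_ALLOWED` and are therefore part of `DEFAULT`, which mirrors the OpenSSL definition quoted above but is a weaker default than a current deployment would choose, so operators relying on `DEFAULT` should set an explicit cipher string. `nss_parse_ciphers` continues outside the hunk.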
@ -5,19 +5,18 @@ Backported-by: Jan Synacek <jsynacek@redhat.com>
|
||||
Upstream ITS: #7979
|
||||
Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
|
||||
|
||||
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
||||
+++ openldap-2.4.40/include/ldap.h 2015-01-27 14:52:42.741364186 +0100
|
||||
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
||||
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
||||
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
|
||||
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
|
||||
@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
break;
|
||||
default:
|
||||
- success = SECFailure;
|
||||
+ success = SECFailure;
|
||||
break;
|
||||
}
|
||||
|
||||
/* OpenLDAP SASL options */
|
||||
#define LDAP_OPT_X_SASL_MECH 0x6100
|
||||
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-09-19 03:48:49.000000000 +0200
|
||||
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2015-01-27 14:57:25.702243542 +0100
|
||||
@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
|
||||
@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
|
||||
NSSInitContext *initctx = NULL;
|
||||
PK11SlotInfo *certdb_slot = NULL;
|
||||
#endif
|
||||
@ -26,8 +25,8 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
|
||||
SECStatus rc;
|
||||
int done = 0;
|
||||
|
||||
@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
|
||||
ctx->tc_using_pem = PR_TRUE;
|
||||
@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
|
||||
}
|
||||
}
|
||||
|
||||
+ /*
|
||||
@ -40,7 +39,16 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
|
||||
+ variant = ssl_variant_stream;
|
||||
+ SSL_VersionRangeSetDefault(variant, &range);
|
||||
+
|
||||
NSS_SetDomesticPolicy();
|
||||
NSS_SetDomesticPolicy();
|
||||
|
||||
PK11_SetPasswordFunc( tlsm_pin_prompt );
|
||||
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
|
||||
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
|
||||
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
||||
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
||||
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
|
||||
|
||||
/* OpenLDAP SASL options */
|
||||
#define LDAP_OPT_X_SASL_MECH 0x6100
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
Name: openldap
|
||||
Version: 2.4.40
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Summary: LDAP support libraries
|
||||
Group: System Environment/Daemons
|
||||
License: OpenLDAP
|
||||
@ -26,6 +26,13 @@ Patch2: openldap-reentrant-gethostby.patch
|
||||
Patch3: openldap-smbk5pwd-overlay.patch
|
||||
Patch4: openldap-man-sasl-nocanon.patch
|
||||
Patch5: openldap-ai-addrconfig.patch
|
||||
# nss patches, unlikely to ever get upstreamed
|
||||
Patch11: openldap-nss-update-list-of-ciphers.patch
|
||||
Patch12: openldap-tls-no-reuse-of-tls_session.patch
|
||||
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
|
||||
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
|
||||
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
|
||||
Patch16: openldap-nss-pk11-freeslot.patch
|
||||
|
||||
# fix back_perl problems with lt_dlopen()
|
||||
# might cause crashes because of symbol collisions
|
||||
@ -43,13 +50,16 @@ Patch22: openldap-require-non-empty-attributelist.patch
|
||||
Patch90: check-password-makefile.patch
|
||||
Patch91: check-password.patch
|
||||
|
||||
# Fedora specific patches
|
||||
Patch100: openldap-autoconf-pkgconfig-nss.patch
|
||||
# GCC 5 cpp patch, pending upstream inclusion (ITS #8056)
|
||||
Patch100: openldap-gcc-5.patch
|
||||
Patch101: openldap-gcc-5.patch
|
||||
|
||||
BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
|
||||
BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
|
||||
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
|
||||
# smbk5pwd overlay:
|
||||
BuildRequires: openssl-devel
|
||||
Requires: nss-tools
|
||||
|
||||
%description
|
||||
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
|
||||
@ -115,8 +125,14 @@ programs needed for accessing and modifying OpenLDAP directories.
|
||||
|
||||
pushd openldap-%{version}
|
||||
|
||||
# use pkg-config for Mozilla NSS library
|
||||
%patch100 -p1
|
||||
|
||||
%patch101 -p1
|
||||
# alternative include paths for Mozilla NSS
|
||||
ln -s %{_includedir}/nss3 include/nss
|
||||
ln -s %{_includedir}/nspr4 include/nspr
|
||||
|
||||
AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||
|
||||
%patch0 -p1
|
||||
@ -125,6 +141,12 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
@ -194,6 +216,7 @@ pushd openldap-%{version}
|
||||
--without-fetch \
|
||||
--with-threads \
|
||||
--with-pic \
|
||||
--with-tls=moznss \
|
||||
--with-gnu-ld \
|
||||
\
|
||||
--libexecdir=%{_libdir}
|
||||
@ -514,6 +537,9 @@ exit 0
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
|
||||
- link against moznss again (#1187742)
|
||||
|
||||
* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
|
||||
- fix: Unknown Berkeley DB major version in db.h (#1191098)
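Review bot: `Patch11`–`Patch16` reintroduce TLS certificate-handling code that exists only in this package (hashed CA-cert directory search, certdb type-prefix handling, certdb-to-PEM fallback), and with `--with-tls=moznss` further down that code becomes the certificate-verification path for every libldap client on the system, yet the only documentation is `# nss patches, unlikely to ever get upstreamed`. I would extend that comment so each patch line records its tracking bug, e.g. `# nss patches, unlikely to ever get upstreamed; each carries its tracking bug and must be re-audited on NSS/OpenLDAP rebases`, so the out-of-tree trust-path logic is not carried forward unreviewed. The `ln -s %{_includedir}/nss3 include/nss` and `nspr` links in %prep look redundant once `%patch100` switches NSS detection to pkg-config (per the comment above it); if something still needs the hard-coded include paths, a comment naming it would save the next maintainer from removing the links. Whether `/etc/openldap/certs` and its PIN file are created with ldap-only permissions is decided in %files/%post, which is outside this view.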
|
||||
|
||||
|
@ -9,9 +9,9 @@ cn: config
|
||||
#
|
||||
# TLS settings
|
||||
#
|
||||
#olcTLSCACertificatePath: /etc/openldap/certs/cacert.pem
|
||||
#olcTLSCertificateFile: /etc/openldap/certs/servercert.pem
|
||||
#olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
|
||||
olcTLSCACertificatePath: /etc/openldap/certs
|
||||
olcTLSCertificateFile: "OpenLDAP Server"
|
||||
olcTLSCertificateKeyFile: /etc/openldap/certs/password
|
||||
|
||||
#
|
||||
# Do not enable referrals until AFTER you have a working directory
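Review bot: The new default TLS attributes are meaningful only with the Mozilla NSS backend selected in the spec: `olcTLSCertificateFile: "OpenLDAP Server"` is a certdb nickname rather than a file path, and `olcTLSCertificateKeyFile: /etc/openldap/certs/password` presumably names the plaintext PIN file that unlocks the key in the certdb under `olcTLSCACertificatePath` (this is how slapd.conf(5) describes the moznss build — confirm against the package's actual backend). Nothing in the ldif says so, and an admin used to the removed `.pem` style values would have no hint that the third attribute is a secret file rather than a key in PEM form. I would add a comment directly above the three attributes: `# Mozilla NSS backend: CACertificatePath is the certdb directory, CertificateFile is the certificate nickname in that db, and CertificateKeyFile is the PIN file for the db — keep it mode 0600, owned by the ldap user.` The ownership and mode of the PIN file are set elsewhere in the package and are outside this view.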
|
||||
|