From 2a0c2c9740196c703d9f294f9f726fa19c8a8941 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Wed, 29 Oct 2014 13:54:56 -0400
Subject: [PATCH] Ticket 47929 - Admin Server - disable SSLv3 by default

Bug Description: SSLv3 is no longer safe to use.
Fix Description: Set the NSS protocol to TLSv1.1 by default, and also properly set the SSL min/max version range(which can also be customized in adm.conf). Also made sure the new range is properly set and initialized.
https://fedorahosted.org/389/ticket/47929
Reviewed by: ?
---
 admserv/cfgstuff/console.conf.in | 2 +-
 mod_admserv/mod_admserv.c | 27 +++++++++++++++------------
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/admserv/cfgstuff/console.conf.in b/admserv/cfgstuff/console.conf.in
index 5f22439..0b7f106 100644
--- a/admserv/cfgstuff/console.conf.in
+++ b/admserv/cfgstuff/console.conf.in
@@ -108,7 +108,7 @@ NSSCertificateDatabase @securitydir@
 # SSL 3 ciphers. SSL 2 is disabled by default.
 NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+NSSProtocol TLSv1.1
 # Client Authentication (Type):
 # Client certificate verification type. Types are none, optional and
diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index 3fc19ff..2ffc1fb 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
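Review bot: `NSSProtocol TLSv1.1` pins the server to exactly one protocol version, so a mod_nss build that supports TLSv1.2 would be prevented from negotiating it; if that version is available in the targeted mod_nss, `NSSProtocol TLSv1.1,TLSv1.2` removes SSLv3 without also capping at TLSv1.1. The context comment two lines above, `# SSL 3 ciphers. SSL 2 is disabled by default.`, is now misleading and should read `# Cipher list (SSLv2 and SSLv3 are disabled; see NSSProtocol below).`. The unchanged NSSCipherSuite line still enables `rsa_rc4_128_md5` and `rsa_rc4_128_sha`, which deserves a follow-up given the stated goal of retiring weak crypto. The commit message also says the SSL min/max version range is set and configurable via adm.conf, but neither file in the diffstat does so, so presumably that lands in a library change outside this patch and should be referenced here.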
@@ -145,9 +145,11 @@ module AP_MODULE_DECLARE_DATA admserv_module;
 static int sync_task_sie_data(const char *name, char *query, void *arg, request_rec *r);
 static int change_sie_password(const char *name, char *query, void* arg, request_rec *r);
 static int create_auth_users_cache_entry(char *user, char *userDN, const char *userPW, char *ldapURL);
-
+static int sslinit(AdmldapInfo info, const char *configdir);
 static int admserv_check_user_id(request_rec *r);
+static int NSS_inited = 0;
+
 /* per-process config structure */
 typedef struct {
 int nInitCount;
@@ -513,6 +515,13 @@ openLDAPConnection(LdapServerData *data)
 {
 LDAP *server;
+ if(data->secure && !NSS_inited){
+ AdmldapInfo info;
+ int error = 0;
+
+ info = admldapBuildInfo(configdir, &error);
+ sslinit(info, configdir);
+ }
 if (!(server = util_ldap_init(data->securitydir, NULL, data->host, data->port, data->secure, 1, NULL))) {
 ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
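Review bot: In the block added to openLDAPConnection, the `error` value filled by `admldapBuildInfo(configdir, &error)` is never checked and `info` goes straight into `sslinit`, whose `ADMSSL_Init` failure path calls `exit(1)`; a bad or unreadable admin config at connection time would therefore terminate the httpd child instead of failing this one LDAP connection. Test the result first and fail the way the `util_ldap_init` branch below does, e.g. `if (!info || error) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, "openLDAPConnection: failed to read admin config for SSL init"); return NULL; }` (adjust to the function's actual failure return, which is outside the hunk). `info` is also never released after sslinit returns, so whatever destructor pairs with admldapBuildInfo should be called here, or the info kept for reuse. `configdir` is not a parameter of openLDAPConnection, so it is presumably a file-scope variable set at module init; worth confirming it is populated before any secure connection can be attempted. The rest of openLDAPConnection continues outside the hunk.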
@@ -779,23 +788,17 @@ extractLdapServerData(LdapServerData *data, char *ldapURL, const server_rec *s)
 static int sslinit(AdmldapInfo info, const char *configdir)
 {
- if (!NSS_IsInitialized()) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
- "sslinit: doing NSS initialization");
- /* mod_nss is used when we are a TLS/SSL server - mod_nss starts up before we do
- and will set up all of the TLS/SSL stuff */
- /* if we are acting as simply a TLS/SSL client to the directory server,
- we still have to perform our own TLS/SSL client init */
+ if(!NSS_inited){
 if (ADMSSL_Init(info, (char *)configdir, 0)) {
 ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
- "sslinit: NSS is required to use LDAPS, but security initialization failed [%d:%s]. Cannot start server",
+ "sslinit: NSS is required to use LDAPS, but security initialization failed [%d:%s].",
 PR_GetError(), SSL_Strerror(PR_GetError()));
 exit(1);
 }
- } else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
- "sslinit: mod_nss has been started and initialized");
+ NSS_inited = 1;
 }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
+ "sslinit: mod_nss has been started and initialized");
 return 1;
 }
-- 
1.9.3
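Review bot: Replacing `NSS_IsInitialized()` with the module-private `NSS_inited` flag drops the only check that knew whether mod_nss had already initialized NSS in this process — the case the removed comment described — so when the admin server is also a TLS server, `ADMSSL_Init` now runs against an already-initialized NSS unless ADMSSL_Init tolerates that itself; if the intent is that ADMSSL_Init now handles both cases, a comment saying so should replace the deleted one, e.g. `/* ADMSSL_Init must cope with NSS already being up (mod_nss); NSS_inited only prevents our own repeat init */`. The now-unconditional debug message `"sslinit: mod_nss has been started and initialized"` is misleading on the path where this function performed the init itself; `"sslinit: NSS initialized for LDAPS client use"` would describe both paths. `NSS_inited` is a plain static that is tested in openLDAPConnection (apparently a per-connection path) and set here, so under a threaded MPM two workers can both pass `!NSS_inited` and call ADMSSL_Init concurrently, which is harmless only if ADMSSL_Init is idempotent and thread-safe — not visible here. The retained `exit(1)` was tolerable at startup but is now reachable per connection via openLDAPConnection; returning a failure code for the caller to handle would be safer.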