389-ds-base

Clone
Source Code
GIT

#49726 DS only accepts RSA and Fortezza cipher families
Closed: wontfix 5 years ago Opened 5 years ago by mreynolds.

Closed: wontfix
Reopen Issue

Issue Description

Currently DS only accepts fortezza and RSA cipher families. This prevents things like ECC certificates from being used.

@rcritten found the issue in ssl.c, and pointed out that nunc-stans tls code was already doing the right thing, but not the core server code.

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 36b09fd..41b5467 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1964,7 +1964,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
                 }

                 if (SECSuccess == rv) {
-
+                    SSLKEAType certKEA;
 #ifdef HAVE_NSS_DHE
                     /* Step If we want weak dh params, flag it on the socket now! */

@@ -1981,12 +1981,10 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
                         }
                     }
 #endif
+                    certKEA = NSS_FindCertKEAType(cert);
+                    rv = SSL_ConfigSecureServer(*fd, cert, key, certKEA);

-                    if (slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE) {
-                        rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
-                    } else {
-                        rv = SSL_ConfigSecureServer(*fd, cert, key, kt_rsa);
-                    }

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to review
- Custom field type adjusted to None
- Custom field version adjusted to None
5 years ago

commit 27a16a0

9f347e8..5aed2f4 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

7a334ca..e0e739d 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
5 years ago

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1582747
5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2785

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
review
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.