#49726 DS only accepts RSA and Fortezza cipher families
Closed: fixed 2 years ago Opened 2 years ago by mreynolds.

Issue Description

Currently DS only accepts fortezza and RSA cipher families. This prevents things like ECC certificates from being used.

@rcritten found the issue in ssl.c, and pointed out that nunc-stans tls code was already doing the right thing, but not the core server code.

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 36b09fd..41b5467 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1964,7 +1964,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
                 }

                 if (SECSuccess == rv) {
-
+                    SSLKEAType certKEA;
 #ifdef HAVE_NSS_DHE
                     /* Step If we want weak dh params, flag it on the socket now! */

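Review bot: `SSLKEAType certKEA;` is declared here, at the top of the `if (SECSuccess == rv)` block, but is not assigned until after the `#ifdef HAVE_NSS_DHE` section; initialise it at the declaration (`SSLKEAType certKEA = kt_null;`) so the "not yet determined" state is explicit, and add a one-line comment stating that the key-exchange type is now derived from the certificate, since the old hard-coded Fortezza/RSA branch that documented that choice is being removed in the next hunk.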
@@ -1981,12 +1981,10 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
                         }
                     }
 #endif
+                    certKEA = NSS_FindCertKEAType(cert);
+                    rv = SSL_ConfigSecureServer(*fd, cert, key, certKEA);

-                    if (slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE) {
-                        rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
-                    } else {
-                        rv = SSL_ConfigSecureServer(*fd, cert, key, kt_rsa);
-                    }

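The point of the ticket is that the server must derive the key-exchange type from the certificate's public key instead of assuming RSA or Fortezza. The following is an added example, not 389-ds or NSS code, that implements that classification by reading the algorithm OID out of a DER SubjectPublicKeyInfo; it mirrors what NSS's NSS_FindCertKEAType() does (RSA and EC keys recognised, anything else reported as "null"), and shows the caller-side check the patch above omits: an unrecognised key type is refused rather than silently configured. The enum, function and constant names, and the three constructed SPKI byte strings, are this example's own and are not from the page.

```c
/* Added example, not 389-ds-base or NSS code. Mirrors the logic of
 * NSS_FindCertKEAType(): classify a certificate's public key by the
 * algorithm OID in its SubjectPublicKeyInfo, so the TLS key-exchange
 * type follows the certificate instead of being hard-coded. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for NSS's SSLKEAType values (names are assumptions). */
typedef enum { kea_null = 0, kea_rsa, kea_fortezza, kea_ecdh } kea_type_t;

/* DER OBJECT IDENTIFIER encodings, tag and length included. */
static const uint8_t OID_RSA_ENCRYPTION[] = /* 1.2.840.113549.1.1.1 */
    {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01};
static const uint8_t OID_EC_PUBLIC_KEY[] =  /* 1.2.840.10045.2.1 */
    {0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01};

/* Minimal DER TLV header reader: returns header size (0 on error),
 * sets *tag and *len. Lengths up to two bytes are enough for an SPKI. */
static size_t der_header(const uint8_t *p, size_t n, uint8_t *tag, size_t *len)
{
    size_t nb, l = 0, i;
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    nb = p[1] & 0x7f;
    if (nb == 0 || nb > 2 || n < 2 + nb) return 0;
    for (i = 0; i < nb; i++) l = (l << 8) | p[2 + i];
    *len = l;
    return 2 + nb;
}

/* SubjectPublicKeyInfo ::= SEQUENCE {
 *     algorithm        SEQUENCE { OID, parameters ANY },
 *     subjectPublicKey BIT STRING }
 * Returns kea_null for malformed input or an unrecognised key algorithm. */
kea_type_t kea_from_spki(const uint8_t *spki, size_t n)
{
    const uint8_t *p = spki;
    size_t rem = n, h, len, oid_total;
    uint8_t tag;

    h = der_header(p, rem, &tag, &len);             /* outer SEQUENCE */
    if (!h || tag != 0x30 || len > rem - h) return kea_null;
    p += h; rem = len;
    h = der_header(p, rem, &tag, &len);             /* AlgorithmIdentifier */
    if (!h || tag != 0x30 || len > rem - h) return kea_null;
    p += h; rem = len;
    h = der_header(p, rem, &tag, &len);             /* algorithm OID */
    if (!h || tag != 0x06 || len > rem - h) return kea_null;
    oid_total = h + len;
    if (oid_total == sizeof OID_RSA_ENCRYPTION &&
        memcmp(p, OID_RSA_ENCRYPTION, oid_total) == 0) return kea_rsa;
    if (oid_total == sizeof OID_EC_PUBLIC_KEY &&
        memcmp(p, OID_EC_PUBLIC_KEY, oid_total) == 0) return kea_ecdh;
    return kea_null; /* unknown key type: the caller must refuse, not guess */
}

/* Caller-side check the server should do before handing the key type to
 * the TLS library: a kea_null result is an error, not a usable value. */
int select_server_kea(const uint8_t *spki, size_t n, kea_type_t *out)
{
    kea_type_t k = kea_from_spki(spki, n);
    if (k == kea_null) return -1;
    *out = k;
    return 0;
}

/* Constructed sample SPKIs (dummy key material, valid DER framing). */
const uint8_t SPKI_RSA[] = {
    0x30, 0x1a, 0x30, 0x0d,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
    0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x03, 0x02, 0x01, 0x03 };
const uint8_t SPKI_EC_P256[] = {
    0x30, 0x1b, 0x30, 0x13,
    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
    0x03, 0x04, 0x00, 0x04, 0xaa, 0xbb };
const uint8_t SPKI_DSA[] = {  /* id-dsa 1.2.840.10040.4.1: not mapped */
    0x30, 0x0e, 0x30, 0x09,
    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01,
    0x03, 0x01, 0x00 };

int main(void)
{
    kea_type_t k;
    printf("rsa  -> %d\n", select_server_kea(SPKI_RSA, sizeof SPKI_RSA, &k) == 0 ? k : -1);
    printf("ec   -> %d\n", select_server_kea(SPKI_EC_P256, sizeof SPKI_EC_P256, &k) == 0 ? k : -1);
    printf("dsa  -> %d\n", select_server_kea(SPKI_DSA, sizeof SPKI_DSA, &k) == 0 ? k : -1);
    return 0;
}
```

With NSS itself the same outcome comes from NSS_FindCertKEAType(cert) followed by a test for kt_null; the example exists to make the "unknown key type" path, which the patch leaves unchecked, visible and testable.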
Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to review
- Custom field type adjusted to None
- Custom field version adjusted to None

2 years ago

commit 27a16a0

9f347e8..5aed2f4 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

7a334ca..e0e739d 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1582747

2 years ago
