From 7ba0631c7167af064114316ae4019ef531aacce3 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Dec 18 2007 19:55:23 +0000
Subject: Resolves: bug 426056
Bug Description: Unable to connect to admin express via SSL - firefox cipher issues?
Reviewed by: nkinder, nhosoi (Thanks!)
Fix Description: The admin server was defaulting to EXPORT instead of DOMESTIC so was not enabling the domestic ciphers by default. Then when the admin server SSL was configured, it would give it a list of old ciphers not currently supported by Firefox. Also, we are still being affected by Bug 151705 Processed: AS 6.2 Console cipher preferences bug, so when the list of ciphers pops up, you have to make sure all of the SSLv2 ciphers are disabled and the SSLv3 and TLS ciphers you want to use are enabled. I also discovered a problem with the ugdsconfig CGI program - it was being caught by the admldapBuildInfoSSL problem where it tries to use the SIEDN to bind. So I had to use the same hack used in mod_admserv and elsewhere to force it to use the correct bind dn and password. Finally, I updated the list of ciphers in console.conf to reflect the full list of ciphers supported by mod_nss.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
---
diff --git a/admserv/cfgstuff/console.conf.in b/admserv/cfgstuff/console.conf.in
index 9f9ab42..a657b24 100644
--- a/admserv/cfgstuff/console.conf.in
+++ b/admserv/cfgstuff/console.conf.in
@@ -95,7 +95,8 @@ NSSCertificateDatabase @securitydir@
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_nss documentation for a complete list.
-NSSCipherSuite -des,-rc2export,+rc4export,+desede3,+rc4,-rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5
+# SSL 3 ciphers. SSL 2 is disabled by default.
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
 NSSProtocol SSLv3,TLSv1
diff --git a/admserv/cgi-src40/ugdsconfig.c b/admserv/cgi-src40/ugdsconfig.c
index a6b0e98..ed3fcd9 100644
--- a/admserv/cgi-src40/ugdsconfig.c
+++ b/admserv/cgi-src40/ugdsconfig.c
@@ -230,20 +230,15 @@ int main(int argc, char *argv[])
     return 0;
 }
-
-/*
- * Return current U/G directory setting
- */
-static void handle_getconfig(const char *configdir, const char *securitydir)
+static AdmldapInfo
+local_get_admldapinfo(const char *configdir, const char *securitydir)
 {
-    char *inforef=NULL, *globaldirurl=NULL, *dirurl=NULL, *binddn=NULL, *bindpw=NULL;
     AdmldapInfo adminfo;
     int rc;
-    logMsg("In handle_getconfig\n");
-
     if(ADMSSL_InitSimple((char *)configdir, (char *)securitydir, 0)) {
-        rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+        rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+        return NULL;
     }
     adminfo = admldapBuildInfo((char *)configdir, &rc);
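Review bot: The new NSSCipherSuite line drops every SSLv2-family entry that the old line spelled out (`-des,-rc2export,+rc4export,+desede3,+rc4,-rc2`), so the claim in the added comment that "SSL 2 is disabled by default" now rests on a mod_nss default and on the `NSSProtocol SSLv3,TLSv1` line rather than on the cipher list itself. Appending those entries as explicitly disabled, e.g. `,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3`, keeps the policy visible in one place and survives a change of library default. The commit message notes that the console's cipher dialog still has to be checked for SSLv2 entries by hand, which is a further argument for making the server-side list explicit.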
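Review bot: `local_get_admldapinfo` is introduced without a header comment, while the comment the hunk removes (`Return current U/G directory setting`) belongs to handle_getconfig and is re-added with it later in the patch. Since the helper establishes a NULL-on-failure contract that both handle_getconfig and handle_setconfig now depend on, a comment above the `static AdmldapInfo` line such as `/* Initialize SSL and build the AdmldapInfo for configdir. Reports the failure via rpt_err and returns NULL so the caller can bail out. */` would state it. The function body continues in the next hunk.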
@@ -251,14 +246,57 @@ static void handle_getconfig(const char *configdir, const char *securitydir)
         logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
         PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
         rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
+        return NULL;
     }
     if (admldapGetSecurity(adminfo)) {
-        if (!admldapBuildInfoSSL(adminfo, &rc)) {
-            logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
-            PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
+        /* Temporarily override the siedn. This needs to be
+         * done to get a valid LDAP handle.
+         */
+        char *siedn = NULL;
+        char *userdn = NULL;
+        char *siePasswd = NULL;
+
+        /* returned value from ADM_Get... should NOT be freed */
+        ADM_GetCurrentPassword(&rc, &siePasswd); /* via PIPE */
+        /* if userdn is initialized, override the siedn to make bind succeed */
+        ADM_GetUserDNString(&rc, &userdn);
+        if (strcasecmp(userdn, ADM_NOT_INITIALIZED)) {
+            siedn = admldapGetSIEDN(adminfo);
+            admldapSetSIEDN(adminfo, userdn);
+            admSetCachedSIEPWD(siePasswd);
+        }
+
+        if (!admldapBuildInfoSSL(adminfo, &rc)) {
+            logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
+            PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
             rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
+            return NULL;
         }
+
+        /* reset if we changed it */
+        if (siedn) {
+            admldapSetSIEDN(adminfo, siedn);
+            PL_strfree(siedn);
+        }
+    }
+
+    return adminfo;
+}
+
+/*
+ * Return current U/G directory setting
+ */
+static void handle_getconfig(const char *configdir, const char *securitydir)
+{
+    char *inforef=NULL, *globaldirurl=NULL, *dirurl=NULL, *binddn=NULL, *bindpw=NULL;
+    AdmldapInfo adminfo;
+    int rc;
+
+    logMsg("In handle_getconfig\n");
+
+    if (!(adminfo = 
local_get_admldapinfo(configdir, securitydir))) {
+        return;
     }
     if (!admldapGetDomainUserDirectory(adminfo, &globaldirurl, &binddn, &bindpw, &inforef, &rc)) {
@@ -305,8 +343,8 @@ static void handle_setconfig(const char *configdir, const char *securitydir) {
     logMsg("In handle_setconfig\n");
-    if(ADMSSL_InitSimple((char *)configdir, (char *)securitydir, 0)) {
-        rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+    if (!(adminfo = local_get_admldapinfo(configdir, securitydir))) {
+        return;
     }
     inforef = get_cgi_var( "ugdsconfig.inforef", NULL, NULL );
@@ -319,22 +357,6 @@ static void handle_setconfig(const char *configdir, const char *securitydir) {
     logMsg("binddn=%s\n", nonull_value(binddn));
     logMsg("bindpw size=%d\n", strlen(nonull_value(bindpw)));
-
-    adminfo = admldapBuildInfo((char *)configdir, &rc);
-    if (adminfo == NULL) {
-        logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
-        PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
-        rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
-    }
-
-    if (admldapGetSecurity(adminfo)) {
-        if (!admldapBuildInfoSSL(adminfo, &rc)) {
-            logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
-            PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
-            rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
-        }
-    }
-
     if (inforef != NULL) {
         if (strcasecmp(inforef,"default")==0) {
             siedn = admldapGetSIEDN(adminfo);
diff --git a/config.h.in b/config.h.in
index 3477d5f..92a99f7 100644
--- a/config.h.in
+++ b/config.h.in
@@ -248,6 +248,9 @@
 /* Define to 1 if your C compiler doesn't accept -c and -o together. */
 #undef NO_MINUS_C_MINUS_O
+/* Domestic security level enabled by default */
+#undef NS_DOMESTIC
+
 /* OS version */
 #undef OSVERSION
diff --git a/configure b/configure
index 7bd8d59..5dee261 100755
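Review bot: The `return NULL` added inside the `!admldapBuildInfoSSL` branch runs before the `/* reset if we changed it */` block, so whenever the SIE DN was overridden the saved `siedn` string is never freed and `adminfo` is left carrying the user DN and the cached password even though the comment says the override is temporary. Restoring and freeing before that return keeps the override confined to the bind attempt. Separately, `strcasecmp(userdn, ADM_NOT_INITIALIZED)` is reached without looking at `rc` or `userdn` from ADM_GetUserDNString; if that call can leave `userdn` NULL (not visible here), a guard such as `if (userdn && strcasecmp(userdn, ADM_NOT_INITIALIZED))` avoids passing NULL to strcasecmp. `local_get_admldapinfo` begins in the previous hunk, and handle_getconfig's body continues past the end of this one.
```c
        if (!admldapBuildInfoSSL(adminfo, &rc)) {
            /* … unchanged: logMsg / PR_snprintf / rpt_err … */
            /* undo the temporary SIE DN override before bailing out */
            if (siedn) {
                admldapSetSIEDN(adminfo, siedn);
                PL_strfree(siedn);
            }
            return NULL;
        }
```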
--- a/configure
+++ b/configure
@@ -23030,6 +23030,12 @@ echo "$as_me: error: Can't set both --with-fhs and --with-fhs-opt. Please only
 fi
+
+cat >>confdefs.h <<\_ACEOF
+#define NS_DOMESTIC 1
+_ACEOF
+
+
 # server userid, groupid
 httpduser=nobody
 httpdgroup=nobody
diff --git a/configure.ac b/configure.ac
index 9cad90c..0f2b149 100644
--- a/configure.ac
+++ b/configure.ac
@@ -102,6 +102,8 @@ AC_ARG_ENABLE(rpath, AS_HELP_STRING([--enable-rpath], [Allow libtool to add an r
 m4_include(m4/fhs.m4)
+AC_DEFINE([NS_DOMESTIC], [1], [Domestic security level enabled by default])
+
 # server userid, groupid
 httpduser=nobody
 httpdgroup=nobody
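Review bot: `AC_DEFINE([NS_DOMESTIC], [1], ...)` is unconditional, so the description `Domestic security level enabled by default` overstates the configurability: no configure option leaves the symbol undefined, and an export-level build is no longer selectable from configure. If that is the intent, `[Domestic security level is always enabled]` describes it accurately and the same text propagates into the generated `config.h.in` and `configure` hunks; if an export build should remain possible, the define belongs inside an `AC_ARG_ENABLE` so the setting can actually be turned off.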