ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN

Fix NSS code to check for TLS_PROCOTOL_MIN, and then set the SSL version range(min and max). Also updated SSL version string map table to support up to TLSv1.3
2025-01-30 13:30:57 +08:00 · 2014-11-13 09:49:19 -05:00 · 2014-11-13 09:49:19 -05:00 · 7a7d941943
commit 7a7d941943
parent 2a43a7d16f
1 changed files with 19 additions and 1 deletions
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@ -1641,6 +1641,8 @@ tlsm_deferred_init( void *arg )
 	NSSInitContext *initctx = NULL;
 	PK11SlotInfo *certdb_slot = NULL;
 #endif
+	SSLVersionRange range;
+	SSLProtocolVariant variant;
 	SECStatus rc;
 	int done = 0;

@ -1825,6 +1827,16 @@ tlsm_deferred_init( void *arg )
 			ctx->tc_using_pem = PR_TRUE;
 		}

+		/*
+		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
+		 *
+		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+		 */
+		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+		variant = ssl_variant_stream;
+		SSL_VersionRangeSetDefault(variant, &range);
+
 		NSS_SetDomesticPolicy();

 		PK11_SetPasswordFunc( tlsm_pin_prompt );
@ -2850,7 +2862,11 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 	return 0;
 }

-/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
+/*
+ * Yet again, we're pasting in glue that MozNSS ought to provide itself.
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
 static struct {
 	const char *name;
 	int num;
@ -2859,6 +2875,8 @@ static struct {
 	{ "SSLv3", SSL_LIBRARY_VERSION_3_0 },
 	{ "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
 	{ "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+	{ "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },
+	{ "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },
 	{ NULL, 0 }
 };