
Ticket 47637 - rsa_null_sha should not be enabled by default

Bug Description:  rsa_null_sha is enabled by default; since it is a NULL-encryption
                  suite, this can allow unencrypted traffic over a TLS connection.

Fix Description:  Disable rsa_null_sha, just like rsa_null_md5, by default.

https://fedorahosted.org/389/ticket/47637

Reviewed by: rmeggins(Thanks!)
Mark Reynolds 11 years ago
parent
commit
82b12c97af
1 changed files with 11 additions and 4 deletions
  1. 11 4
      ldap/servers/slapd/ssl.c

+ 11 - 4
ldap/servers/slapd/ssl.c

@@ -147,8 +147,8 @@ static cipherstruct _conf_ciphers[] = {
     {"SSL3","fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, /* ditto */
     {"SSL3","rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5},
     {"SSL3","rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
-    {"SSL3","rsa_null_md5", SSL_RSA_WITH_NULL_MD5},
-    {"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA},
+    {"SSL3","rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, /* disabled by default */
+    {"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, /* disabled by default */
     {"TLS","tls_rsa_export1024_with_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
     {"TLS","rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, /* ditto */
     {"TLS","tls_rsa_export1024_with_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
@@ -282,7 +282,9 @@ _conf_setallciphers(int active, char ***suplist, char ***unsuplist)
      *       them to activate it by name. */
     for(x = 0; _conf_ciphers[x].name; x++)  {
         PRBool enabled = active ? PR_TRUE : PR_FALSE;
-        if(active && !strcmp(_conf_ciphers[x].name, "rsa_null_md5"))  {
+        if(active && (!strcmp(_conf_ciphers[x].name, "rsa_null_md5") ||
+                      !strcmp(_conf_ciphers[x].name, "rsa_null_sha")))
+        {
             continue;
         }
         if (enabled) {
@@ -334,7 +336,12 @@ _conf_setciphers(char *ciphers)
         slapi_ch_free((void **)&suplist); /* strings inside are static */
         return NULL;
     }
-/* Enable all the ciphers by default and the following while loop would disable the user disabled ones This is needed becuase we added a new set of ciphers in the table . Right now there is no support for this from the console */	
+    /*
+     * Enable all the ciphers by default and the following while loop would
+     * disable the user disabled ones.  This is needed because we added a new
+     * set of ciphers in the table. Right now there is no support for this
+     * from the console
+     */
     _conf_setallciphers(1, &suplist, NULL);
 
     t = ciphers;
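Review bot: The `continue` that now covers rsa_null_sha as well as rsa_null_md5 only skips the enable step; neither suite is ever explicitly turned off, so in the active=1 pass they are left at whatever default state the SSL library already has for them rather than being affirmatively disabled. If the branch after `if (enabled)` (cut off at the end of the second hunk) disables suites whose flag is false, replacing `continue;` with `enabled = PR_FALSE;` would make the default-off policy explicit instead of relying on library defaults. The name-based strcmp list is also easy to miss when another alias row is added, as the table's `/* ditto */` duplicate entries show; a `disabled_by_default` field in `cipherstruct` would let the `/* disabled by default */` comments on the two table rows carry the policy instead of two out-of-band string compares. Note that the same loop still enables the export-grade 40-bit and 56-bit suites listed in the table by default. The body of _conf_setallciphers continues past the end of its hunk.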