|
|
@@ -473,18 +473,11 @@ slapd_nss_init(int init_ssl, int config_available)
|
|
|
return rv;
|
|
|
}
|
|
|
|
|
|
-/*
|
|
|
- * slapd_ssl_init() is called from main() if we plan to listen
|
|
|
- * on a secure port.
|
|
|
- */
|
|
|
-int
|
|
|
-slapd_ssl_init() {
|
|
|
+static int
|
|
|
+svrcore_setup()
|
|
|
+{
|
|
|
PRErrorCode errorCode;
|
|
|
- char ** family_list;
|
|
|
- char *val = NULL;
|
|
|
- char cipher_string[1024];
|
|
|
int rv = 0;
|
|
|
- PK11SlotInfo *slot;
|
|
|
#ifndef _WIN32
|
|
|
SVRCOREStdPinObj *StdPinObj;
|
|
|
#else
|
|
|
@@ -492,40 +485,11 @@ slapd_ssl_init() {
|
|
|
SVRCOREAltPinObj *AltPinObj;
|
|
|
SVRCORENTUserPinObj *NTUserPinObj;
|
|
|
#endif
|
|
|
- Slapi_Entry *entry = NULL;
|
|
|
-
|
|
|
- /* Get general information */
|
|
|
-
|
|
|
- getConfigEntry( configDN, &entry );
|
|
|
-
|
|
|
- val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
|
|
|
- ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
|
|
|
-
|
|
|
- /* We are currently using the value of sslSessionTimeout
|
|
|
- for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
|
|
|
- /* Note from Tom Weinstein on the meaning of the timeout:
|
|
|
-
|
|
|
- Timeouts are in seconds. '0' means use the default, which is
|
|
|
- 24hrs for SSL3 and 100 seconds for SSL2.
|
|
|
- */
|
|
|
-
|
|
|
- if(!val) {
|
|
|
- errorCode = PR_GetError();
|
|
|
- slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
|
|
|
- "configuration information ("
|
|
|
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
|
|
|
- "nssslSessionTimeout: %s ",
|
|
|
- errorCode, slapd_pr_strerror(errorCode),
|
|
|
- (val ? "found" : "not found"));
|
|
|
- slapi_ch_free((void **) &val);
|
|
|
- slapi_ch_free((void **) &ciphers);
|
|
|
- return -1;
|
|
|
- }
|
|
|
-
|
|
|
- stimeout = atoi(val);
|
|
|
- slapi_ch_free((void **) &val);
|
|
|
-
|
|
|
#ifndef _WIN32
|
|
|
+ StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
+ if (StdPinObj) {
|
|
|
+ return 0; /* already registered */
|
|
|
+ }
|
|
|
if ( SVRCORE_CreateStdPinObj(&StdPinObj, dongle_file_name, PR_TRUE) !=
|
|
|
SVRCORE_Success) {
|
|
|
errorCode = PR_GetError();
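Review bot: `svrcore_setup()` is defined with an empty parameter list, which in C is not a prototype, so a stray argument at a call site would compile; make it `static int svrcore_setup(void)`. The new helper also carries no header comment, even though the comment it displaces ("slapd_ssl_init() is called from main() ...") is kept on the public function later in the patch; I would put above it `/* Register the svrcore pin object unless one is already registered; returns 0 on success or when nothing had to be done. */`, which is what the `SVRCORE_GetRegisteredPinObj()` / `return 0; /* already registered */` check and the later `SVRCORE_RegisterPinObj()` call establish. The body of svrcore_setup() runs on through the next two hunks, so whether the `errorCode = PR_GetError();` failure paths set `rv` or return directly is not visible here; `int rv = 0;` is what the final `return rv;` hands back, so a failure path that only logs would make the caller's `if (svrcore_setup())` check a no-op.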
|
|
|
@@ -536,6 +500,10 @@ slapd_ssl_init() {
|
|
|
}
|
|
|
SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdPinObj);
|
|
|
#else
|
|
|
+ AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
+ if (AltPinObj) {
|
|
|
+ return 0; /* already registered */
|
|
|
+ }
|
|
|
if (SVRCORE_CreateFilePinObj(&FilePinObj, dongle_file_name) !=
|
|
|
SVRCORE_Success) {
|
|
|
errorCode = PR_GetError();
|
|
|
@@ -563,6 +531,58 @@ slapd_ssl_init() {
|
|
|
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
|
+ return rv;
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * slapd_ssl_init() is called from main() if we plan to listen
|
|
|
+ * on a secure port.
|
|
|
+ */
|
|
|
+int
|
|
|
+slapd_ssl_init() {
|
|
|
+ PRErrorCode errorCode;
|
|
|
+ char ** family_list;
|
|
|
+ char *val = NULL;
|
|
|
+ char cipher_string[1024];
|
|
|
+ int rv = 0;
|
|
|
+ PK11SlotInfo *slot;
|
|
|
+ Slapi_Entry *entry = NULL;
|
|
|
+
|
|
|
+ /* Get general information */
|
|
|
+
|
|
|
+ getConfigEntry( configDN, &entry );
|
|
|
+
|
|
|
+ val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
|
|
|
+ ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
|
|
|
+
|
|
|
+ /* We are currently using the value of sslSessionTimeout
|
|
|
+ for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
|
|
|
+ /* Note from Tom Weinstein on the meaning of the timeout:
|
|
|
+
|
|
|
+ Timeouts are in seconds. '0' means use the default, which is
|
|
|
+ 24hrs for SSL3 and 100 seconds for SSL2.
|
|
|
+ */
|
|
|
+
|
|
|
+ if(!val) {
|
|
|
+ errorCode = PR_GetError();
|
|
|
+ slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
|
|
|
+ "configuration information ("
|
|
|
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
|
|
|
+ "nssslSessionTimeout: %s ",
|
|
|
+ errorCode, slapd_pr_strerror(errorCode),
|
|
|
+ (val ? "found" : "not found"));
|
|
|
+ slapi_ch_free((void **) &val);
|
|
|
+ slapi_ch_free((void **) &ciphers);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ stimeout = atoi(val);
|
|
|
+ slapi_ch_free((void **) &val);
|
|
|
+
|
|
|
+ if (svrcore_setup()) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
if((family_list = getChildren(configDN))) {
|
|
|
char **family;
|
|
|
char *token;
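Review bot: The new early return `if (svrcore_setup()) { return -1; }` leaves the `ciphers` string obtained by `slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" )` allocated, whereas the `!val` failure path a few lines above releases it with `slapi_ch_free((void **) &ciphers);` before its own `return -1;`; unless `ciphers` is released elsewhere on this path, mirror that: `slapi_ch_free((void **) &ciphers); return -1;`. Whatever `getConfigEntry( configDN, &entry )` allocates into `entry` is likewise not released on either failure path, if it needs releasing. `stimeout = atoi(val);` is moved rather than new, but while these lines are being touched, `strtol` with an end-pointer check would let a non-numeric `nssslSessionTimeout` be reported instead of silently becoming 0, which the comment above documents as "use the default". slapd_ssl_init() continues past the end of the hunk.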
|
|
|
@@ -687,6 +707,10 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
|
|
|
#ifndef _WIN32
|
|
|
SVRCOREStdPinObj *StdPinObj;
|
|
|
|
|
|
+ if (svrcore_setup()) {
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+
|
|
|
StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
SVRCORE_SetStdPinInteractive(StdPinObj, PR_FALSE);
|
|
|
#endif
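Review bot: The `svrcore_setup()` call added to slapd_ssl_init2() sits only inside the `#ifndef _WIN32` block, while svrcore_setup() itself has a Windows branch (the `AltPinObj` / `SVRCORE_CreateFilePinObj` path earlier in this patch); if the Windows build also needs a registered pin object before the startTLS handshake, the call belongs above the `#ifndef`, otherwise an `#else` branch is needed. The failure is reported as a bare `return 1;` with no log line in this function, so if svrcore_setup() does not itself emit a warning on its failure paths (not visible in this patch), the caller learns only that initialisation failed, not that pin registration was the cause. The function body starts and ends outside the hunk.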
|
|
|
@@ -1159,35 +1183,37 @@ slapd_SSL_client_auth (LDAP* ld)
|
|
|
|
|
|
/* Free config data */
|
|
|
|
|
|
+ if (!svrcore_setup()) {
|
|
|
#ifndef _WIN32
|
|
|
- StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
- err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
|
|
|
+ StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
+ err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
|
|
|
#else
|
|
|
- AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
- pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
|
|
|
+ AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
|
|
|
+ pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
|
|
|
#endif
|
|
|
- if ( err != SVRCORE_Success || pw == NULL) {
|
|
|
- errorCode = PR_GetError();
|
|
|
- slapd_SSL_warn("SSL client authentication cannot be used "
|
|
|
- "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
- errorCode, slapd_pr_strerror(errorCode));
|
|
|
- } else {
|
|
|
- rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
|
|
|
- if (rc != 0) {
|
|
|
+ if ( err != SVRCORE_Success || pw == NULL) {
|
|
|
errorCode = PR_GetError();
|
|
|
- slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
|
|
|
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
- SERVER_KEY_NAME, cert_name, rc,
|
|
|
- errorCode, slapd_pr_strerror(errorCode));
|
|
|
+ slapd_SSL_warn("SSL client authentication cannot be used "
|
|
|
+ "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
+ errorCode, slapd_pr_strerror(errorCode));
|
|
|
} else {
|
|
|
- /* We cannot allow NSS to cache outgoing client auth connections -
|
|
|
- each client auth connection must have it's own non-shared SSL
|
|
|
- connection to the peer so that it will go through the
|
|
|
- entire handshake protocol every time including the use of its
|
|
|
- own unique client cert - see bug 605457
|
|
|
- */
|
|
|
-
|
|
|
- ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
|
|
|
+ rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
|
|
|
+ if (rc != 0) {
|
|
|
+ errorCode = PR_GetError();
|
|
|
+ slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
|
|
|
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
|
|
+ SERVER_KEY_NAME, cert_name, rc,
|
|
|
+ errorCode, slapd_pr_strerror(errorCode));
|
|
|
+ } else {
|
|
|
+ /* We cannot allow NSS to cache outgoing client auth connections -
|
|
|
+ each client auth connection must have it's own non-shared SSL
|
|
|
+ connection to the peer so that it will go through the
|
|
|
+ entire handshake protocol every time including the use of its
|
|
|
+ own unique client cert - see bug 605457
|
|
|
+ */
|
|
|
+
|
|
|
+ ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
|
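Review bot: When `svrcore_setup()` fails, the new `if (!svrcore_setup()) {` wrapper silently skips the whole client-auth block, so the outgoing connection is left without client authentication and nothing in this function records why; before this change a pin failure always reached the `slapd_SSL_warn("SSL client authentication cannot be used " "(no password). ...")` path. Add an `else` after the wrapper's closing brace, e.g. `} else { slapd_SSL_warn("SSL client authentication cannot be used (svrcore pin object setup failed)"); }`, so an operator can tell from the log that the connection fell back to no client cert rather than the pin merely being wrong. The rest of the block (`SVRCORE_StdPinGetPin`, `ldapssl_enable_clientauth`, the `SSL_NO_CACHE` option) is only re-indented, so the existing per-step warnings are unchanged. slapd_SSL_client_auth() continues outside the hunk.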