Bug 970727 - provide cipher string, error code support for apps that use NSS directly
Status: NEW
Product: Fedora
Classification: Fedora
Component: nss_compat_ossl
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Orphan Owner
QA Contact: Fedora Extras Quality Assurance

Reported: 2013-06-04 13:31 EDT by Rich Megginson
Modified: 2015-12-14 03:24 EST

Description Rich Megginson 2013-06-04 13:31:26 EDT
Description of problem:
For example, openldap doesn't use the compat layer, it uses NSS directly.  This means it has to maintain its own openssl cipher string -> NSS integer cipher list mapping and a system error code to NSS/NSPR error code mapping.  It would be better if this could be provided by the nss_compat_ossl layer - it already has to do this, it just needs to expose this functionality to the public API.

For example, the openldap function tlsm_parse_ciphers() takes an openssl style cipher string, parses it, and calls SSL_CipherPrefSet() to configure the cipher suites.  It would be nice if this function could be provided by nss_compat_ossl e.g.

int
nss_compat_parse_ciphers(PRFileDesc *prfd, const char *ossl_cipher_str)
{
   /* parse ossl_cipher_str */
   /* call SSL_CipherPrefSet(prfd, NSS_cipher_int, enabled); for each cipher */
}

In addition, openldap has a function tlsm_map_error() that maps system error numbers to NSPR error numbers - would be nice to have that provided by a library.  There are NSPR functions like _MD_unix_map_default_error but these are not exposed to the public API.  This is useful when using NSS because the lib/app may be using NSS/NSPR for only the TLS/SSL part of socket communications, but not for the underlying system calls e.g. the app may be calling read()/send()/write()/recv() directly rather than going through NSPR.  When using NSPR I/O functions, the error codes are automatically mapped.
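
An illustration of the cipher-string parsing step described in this report, added here as an example; it is not code from OpenLDAP, NSS or nss_compat_ossl. The name demo_parse_ciphers and the four-entry table are assumptions made for the example, and only individual suite names with the `!` and `-` prefixes are handled (no keywords such as ALL or HIGH).

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample table: OpenSSL suite name -> IANA suite number.
 * NSS's TLS_* cipher constants carry the same IANA numbers. */
struct suite { const char *ossl_name; uint16_t id; int enabled, killed; };
static struct suite suites[] = {
    { "RC4-SHA",                     0x0005, 0, 0 },
    { "AES128-SHA",                  0x002F, 0, 0 },
    { "AES256-SHA",                  0x0035, 0, 0 },
    { "ECDHE-RSA-AES128-GCM-SHA256", 0xC02F, 0, 0 },
};
#define NSUITES (sizeof suites / sizeof suites[0])

/* Hypothetical helper. Returns a bitmask of enabled table entries (bit i set
 * means suites[i] is enabled), or -1 on an unknown suite name, in which case
 * every suite is left disabled (fail closed). */
int demo_parse_ciphers(const char *ossl_cipher_str)
{
    const char *p = ossl_cipher_str;
    size_t i, len;
    int mask = 0;

    for (i = 0; i < NSUITES; i++)
        suites[i].enabled = suites[i].killed = 0;
    while (*p) {
        char op = 0;
        len = strcspn(p, ":");                    /* length of this token */
        if (len > 0 && (*p == '!' || *p == '-')) { op = *p++; len--; }
        for (i = 0; len > 0 && i < NSUITES; i++)
            if (strlen(suites[i].ossl_name) == len &&
                strncmp(suites[i].ossl_name, p, len) == 0)
                break;
        if (len > 0 && i == NSUITES) {            /* unknown suite name */
            for (i = 0; i < NSUITES; i++) suites[i].enabled = 0;
            return -1;
        }
        if (len > 0) {
            if (op == '!') suites[i].killed = 1;  /* '!' cannot be undone */
            suites[i].enabled = (op == 0 && !suites[i].killed);
        }
        p += len;
        if (*p == ':') p++;
    }
    /* With NSS, this is where SSL_CipherPrefSet(prfd, suites[i].id,
     * suites[i].enabled) would be called for each table entry. */
    for (i = 0; i < NSUITES; i++)
        if (suites[i].enabled) mask |= 1 << i;
    return mask;
}
```

Rejecting the whole string on an unknown name keeps a typo from silently producing a different suite set than the administrator wrote.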

Comment 1 Fedora End Of Life 2013-09-16 10:05:43 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 2 Jaroslav Reznik 2015-03-03 09:57:19 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 3 Matthew Harmsen 2015-12-10 12:43:25 EST
As this component has been retired as of Fedora 23 which has already been released, I am moving this bug to Fedora 23 where it should be orphaned.
