stap-server ssl: enable all cipher suites manually

On some versions of NSS, NSS_SetDomesticPolicy doesn't work right,
so let's use lower-level functions with the appropriate (zero)
level of return-code checking.

diff --git a/csclient.cxx b/csclient.cxx
index dc09d66951dc837d146a0a4b8e696d756c309184..cce5428e7ccb7c0132e6cc6b0dcfd8b24113bfa1 100644 (file)
--- a/csclient.cxx
+++ b/csclient.cxx
@@ -1264,15 +1264,13 @@ compile_server_client::compile_using_server (
 
       // Enable all cipher suites.
       // SSL_ClearSessionCache is required for the new settings to take effect.
-      secStatus = NSS_SetDomesticPolicy ();
+      /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
+      do {
+        const PRUint16 *cipher;
+        for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher)
+          SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
+      } while (0);
       SSL_ClearSessionCache ();
-      if (secStatus != SECSuccess)
-       {
-         clog << _("Unable to set NSS export policy");
-         nssError ();
-         nssCleanup (cert_dir);
-         continue; // try next database
-       }
   
       server_zipfile = s.tmpdir + "/server.zip";
 
@@ -1707,14 +1705,13 @@ add_server_trust (
 
   // Enable all cipher suites.
   // SSL_ClearSessionCache is required for the new settings to take effect.
-  secStatus = NSS_SetDomesticPolicy ();
+  /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
+  do {
+    const PRUint16 *cipher;
+    for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher)
+      SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
+  } while (0);
   SSL_ClearSessionCache ();
-  if (secStatus != SECSuccess)
-    {
-      clog << _("Unable to set NSS export policy");
-      nssError ();
-      goto cleanup;
-    }
   
   // Iterate over the servers to become trusted. Contact each one and
   // add it to the list of trusted servers if it is not already trusted.

diff --git a/stap-serverd.cxx b/stap-serverd.cxx
index 27521230322b12ec45969c688715219bc0042e07..53a8d3a86d10f5b3a3370480d216f252e5ab0a89 100644 (file)
--- a/stap-serverd.cxx
+++ b/stap-serverd.cxx
@@ -1741,14 +1741,13 @@ server_main (PRFileDesc *listenSocket)
   // We need to be able to shut down NSS cleanly if we are to generate a new certificate when
   // ours expires. It should be noted however, thet SSL_ClearSessionCache only clears the
   // client cache, and we are a server.
-  secStatus = NSS_SetDomesticPolicy ();
+  /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
+  do {
+    const PRUint16 *cipher;
+    for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher)
+      SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
+  } while (0);
   //      SSL_ClearSessionCache ();
-  if (secStatus != SECSuccess)
-    {
-      server_error (_("Unable to set NSS export policy"));
-      nssError ();
-      goto done;
-    }
 
   // Configure the SSL session cache for a single process server with the default settings.
   secStatus = SSL_ConfigServerSessionIDCache (0, 0, 0, NULL);