Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base
Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch
adds the config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config
so that the definition of nsTLS1 remains intact if the new parameters are not
specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config
entry, nsTLS1 is ignored and the new parameters are applied.
Default values:
nsTLS1: on
nsTLS10,nsTLS11,nsTLS12: ignored
Examples:

cn=encryption,cn=config
[no SSL version settings]
==> sslVersionMin: TLS1.0

cn=encryption,cn=config
nsTLS1: on
==> sslVersionMin: TLS1.0

cn=encryption,cn=config
nsTLS1: on | off
nsTLS10: on
==> sslVersionMin: TLS1.0
==> Note: nsTLS1 is ignored.

cn=encryption,cn=config
nsTLS11: on
==> sslVersionMin: TLS1.1

cn=encryption,cn=config
nsTLS12: on
==> sslVersionMin: TLS1.2

Special cases:

If all SSL version config parameters are off, SSL fails to configure.

cn=encryption,cn=config
nsTLS10: off
nsTLS11: off
nsTLS12: off
nsTLS1: off
==> SSL configuration fails.
==> Note: nsSSL3 is off by default.

cn=encryption,cn=config
nsTLS10: on
nsTLS12: off
==> sslVersionMin: TLS1.0
==> Note: nsTLS12 is ignored.
Even if off is set on a higher SSL version, as in this example,
it is not used as sslVersionMax; it is ignored.
https://fedorahosted.org/389/ticket/48816
Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!!
Final review was made by wibrown@redhat.com (Thank you, William!!)
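The following is an added example, not code from the patch or from 389-ds-base. It models the resolution rules stated in the description above (nsTLS1 as the legacy default, nsTLS10/11/12 overriding it, the lowest "on" version becoming sslVersionMin, an "off" on a higher version being ignored rather than becoming sslVersionMax, and the all-off case failing) as a small checker a practitioner could run over the `cn=encryption,cn=config` entry before restarting the server. The LDIF fragments, the function names `parse_entry`, `effective_policy` and `audit`, and the `TlsPolicy` result type are all assumptions of this example; the rule text is the only thing taken from the ticket.

```python
"""Added example (not 389-ds-base code): derive the effective sslVersionMin that
the ticket #48816 rules assign to a cn=encryption,cn=config entry."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Lowest to highest; sslVersionMin is the lowest version that is switched on.
VERSION_ORDER = ("TLS1.0", "TLS1.1", "TLS1.2")
# LDAP attribute names are case-insensitive, so lookups use lower-cased keys.
NEW_ATTRS = {"nstls10": "TLS1.0", "nstls11": "TLS1.1", "nstls12": "TLS1.2"}
CANONICAL = {"nstls1": "nsTLS1", "nstls10": "nsTLS10",
             "nstls11": "nsTLS11", "nstls12": "nsTLS12"}


@dataclass(frozen=True)
class TlsPolicy:
    ssl_version_min: Optional[str]   # None means "SSL configuration fails"
    ignored: Tuple[str, ...]         # attributes present in the entry but without effect


def parse_entry(ldif: str) -> Dict[str, str]:
    """Minimal single-entry LDIF parser (assumed format: 'attr: value' lines)."""
    attrs: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip().lower()
    return attrs


def effective_policy(attrs: Dict[str, str]) -> TlsPolicy:
    """Apply the ticket's rules to a parsed entry (keys lower-cased)."""
    new_present = [a for a in NEW_ATTRS if a in attrs]
    if not new_present:
        # Legacy path: nsTLS1 alone decides; its default is "on" -> TLS1.0.
        if attrs.get("nstls1", "on") == "on":
            return TlsPolicy("TLS1.0", ())
        return TlsPolicy(None, ())          # nsTLS1: off and nothing else -> fails
    ignored = []
    # Any of nsTLS10/11/12 present -> nsTLS1 is ignored whatever its value.
    if "nstls1" in attrs:
        ignored.append("nsTLS1")
    enabled = [NEW_ATTRS[a] for a in new_present if attrs[a] == "on"]
    if not enabled:
        return TlsPolicy(None, tuple(ignored))   # all off -> SSL configuration fails
    lowest = min(enabled, key=VERSION_ORDER.index)
    # "off" on a version above the minimum does not become sslVersionMax;
    # the ticket says it is simply ignored, so report it as such.
    for a in new_present:
        above_min = VERSION_ORDER.index(NEW_ATTRS[a]) > VERSION_ORDER.index(lowest)
        if attrs[a] == "off" and above_min:
            ignored.append(CANONICAL[a])
    return TlsPolicy(lowest, tuple(ignored))


def audit(ldif: str) -> TlsPolicy:
    """Convenience wrapper: LDIF text in, effective policy out."""
    return effective_policy(parse_entry(ldif))


# Constructed sample entries for the example; not taken from any real server.
WEAK_DEFAULT = "dn: cn=encryption,cn=config\n"
HARDENED = "dn: cn=encryption,cn=config\nnsTLS12: on\n"
ALL_OFF = ("dn: cn=encryption,cn=config\nnsTLS10: off\nnsTLS11: off\n"
           "nsTLS12: off\nnsTLS1: off\n")
OFF_ON_HIGHER = "dn: cn=encryption,cn=config\nnsTLS10: on\nnsTLS12: off\n"

if __name__ == "__main__":
    for label, entry in (("default", WEAK_DEFAULT), ("hardened", HARDENED),
                         ("all off", ALL_OFF), ("off on higher", OFF_ON_HIGHER)):
        pol = audit(entry)
        state = pol.ssl_version_min or "SSL configuration fails"
        print(f"{label:14s} sslVersionMin={state:24s} ignored={pol.ignored}")
```

Feeding it the `cn=encryption,cn=config` entry (for instance from an `ldapsearch -b cn=encryption,cn=config` dump) shows at a glance whether the floor is still TLS1.0, which is the question the ticket was raised to answer: the default and `nsTLS1: on` cases both leave TLS1.0 enabled, and only `nsTLS11: on` or `nsTLS12: on` raise the floor.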