Ticket #47928 - Disable SSL v3, by default.
Description:
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
nsSSL3: off
nsTLS1: on
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
2) Setting new SSL version attrs; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
nsSSL3: on
sslVersionMin: TLS1.0
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis
able nsSSL3 in cn=encryption,cn=config.
SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
are on. Respect the supported range.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
nsSSL3: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
the version range as default min: TLS1.0, max: TLS1.2.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
5) Setting old/new SSL version attrs; no conflict; setting SSL3
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
nsSSL3 in cn=encryption,cn=config.
SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
to set sslVersionMin higher than TLS1.0.
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
https://fedorahosted.org/389/ticket/47928
Reviewed by mreynolds@redhat.com (Thank you, Mark!!)