#47928 Disable SSL v3, by default.
Closed: wontfix. Opened 5 years ago by nhosoi.

On the new installation, SSL v3 should be disabled by default, and provide the safe cipher suites.


git patch file (master) -- CI test: added test cases for ticket 47928
0002-Ticket-47928-CI-test-added-test-cases-for-ticket-479.patch

Reviewed by Rich (Thank you!!)

Pushed to master:
be67f81..958be12 master -> master
commit c1ecd8b
commit 958be12

Pushed to 389-ds-base-1.3.3:
96d7459..b7b4981 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 524d127
commit b7b4981

We have to decide what to do to 1.3.2 and 1.2.11.

Reviewed by Rich (Thank you!!)

Pushed to master:
3cdf0eb..77989d3 master -> master
commit 77989d3

Pushed to 389-ds-base-1.3.3:
738d985..29a4160 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 29a4160

Note: still open for 1.3.2 and 1.2.11.

I vote for these to be backported to 1.2.11. poodlebleed also affects tls1.0 (basically the same thing as SSL3), and in 1.3.2/1.2.11 there is no way to tell DS to use tls1.1 and up, only "nsTLS: on" - which allows tls1.0 (bad).

git patch file (master) -- Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch

Description:
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
nsSSL3: off
nsTLS1: on
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
2) Setting new SSL version attrs; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
nsSSL3: on
sslVersionMin: TLS1.0
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
nsSSL3: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

5) Setting old/new SSL version attrs; no conflict; setting SSL3
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0.
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
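The range resolution walked through in the five cases above, as an added model in Python; it is not 389-ds-base's own code. It parses the attributes of cn=encryption,cn=config in LDIF form and reports the effective range and the alerts the server would log, so an administrator can check an entry before restarting. The supported maximum of TLS1.2, the default of nsTLS1 being on, the order of the checks, and the handling of any range not covered by the five cases are assumptions inferred from the log output in this ticket.

```python
"""Model of how the effective SSL/TLS version range is derived from
cn=encryption,cn=config, reconstructed from the five cases in ticket 47928.
Added example: this is not 389-ds-base's own code."""

from typing import Dict, List, Tuple

# Protocol versions ordered weakest to strongest. TLS1.3 is listed only because the
# ticket's test configs set sslVersionMax: TLS1.3 to show clamping.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
SUPPORTED_MAX = "TLS1.2"  # maximum supported by the NSS build in the ticket's runs (assumed)
DEFAULT_MIN = "TLS1.0"    # default minimum after the patch (previously TLS1.1)
DEFAULT_MAX = SUPPORTED_MAX


def _rank(version: str) -> int:
    """Position of a version in VERSIONS; higher is stronger."""
    return VERSIONS.index(version)


def parse_encryption_entry(ldif: str) -> Dict[str, str]:
    """Parse 'attribute: value' lines of the encryption entry into a dict keyed by
    lower-cased attribute name (LDAP attribute names are case-insensitive).
    Blank lines, comments and lines without ': ' are ignored."""
    attrs: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs[name.strip().lower()] = value.strip()
    return attrs


def resolve_ssl_range(attrs: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Return (min, max, alerts) as the server would log them at SSL initialization."""
    alerts: List[str] = []
    nsssl3 = attrs.get("nsssl3", "off").lower() == "on"
    nstls1 = attrs.get("nstls1", "on").lower() == "on"  # nsTLS1 defaults to on (case 3)
    vmin = attrs.get("sslversionmin", DEFAULT_MIN)
    vmax = attrs.get("sslversionmax", DEFAULT_MAX)
    for v in (vmin, vmax):
        if v not in VERSIONS:
            raise ValueError(f"unknown SSL/TLS version {v!r}")

    # nsSSL3: on is always flagged, whatever the range ends up being (cases 3 and 5).
    if nsssl3:
        alerts.append("Found unsecure configuration: nsSSL3: on; We strongly recommend "
                      "to disable nsSSL3 in cn=encryption,cn=config.")

    # A configured maximum above what NSS supports is silently clamped (cases 1 and 2).
    if _rank(vmax) > _rank(SUPPORTED_MAX):
        vmax = SUPPORTED_MAX

    if nsssl3 and nstls1 and _rank(vmin) >= _rank("TLS1.0"):
        # Case 3: the new-style range is stricter than the old attributes; the range wins.
        alerts.append(f"Configured range: min: {vmin}, max: {vmax}; but both nsSSL3 and "
                      "nsTLS1 are on. Respect the supported range.")
    elif nstls1 and _rank(vmax) < _rank("TLS1.0"):
        # Case 4: old attributes ask for TLS1 but the range excludes it; fall back to defaults.
        alerts.append('nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring '
                      f"the version range as default min: {DEFAULT_MIN}, max: {DEFAULT_MAX}.")
        vmin, vmax = DEFAULT_MIN, DEFAULT_MAX
    elif _rank(vmin) < _rank("TLS1.0"):
        # Case 5: SSL3 was asked for consistently; it is honoured but warned about.
        alerts.append(f"Too low configured range: min: {vmin}, max: {vmax}; We strongly "
                      "recommend to set sslVersionMin higher than TLS1.0.")
    return vmin, vmax, alerts


# Constructed inputs, copied from the five cases in the ticket description.
TICKET_CASES = {
    0: "",
    1: "sslVersionMin: TLS1.0\nsslVersionMax: TLS1.3\nnsSSL3: off\nnsTLS1: on",
    2: "sslVersionMin: TLS1.0\nsslVersionMax: TLS1.3",
    3: "nsSSL3: on\nsslVersionMin: TLS1.0",
    4: "nsSSL3: off\nsslVersionMin: SSL3\nsslVersionMax: SSL3",
    5: "nsSSL3: on\nnsTLS1: off\nsslVersionMin: SSL3\nsslVersionMax: SSL3",
}


def lint(ldif: str) -> Tuple[str, str, List[str]]:
    """Convenience wrapper: parse the entry, then resolve the range."""
    return resolve_ssl_range(parse_encryption_entry(ldif))


if __name__ == "__main__":
    for n, ldif in TICKET_CASES.items():
        vmin, vmax, alerts = lint(ldif)
        for a in alerts:
            print(f"case {n}: SSL alert: {a}")
        print(f"case {n}: Configured SSL version range: min: {vmin}, max: {vmax}")
```

Running the module prints, for each case, the same alerts and final range shown in the description. Only case 5 ends up with an SSL3-only range, and it does so only because nsTLS1 was explicitly turned off; every other combination lands on TLS1.0 to TLS1.2.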

Reviewed by Mark (Thank you!!)

Pushed to master:
6b4ade8..ad7885e master -> master
commit ad7885e

Pushed to 389-ds-base-1.3.3:
6a435f1..3e7321b 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 3e7321b

git patch file (1.2.11 only) -- back-ported the support for the internal ssl version range
0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.patch

Since it's a backport, consider it already acked.

Pushed to 389-ds-base-1.2.11:
099d1ce..8550aaf 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 17fc03c

Pushed to 389-ds-base-1.3.1:
d1b5c7a..d4d34b2 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit d4d34b245905886742f18d63da83c4edddf973ea

Pushed to 389-ds-base-1.3.2:
a31bd5c..f7ae1e8 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit f7ae1e8

git patch file (1.2.11 branch) -- additional fix for "TLS1 can't be turned off"
0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.2.patch

Thank you for the review, Rich!

Pushed to 389-ds-base-1.2.11:
88ecf0c..37d5696 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit f0d0930

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.33

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1259

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

7 days ago
