On a new installation, SSL v3 should be disabled by default, and the safe cipher suites should be provided.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153737
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153739
git patch file (master) 0001-Ticket-47928-Disable-SSL-v3-by-default.patch
git patch file (master) -- CI test: added test cases for ticket 47928 0002-Ticket-47928-CI-test-added-test-cases-for-ticket-479.patch
Reviewed by Rich (Thank you!!)
Pushed to master: be67f81..958be12 master -> master commit c1ecd8b commit 958be12
Pushed to 389-ds-base-1.3.3: 96d7459..b7b4981 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 524d127 commit b7b4981
We have to decide what to do to 1.3.2 and 1.2.11.
coverity fix for defect: 12783 - Logically dead code 0001-Ticket-47928-Disable-SSL-v3-by-default.2.patch
Pushed to master: 3cdf0eb..77989d3 master -> master commit 77989d3
Pushed to 389-ds-base-1.3.3: 738d985..29a4160 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 29a4160
Note: still open for 1.3.2 and 1.2.11.
I vote for these to be backported to 1.2.11. poodlebleed also affects tls1.0 (basically the same thing as SSL3), and in 1.3.2/1.2.11 there is no way to tell DS to use tls1.1 and up, only "nsTLS: on" - which allows tls1.0 (bad).
git patch file (master) -- Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. 0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch
Description: Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. In dn: cn=encryption,cn=config:

0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   nsSSL3: off
   nsTLS1: on
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

2) Setting new SSL version attrs; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
   nsSSL3: on
   sslVersionMin: TLS1.0
   ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
       SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
   nsSSL3: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==> SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

5) Setting old/new SSL version attrs; no conflict; setting SSL3
   nsSSL3: on
   nsTLS1: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
       SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0.
       SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
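As an added illustration of the version-range resolution the five cases above describe, the following is a small Python model of how the old switches (nsSSL3, nsTLS1) and the new range attributes (sslVersionMin, sslVersionMax) in cn=encryption,cn=config combine into the effective range and alerts. It is not 389-ds-base code: the rules (stricter minimum wins, requested max clamped to the library-supported max, nsTLS1 off treated as capping the range at SSL3) are inferred from the listed cases and are an assumption about the server's actual logic; the function name resolve_ssl_range and the dict-based entry representation are made up for this example.

```python
# Added example: model of the SSL/TLS version-range resolution described in
# the ticket's five cases. NOT 389-ds-base code; the rules are an assumption
# inferred from the case list.

ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
DEFAULT_MIN = "TLS1.0"


def _rank(version):
    return ORDER.index(version)


def resolve_ssl_range(entry, supported_max="TLS1.2"):
    """Return (effective_min, effective_max, alerts) for an encryption entry.

    entry: dict of attribute name -> value, e.g.
           {"nsSSL3": "on", "sslVersionMin": "TLS1.0"} (constructed input).
    supported_max: highest protocol the crypto library supports.
    """
    alerts = []
    nsssl3 = entry.get("nsSSL3", "off").lower() == "on"   # default: off
    nstls1 = entry.get("nsTLS1", "on").lower() == "on"    # default: on

    if nsssl3:
        alerts.append("Found unsecure configuration: nsSSL3: on; We strongly "
                      "recommend to disable nsSSL3 in cn=encryption,cn=config.")

    # Old-style switches expressed as a range (assumption: nsTLS1 off caps at SSL3).
    old_min = "SSL3" if nsssl3 else DEFAULT_MIN
    old_max = supported_max if nstls1 else "SSL3"

    # New-style range attributes; a max above what the library supports is clamped
    # (cases 1 and 2: TLS1.3 requested, TLS1.2 supported).
    new_min = entry.get("sslVersionMin", old_min)
    new_max = entry.get("sslVersionMax", old_max)
    if _rank(new_max) > _rank(supported_max):
        new_max = supported_max

    if _rank(new_min) > _rank(old_min):
        # Case 3: new minimum is stricter than the old switches imply; the new
        # range wins (wording assumes nsTLS1 is on, as in the ticket's case).
        alerts.append(f"Configured range: min: {new_min}, max: {new_max}; but both "
                      "nsSSL3 and nsTLS1 are on. Respect the supported range.")
        eff_min, eff_max = new_min, new_max
    elif _rank(new_min) < _rank(old_min):
        # Case 4: old switches are stricter; fall back to the defaults.
        alerts.append(f'nsTLS1 is on, but the version range is lower than "{DEFAULT_MIN}"; '
                      f"Configuring the version range as default min: {DEFAULT_MIN}, "
                      f"max: {supported_max}.")
        eff_min, eff_max = DEFAULT_MIN, supported_max
    else:
        # No conflict on the minimum; never exceed what the old switches allow.
        eff_min = new_min
        eff_max = new_max if _rank(new_max) <= _rank(old_max) else old_max

    if _rank(eff_min) < _rank(DEFAULT_MIN):
        # Case 5: SSL3 deliberately enabled; the server honours it but warns.
        alerts.append(f"Too low configured range: min: {eff_min}, max: {eff_max}; We "
                      f"strongly recommend to set sslVersionMin higher than {DEFAULT_MIN}.")

    return eff_min, eff_max, alerts


# Constructed entries mirroring the ticket's cases 0-5.
CASES = [
    {},
    {"sslVersionMin": "TLS1.0", "sslVersionMax": "TLS1.3", "nsSSL3": "off", "nsTLS1": "on"},
    {"sslVersionMin": "TLS1.0", "sslVersionMax": "TLS1.3"},
    {"nsSSL3": "on", "sslVersionMin": "TLS1.0"},
    {"nsSSL3": "off", "sslVersionMin": "SSL3", "sslVersionMax": "SSL3"},
    {"nsSSL3": "on", "nsTLS1": "off", "sslVersionMin": "SSL3", "sslVersionMax": "SSL3"},
]

if __name__ == "__main__":
    for i, entry in enumerate(CASES):
        lo, hi, alerts = resolve_ssl_range(entry)
        for a in alerts:
            print(f"{i}) SSL alert: {a}")
        print(f"{i}) SSL Initialization - Configured SSL version range: min: {lo}, max: {hi}")
```

Running the module prints the alerts and resulting range for each constructed case; the only case that ends up below TLS1.0 is case 5, where the administrator explicitly turned nsTLS1 off and pinned both range attributes to SSL3, which is exactly the configuration the alert text warns against.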
Reviewed by Mark (Thank you!!)
Pushed to master: 6b4ade8..ad7885e master -> master commit ad7885e
Pushed to 389-ds-base-1.3.3: 6a435f1..3e7321b 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 3e7321b
git patch file (1.2.11 only) -- back-ported the support for the internal ssl version range 0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.patch
Since it's a backport, consider it already acked.
Pushed to 389-ds-base-1.2.11: 099d1ce..8550aaf 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 17fc03c
Pushed to 389-ds-base-1.3.1: d1b5c7a..d4d34b2 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit d4d34b245905886742f18d63da83c4edddf973ea
Pushed to 389-ds-base-1.3.2: a31bd5c..f7ae1e8 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit f7ae1e8
git patch file (1.2.11 branch) -- additional fix for "TLS1 can't be turned off" 0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.2.patch
Thank you for the review, Rich!
Pushed to 389-ds-base-1.2.11: 88ecf0c..37d5696 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit f0d0930
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.11.33