Issue #47928: Disable SSL v3, by default. - 389-ds-base

389-ds-base

#47928 Disable SSL v3, by default.

Closed: Fixed None Opened 4 years ago by nhosoi.

On the new installation, SSL v3 should be disabled by default, and provide the safe cipher suites.

nhosoi commented 4 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153737

nhosoi commented 4 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153739

nhosoi commented 4 years ago

git patch file (master)
0001-Ticket-47928-Disable-SSL-v3-by-default.patch

nhosoi commented 4 years ago

git patch file (master) -- CI test: added test cases for ticket 47928
0002-Ticket-47928-CI-test-added-test-cases-for-ticket-479.patch

nhosoi commented 4 years ago

Reviewed by Rich (Thank you!!)

Pushed to master:
be67f81..958be12 master -> master
commit c1ecd8b
commit 958be12

Pushed to 389-ds-base-1.3.3:
96d7459..b7b4981 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 524d127
commit b7b4981

nhosoi commented 4 years ago

We have to decide what to do to 1.3.2 and 1.2.11.

nhosoi commented 4 years ago

coverity fix for defect: 12783 - Logically dead code
0001-Ticket-47928-Disable-SSL-v3-by-default.2.patch

nhosoi commented 4 years ago

Reviewed by Rich (Thank you!!)

Pushed to master:
3cdf0eb..77989d3 master -> master
commit 77989d3

Pushed to 389-ds-base-1.3.3:
738d985..29a4160 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 29a4160

nhosoi commented 4 years ago

Note: still open for 1.3.2 and 1.2.11.

mreynolds commented 4 years ago

I vote for these to backported to 1.2.11. poodlebleed also affects tls1.0 (basically the same thing as SSL3), and in 1.3.2/1.2.11 there is no way to tell DS to use tls1.1 and up, only "nsTLS: on" - which allows tls1.0 (bad).

nhosoi commented 4 years ago

git patch file (master) -- Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch

nhosoi commented 4 years ago

Description:
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
nsSSL3: off
nsTLS1: on
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
2) Setting new SSL version attrs; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
nsSSL3: on
sslVersionMin: TLS1.0
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis
able nsSSL3 in cn=encryption,cn=config.
SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
are on. Respect the supported range.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
nsSSL3: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
the version range as default min: TLS1.0, max: TLS1.2.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

5) Setting old/new SSL version attrs; no conflict; setting SSL3
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
nsSSL3 in cn=encryption,cn=config.
SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
to set sslVersionMin higher than TLS1.0.
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3

nhosoi commented 4 years ago

Reviewed by Mark (Thank you!!)

Pushed to master:
6b4ade8..ad7885e master -> master
commit ad7885e

Pushed to 389-ds-base-1.3.3:
6a435f1..3e7321b 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 3e7321b

nhosoi commented 4 years ago

git patch file (1.2.11 only) -- back-ported the support for the internal ssl version range
0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.patch

nhosoi commented 4 years ago

Since it's a back-porting, consider it's already acked.

Pushed to 389-ds-base-1.2.11:
099d1ce..8550aaf 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 17fc03c

nhosoi commented 4 years ago

Pushed to 389-ds-base-1.3.1:
d1b5c7a..d4d34b2 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit d4d34b245905886742f18d63da83c4edddf973ea

Pushed to 389-ds-base-1.3.2:
a31bd5c..f7ae1e8 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit f7ae1e8

nhosoi commented 4 years ago

git patch file (1.2.11 branch) -- additional fix for "TLS1 can't be turned off"
0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.2.patch

nhosoi commented 4 years ago

Thank you for the review, Rich!

Pushed to 389-ds-base-1.2.11:
88ecf0c..37d5696 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit f0d0930

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.33

2 years ago

Metadata

Assignee

nhosoi

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.2.11.33

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1210996
https://bugzilla.redhat.com/show_bug.cgi?id=1153737
https://bugzilla.redhat.com/show_bug.cgi?id=1153739

origin

Community

389-ds-base

Source Code

#47928 Disable SSL v3, by default. Closed: Fixed None Opened 4 years ago by nhosoi.

Metadata

#47928 Disable SSL v3, by default.

Closed: Fixed None Opened 4 years ago by nhosoi.