Description of problem:
Error messages have duplicate alerts when you try to set sslVersionMin = "ssl2"

Version-Release number of selected component (if applicable):
[root@dhcp201-167 /]# rpm -qa | grep 389
389-ds-base-libs-1.3.4.0-13.el7.x86_64
389-ds-base-1.3.4.0-13.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
=====================
1. set values ::
nsTLS1: on
nsSSL2: off
nsSSL3: off
AND
> > sslVersionMin: TLS1.0
> > sslVersionMax: TLS1.2
2. Now try modify sslVersionMin to "ssl2"

Actual results:
=================
Error Logs ::
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Aug/2015:15:22:01 +051800] - 389-Directory/1.3.4.0 B2015.231.1727 starting up
[20/Aug

Expected results:
==================
First alert is misleading in error logs which says --
SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.

While actual setting Server does is --
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.

So server should not log the first alert at all. Second alert is accurate and enough.

Additional info:
Check https://bugzilla.redhat.com/show_bug.cgi?id=1044191#c9 for more details regarding original fix.

FOR QA - there is a test case trac605 in ssl.sh for this bug.
The error messages look reasonable.
Now try modify sslVersionMin to "ssl2"
The first alert: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
The version ssl2 is strictly prohibited; it is lower than the library's supported minimum version SSL3.
The second alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
This is talking about the Directory Server's configuration.
Metadata Update from @nhosoi: - Issue set to the milestone: 1.3.5 backlog
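As an added example (not part of the ticket and not 389-ds-base code): a small Python check that reads the startup lines quoted in the report and separates the SSL alerts from the final "Configured SSL version range" line, which is the line that states the range the server ended up with. The regular expressions assume the message wording shown in this ticket's log excerpt; the function names are hypothetical.

```python
import re

# Sample input: the three SSL-related startup lines quoted in the report above.
SAMPLE_LOG = '''\
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
'''

# Assumption: wording matches the alert text shown in this ticket.
REJECTED_RE = re.compile(
    r'The value of (?P<attr>\w+) "(?P<value>[^"]+)" is lower than the supported version')
# The non-alert line that reports the range actually configured.
RANGE_RE = re.compile(
    r'Configured SSL version range: min: (?P<min>[^,\s]+), max: (?P<max>\S+)')


def summarize(log_text):
    """Return alert count, rejected settings and the effective range for one startup."""
    result = {"alerts": 0, "rejected": [], "effective": None}
    for line in log_text.splitlines():
        if "SSL alert:" in line:
            result["alerts"] += 1
            m = REJECTED_RE.search(line)
            if m:
                # A configured value the server refused to use as given.
                result["rejected"].append((m["attr"], m["value"]))
        m = RANGE_RE.search(line)
        if m:
            # Last match wins: this is the range the server reports as configured.
            result["effective"] = (m["min"], m["max"])
    return result


def floor_is_tls(summary):
    """True when the effective minimum is a TLS version rather than an SSL one."""
    effective = summary["effective"]
    return effective is not None and effective[0].upper().startswith("TLS")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("alerts:", s["alerts"])
    print("rejected settings:", s["rejected"])
    print("effective range:", s["effective"], "TLS floor:", floor_is_tls(s))
```

When auditing a server, read the effective range from the "Configured SSL version range" line rather than from the default named in the first alert.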
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1622
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)