#48291 [RFE] - Error message have duplicate alerts when you try to set sslVersionMin = "ssl2"
Closed: wontfix None Opened 8 years ago by nhosoi.

Description of problem:
 Error message has duplicate alerts when you try to set sslVersionMin = "ssl2"

Version-Release number of selected component (if applicable):
[root@dhcp201-167 /]# rpm -qa | grep 389
389-ds-base-libs-1.3.4.0-13.el7.x86_64
389-ds-base-1.3.4.0-13.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
=====================
1. set values ::
nsTLS1: on
nsSSL2: off
nsSSL3: off
AND
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2

2. Now try modify sslVersionMin to "ssl2"

Actual results:
=================
Error Logs ::
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value
of sslVersionMin "ssl2" is lower than the supported version; the default value
"SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range
is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0,
max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
[20/Aug/2015:15:22:01 +051800] - 389-Directory/1.3.4.0 B2015.231.1727 starting
up
[20/Aug

Expected results:
==================
The first alert in the error logs is misleading; it says -- SSL alert: Security
Initialization: The value of sslVersionMin "ssl2" is lower than the supported
version; the default value "SSL3" is used.

While the setting the server actually applies is -- SSL alert: nsTLS1 is on, but the version
range is lower than "TLS1.0"; Configuring the version range as default min:
TLS1.0, max: TLS1.2.

So the server should not log the first alert at all.
The second alert is accurate and enough.

Additional info:
Check https://bugzilla.redhat.com/show_bug.cgi?id=1044191#c9 for more details
regarding original fix.
FOR QA - there is a test case trac605 in ssl.sh for this bug.

The error messages look reasonable.

  1. Now try modify sslVersionMin to "ssl2"

The first alert: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.

The version ssl2 is strictly prohibited; it is lower than the library's supported minimum version SSL3.

The second alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.

This is talking about the Directory Server's configuration.

Metadata Update from @nhosoi:
- Issue set to the milestone: 1.3.5 backlog

7 years ago
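
An added example, not part of the ticket or of 389-ds-base: a small checker that reads the error log lines quoted in the report and separates "a requested value was rejected" alerts from the range the server finally configured, so an audit relies on the `Configured SSL version range` line rather than on the intermediate "SSL3" fallback message. The function names, the `floor` parameter and the protocol ordering table are assumptions made for this example.

```python
import re

# Log lines taken from the report above, with the wrapped lines rejoined.
SAMPLE_LOG = """\
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
"""

# Protocol order, weakest first (assumed table; spellings follow the log text).
ORDER = ["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]

# First alert: a configured attribute value was rejected and replaced.
REJECTED = re.compile(
    r'The value of (\w+) "([^"]+)" is lower than the supported version; '
    r'the default value "([^"]+)" is used'
)
# Final line: the range the server actually configured.
EFFECTIVE = re.compile(r"Configured SSL version range: min: ([^,\s]+), max: (\S+)")


def rank(version):
    """Position of a protocol name in ORDER; raises ValueError if unknown."""
    return ORDER.index(version.upper())


def audit_tls_range(log_text, floor="TLS1.0"):
    """Report rejected settings and whether the effective minimum meets floor."""
    overridden = [m.groups() for m in REJECTED.finditer(log_text)]
    ranges = EFFECTIVE.findall(log_text)
    if not ranges:
        raise ValueError("no 'Configured SSL version range' line found")
    eff_min, eff_max = ranges[-1]  # last startup in the log wins
    return {
        "overridden": overridden,          # (attribute, requested, fallback)
        "effective": (eff_min, eff_max),   # what the server enforces
        "below_floor": rank(eff_min) < rank(floor),
    }


if __name__ == "__main__":
    print(audit_tls_range(SAMPLE_LOG))
```

On the sample, the rejected `ssl2` request is reported separately from the effective range of TLS1.0 to TLS1.2, which is the value to compare against policy.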

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1622

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
