#50355 NSS can change the requested SSL min and max versions
Closed: wontfix 4 years ago by mreynolds. Opened 4 years ago by mreynolds.

Issue Description

In the errors log at startup we report what the requested/condfigured min and max SSL version range is, but NSS can change this. So we need to report the the actual SSL version range after we apply it to the socket:

[08/May/2019:11:01:28.244547706 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2

But NSS actually changes this to: min: TLS1.2, max: TLS1.2

We need to revise the server logging to report this "adjustment".


We already log SSL_VersionRangeGetSupported -- returns the supported range (usually wider than the default set). We should also log SSL_VersionRangeGetDefault -- returns the default, i.e. the case when no explicit setting was made by an application. You might have a look at what I did for OpenLDAP before.

Metadata Update from @mhonek:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue tagged with: Security

4 years ago

commit 3d4c48e

ba68333..1427641 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Commit 57b990d relates to this ticket

Commit 57b990d relates to this ticket

60ce15b..f46334f 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3414

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago

Login to comment on this ticket.

Metadata
Related Pull Requests