#51129 SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version
Closed: wontfix 3 years ago by mreynolds. Opened 3 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1841086

Description of problem:
Can't set TLS1.3 only:
dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:
[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL info:     TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL info:     TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64


How reproducible:
always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64
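
A check for step 3 of the reproduction, added here as an example and not part of the ticket or of the 389-ds-base code: it compares the range the server logged as configured with the range NSS finally applied, and reports any start where the effective minimum is weaker than the one requested. The function name and finding fields are hypothetical; the sample lines are entries from the errors log above, unwrapped.

```python
import re

# Version labels as they are written in the errors log, weakest first.
RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}

RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
    r"min: ([^,\s]+), max: (\S+)")
CLAMP_RE = re.compile(
    r'value of sslVersionMax "([^"]+)" is higher than the supported version')


def audit_tls_range(lines):
    """Return one finding per start whose effective min is below the requested min."""
    findings, requested, clamped = [], None, None
    for line in lines:
        clamp = CLAMP_RE.search(line)
        if clamp:
            clamped = clamp.group(1)  # the max the admin asked for, before the clamp
            continue
        m = RANGE_RE.search(line)
        if not m:
            continue  # the "Failed to set SSL range" ERR line is skipped here
        kind, vmin, vmax = m.groups()
        if kind == "Configured":
            requested = (vmin, vmax)
        elif requested is not None:
            # "NSS adjusted" closes the record opened by "Configured".
            if RANK.get(vmin, -1) < RANK.get(requested[0], -1):
                findings.append({"requested_min": requested[0],
                                 "effective": (vmin, vmax),
                                 "max_clamped_from": clamped})
            requested, clamped = None, None
    return findings


# Sample input: four entries from the ticket's errors log, unwrapped.
SAMPLE = [
    '[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.',
    "[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2",
    "[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)",
    "[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2",
]

if __name__ == "__main__":
    for finding in audit_tls_range(SAMPLE):
        print("TLS minimum weaker than requested:", finding)
```

An empty result means every logged start applied a minimum at least as strong as the one configured.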

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1841086

3 years ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue priority set to: major
- Issue set to the milestone: 1.4.3 (was: 0.0 NEEDS_TRIAGE)

3 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

3 years ago

Commit 2c8e339 relates to this ticket

e036c60..54cdd73 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

f2dc78a..e4d41b9 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in 389-ds-base's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/4182

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
