Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1841086
Description of problem:
Can't set TLS1.3 only:

dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:

[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64

How reproducible: always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64
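
A check that could be run after the restart in step 2, added here as an example and not part of the original report or of 389-ds-base: it reads one startup's errors-log lines and reports when the effective NSS range differs from the requested one, including the case where the protocol floor was lowered. The function name and finding strings are hypothetical; the sample lines are copied from the log above, and the input is assumed to cover a single startup.

```python
import re

# Excerpt from the errors log quoted in the report above (one server startup).
SAMPLE_LOG = """\
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
"""

# Message shapes taken from the log lines in the report.
CLAMP = re.compile(r'sslVersionMax "([^"]+)" is higher than the supported version; '
                   r'the default value "([^"]+)" is used')
FAILED = re.compile(r"Failed to set SSL range: min: (\S+?), max: (\S+) - error (-?\d+)")
ADJUSTED = re.compile(r"NSS adjusted SSL version range: min: (\S+?), max: (\S+)")

# Ordering used only to tell a lowered floor from other mismatches.
RANK = {v: i for i, v in enumerate(["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"])}


def audit_tls_startup(log_text, want_min, want_max):
    """Return (effective_range, findings) for one startup's errors-log lines."""
    effective, findings = None, []
    for line in log_text.splitlines():
        if m := CLAMP.search(line):
            findings.append(f"max clamped {m[1]} -> {m[2]}")
        elif m := FAILED.search(line):
            findings.append(f"range {m[1]}..{m[2]} rejected (error {m[3]})")
        elif m := ADJUSTED.search(line):
            effective = (m[1], m[2])  # the last adjusted line is what NSS uses
    if effective is None:
        findings.append("no effective range logged")
    elif effective != (want_min, want_max):
        findings.append(f"effective {effective[0]}..{effective[1]} "
                        f"!= requested {want_min}..{want_max}")
        # A floor below the requested minimum means older protocols are accepted.
        if RANK.get(effective[0], -1) < RANK.get(want_min, -1):
            findings.append("minimum protocol lowered below requested floor")
    return effective, findings


if __name__ == "__main__":
    rng, issues = audit_tls_startup(SAMPLE_LOG, "TLS1.3", "TLS1.3")
    print(rng, *issues, sep="\n")
```
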
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1841086
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Issue priority set to: major - Issue set to the milestone: 1.4.3 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mreynolds: - Issue assigned to mreynolds
https://pagure.io/389-ds-base/pull-request/51216
Commit 2c8e339 relates to this ticket
e036c60..54cdd73 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
f2dc78a..e4d41b9 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
Metadata Update from @mreynolds: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in 389-ds-base's GitHub repository.
This issue has been cloned to GitHub and is available here: - https://github.com/389ds/389-ds-base/issues/4182
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)