#51129 SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version
Opened a month ago by mreynolds. Modified a month ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1841086

Description of problem:
Can't set TLS1.3 only:
dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:
[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL
info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL
info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL
info:     TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL
info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL
info:     TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL
info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL
info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL
info:     TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL
alert: The value of sslVersionMax "TLS1.3" is higher than the supported
version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL
alert: The min value of NSS version range "TLS1.3" is greater than the max
value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL
alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL
failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range:
min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)

[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64


How reproducible:
always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64
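
A check to run against the errors log after changing the TLS range, added here as an example and not part of the original ticket or of 389-ds-base: it compares the range the server reports as configured with the range NSS actually applied and flags the silent fallback to TLS1.2 shown above. The function names are hypothetical, and the sample input is constructed from three entries of the ticket's log, wrapped as they were pasted.

```python
# Added example; function names are hypothetical, not part of 389-ds-base.
import re

RANGE_RE = re.compile(r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
                      r"min: (TLS\d\.\d), max: (TLS\d\.\d)")
MAX_CAP_RE = re.compile(r'sslVersionMax "(TLS\d\.\d)" is higher than the supported version; '
                        r'the default value "(TLS\d\.\d)" is used')

def unwrap(text):
    """Rejoin entries wrapped across lines, as in the ticket's pasted log."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def rank(version):
    """'TLS1.3' -> (1, 3) so versions compare numerically."""
    return tuple(int(part) for part in version[3:].split("."))

def audit_tls_range(log_text):
    """Compare the requested TLS range with the one NSS actually applied."""
    configured = effective = capped = None
    for entry in unwrap(log_text):
        if (m := RANGE_RE.search(entry)):
            if m.group(1) == "Configured":
                configured = (m.group(2), m.group(3))
            else:
                effective = (m.group(2), m.group(3))
        elif (m := MAX_CAP_RE.search(entry)):
            capped = (m.group(1), m.group(2))
    findings = []
    if capped:
        findings.append(f"max capped: {capped[0]} -> {capped[1]}")
    if configured and effective and rank(effective[0]) < rank(configured[0]):
        findings.append(f"min lowered: {configured[0]} -> {effective[0]}")
    return {"configured": configured, "effective": effective, "findings": findings}

# Constructed sample: three entries from the ticket's log, wrapped as pasted there.
SAMPLE = '''[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL
alert: The value of sslVersionMax "TLS1.3" is higher than the supported
version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
'''
```

An empty `findings` list means the applied range matches what was requested; any entry means the server is accepting a weaker protocol than the configuration asked for.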

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1841086

a month ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue priority set to: major
- Issue set to the milestone: 1.4.3 (was: 0.0 NEEDS_TRIAGE)

a month ago
