#605 support TLS 1.1
Closed: wontfix None Opened 8 years ago by rmeggins.

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes

We will have to do this in ds, admin server, dsgw, adminutil, and perldap.


Description:
NSS 3.14 deprecates the current way to configure SSL versions:
SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3|SSL_ENABLE_TLS, True|False)
Instead, it introduces new range APIs to provide more detailed SSL
version control by using SSL_VersionRangeSet(pr_sock, NSSVersions).
The NSSVersions has 2 fields "min" and "max", which take the minimum
and maximum SSL versions.

By default, slapd_ssl_init2 sets the default supported range by NSS,
which is min: SSL3 and max: TLS1.2. This patch adds 2 config params
sslVersionMin and sslVersionMax to cn=encryption,cn=config to provide
the ability to control the values.

Both takes: ssl3 or tls1.?. If the range is not supported by the
NSS or conflicts with the current params nsSSL3 and nsTLS1, it'd be
adjusted.

{{{

124 attributeTypes: ( sslVersionMax NAME 'sslVersionMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )

}}}
should be sslVersionMax-oid to be consistent.

Please change "valud" to "value"

Otherwise, ack

Rich, thank you for pointing out the typos!!

Revised and pushed to master:
9357bf1..88d4bec master -> master
commit 88d4bec

Description: commit 88d4bec always
expected the NSS version supporting TLS 1.2. It broke the build on
the system having the NSS version that only supports TLS 1.1 (and
older). This patch checks the NSS version and switches the supported
TLS in ssl.c based upon the version info.

Reviewed by Rich (Thank you!!)

Pushed to master:
9ec7b92..5d60dab master -> master
commit 5d60dab

mareynol@redhat.com wrote:
Looks like there is logging early on in the startup process:

[05/Dec/2013:15:05:28 -0500] SSL Initialization - supported range: min: SSL3, max: TLS1.1

I see this on the command line when I restart my instances - as the error log has probably not been initialized yet. I don't think this should be displayed when restarting an instance. Can we remove this, or move it somewhere else where it won't go to stdout? Do you agree? Thoughts?

git patch file (master) -- lower the log level for the supported NSS version range
0001-Ticket-605-support-TLS-1.1-lower-the-log-level-for-t.patch

Thanks to mareynol@redhat.com for pointing out the problem and testing the patch.

Pushed to master:
24d1817..25e91e8 master -> master
commit 25e91e8

git patch file (master) -- Fixing "Coverity 12415 - Logically dead code"
0001-Ticket-605-support-TLS-1.1-Fixing-Coverity-12415-Log.patch

Pushed to master:
9a0fb6a..4ae7645 master -> master
commit 4ae7645

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 11/13 (November)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/605

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

8 months ago

Login to comment on this ticket.

Metadata