From 3548738f9df0ab7a2df009def81a6fba86b32921 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: May 01 2020 13:58:06 +0000
Subject: Issue 51060 - unable to set sslVersionMin to TLS1.0

Description: When processing the "sslVersionMin" attribute we were incorrectly setting it to TLS1.2 (current default level)

fixes: https://pagure.io/389-ds-base/issue/51060

Reviewed by: firstyear(Thanks!)

---

diff --git a/dirsrvtests/tests/suites/tls/ssl_version_test.py b/dirsrvtests/tests/suites/tls/ssl_version_test.py
index acc8b23..d9dae5a 100644
--- a/dirsrvtests/tests/suites/tls/ssl_version_test.py
+++ b/dirsrvtests/tests/suites/tls/ssl_version_test.py
@@ -19,10 +19,12 @@ def test_ssl_version_range(topo):
 1. Get current default range
 2. Set sslVersionMin and verify it is applied after a restart
 3. Set sslVersionMax and verify it is applied after a restart
+ 4. Sanity test all the min/max versions
 :expectedresults:
 1. Success
 2. Success
 3. Success
+ 4. Success
 """

 topo.standalone.enable_tls()
@@ -47,6 +49,16 @@ def test_ssl_version_range(topo):
 max = enc.get_attr_val_utf8('sslVersionMax')
 assert max == default_min

+ # Sanity test all the min/max versions
+ for attr, versions in [('sslVersionMin', ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0']),
+ ('sslVersionMax', ['TLS1.0', 'TLS1.1', 'TLS1.2'])]:
+ for version in versions:
+ # Test that the setting is correctly applied after a restart
+ enc.replace(attr, version)
+ topo.standalone.restart()
+ current_val = enc.get_attr_val_utf8(attr)
+ assert current_val == version
+

 if __name__ == '__main__':
 # Run isolated
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 2d7ba3e..846106b 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
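Review bot: The trailing 'TLS1.0' in the sslVersionMin list of the second ssl_version_test.py hunk reads like a copy-paste duplicate, but it appears to be what lets the following sslVersionMax loop lower the maximum to TLS1.0 without the minimum (left at TLS1.2 by the previous iteration) exceeding it; a comment should say so, e.g. `# end on TLS1.0 so the sslVersionMax loop below can lower the max to TLS1.0`. The assertion only confirms that the attribute value survives the restart; whether the server actually enforces that protocol floor on a connection is not exercised here, which step 4 of the docstring could state so nobody reads it as a negotiation test. The loop also leaves the instance at min TLS1.0/max TLS1.2 rather than restoring the default range read at step 1, which may affect later tests that share the topology.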
@@ -1373,7 +1373,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
 val, emin);
 (*rval) = enabledNSSVersions.min;
 } else {
- (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
 }
 } else {
 if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
@@ -1384,7 +1384,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
 val, emax);
 (*rval) = enabledNSSVersions.max;
 } else {
- (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
 }
 }
 } else if (tlsv < 1.2f) { /* TLS1.1 */
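Review bot: The guard that selects between the clamp branch and the changed assignment still compares against CURRENT_DEFAULT_SSL_VERSION — visible in the first hunk's trailing context as `if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {`, which governs the assignment changed in the second hunk — so with an NSS-enabled maximum between TLS1.0 and the default, a requested TLS1.0 is silently replaced by enabledNSSVersions.max instead of being honored. That guard should test the value now being applied, `if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {`, and the min-side guard above the first hunk (outside this diff, presumably comparing enabledNSSVersions.min) needs the same treatment; set_NSS_version begins and ends outside both hunks. Whether either path also rejects a TLS1.0 maximum that falls below enabledNSSVersions.min cannot be seen here and is worth confirming. Since a configured sslVersionMin can now genuinely lower the floor below the current default, this branch should log, through the same logging call used for the clamp case two lines above, that a below-default minimum was applied, so a weakened TLS floor is visible in the error log and not only in the encryption config entry.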