cgrzemba / 389-ds-base

Forked from 389-ds-base 5 years ago

524d127 Ticket #47928 - Disable SSL v3, by default.

Authored and Committed by nhosoi 9 years ago
    Ticket #47928 - Disable SSL v3, by default.
    
    Description:
    There are 2 ways to specify the SSL version in cn=encryption,cn=config.
     . existing method (SSL version info)
         nsSSL3: on|off
         nsTLS1: on|off
     . new method (SSL version range)
         sslVersionMin: <VERSION>
         sslVersionMax: <VERSION>
       where <VERSION> takes "SSL3", "TLS1.0" through "TLS1.2".
    
    If no SSL version info nor range are set in cn=encryption,cn=config,
         nsSSL3: off
         nsTLS1: on
         sslVersionMin is TLS1.1
         sslVersionMax is TLS1.2
    
    If SSL version info and range have conflicts, a tighter setting is
    chosen.  For instance, in the case of sslVersionMin: TLS1.1; nsTLS1: off;
    nsSSL3: on, the range setting is respected.
         nsSSL3: off
         nsTLS1: on
         sslVersionMin is TLS1.1
         sslVersionMax is TLS1.2
    "SSL alert: Configured range: min: TLS1.1, max: TLS1.2; but nsSSL3 is on
    and nsTLS1 is off. Respect the configured range." is logged in the error
    log.
    
    When cn=encryption,cn=config is searched, the SSL version info as well
    as the range are retrieved from the settings in ssl.c and returned.
    E.g.,
    dn: cn=encryption,cn=config
    nsSSL2: off
    nsSSL3: off
    nsTLS1: on
    sslVersionMin: TLS1.1
    sslVersionMax: TLS1.2
    
    https://fedorahosted.org/389/ticket/47928
    
    Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
    
    (cherry picked from commit c1ecd8b659a0b8f7d84f8157cb69810c85ee26e4)
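The resolution rules described in the commit message (defaults when nothing is set, a configured range overriding conflicting nsSSL3/nsTLS1 flags, and the alert that is logged) as a small Python model. This is an added illustration, not code from 389-ds-base; the way the legacy flags alone map to a range is an assumption, since the message only spells out the default and the conflict case.

```python
from dataclasses import dataclass
from typing import Optional

# Protocol versions in order, oldest to newest, as listed in the commit message.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]
DEFAULT_MIN, DEFAULT_MAX = "TLS1.1", "TLS1.2"  # defaults named in the message


@dataclass
class Resolved:
    nsSSL3: str            # "on" | "off", as a search of cn=encryption returns them
    nsTLS1: str
    sslVersionMin: str
    sslVersionMax: str
    alert: Optional[str]   # text that would go to the error log, or None


def resolve(nsSSL3=None, nsTLS1=None, sslVersionMin=None, sslVersionMax=None):
    """Model of how the cn=encryption,cn=config settings combine (not 389-ds code)."""
    alert = None
    if sslVersionMin is None and sslVersionMax is None:
        # No range given: derive it from the legacy flags (assumption: nsSSL3
        # adds SSL3, nsTLS1 adds TLS1.0-TLS1.2; neither on falls back to defaults).
        ssl3_on, tls1_on = nsSSL3 == "on", nsTLS1 == "on"
        if not ssl3_on and not tls1_on:
            vmin, vmax = DEFAULT_MIN, DEFAULT_MAX
        else:
            vmin = "SSL3" if ssl3_on else "TLS1.0"
            vmax = "TLS1.2" if tls1_on else "SSL3"
    else:
        # A configured range always wins; a missing end takes the default.
        vmin = sslVersionMin or DEFAULT_MIN
        vmax = sslVersionMax or DEFAULT_MAX
        if VERSIONS.index(vmin) > VERSIONS.index(vmax):
            raise ValueError(f"sslVersionMin {vmin} above sslVersionMax {vmax}")
        # Legacy flags that disagree with the range are overridden and an alert
        # is logged, in the wording quoted in the commit message.
        ssl3_expected = "on" if vmin == "SSL3" else "off"
        tls1_expected = "on" if VERSIONS.index(vmax) >= 1 else "off"
        if (nsSSL3 is not None and nsSSL3 != ssl3_expected) or \
           (nsTLS1 is not None and nsTLS1 != tls1_expected):
            alert = (f"SSL alert: Configured range: min: {vmin}, max: {vmax}; "
                     f"but nsSSL3 is {nsSSL3} and nsTLS1 is {nsTLS1}. "
                     "Respect the configured range.")
    # The flags reported on a search are re-derived from the effective range.
    return Resolved(nsSSL3="on" if vmin == "SSL3" else "off",
                    nsTLS1="on" if VERSIONS.index(vmax) >= 1 else "off",
                    sslVersionMin=vmin, sslVersionMax=vmax, alert=alert)
```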
    
file modified
+40 -3
file modified
+226 -134