Ticket #47928 - Disable SSL v3, by default.
Description:
There are 2 ways to specify the SSL version in cn=encryption,cn=config.
. existing method (SSL version info)
    nsSSL3: on|off
    nsTLS1: on|off
. new method (SSL version range)
    sslVersionMin: <VERSION>
    sslVersionMax: <VERSION>
  where <VERSION> takes "SSL3", "TLS1.0" through "TLS1.2".

If neither SSL version info nor range is set in cn=encryption,cn=config,
    nsSSL3: off
    nsTLS1: on
    sslVersionMin is TLS1.1
    sslVersionMax is TLS1.2

If SSL version info and range have conflicts, a tighter setting is
chosen. For instance, in the case of sslVersionMin: TLS1.1; nsTLS1: off;
nsSSL3: on, the range setting is respected.
    nsSSL3: off
    nsTLS1: on
    sslVersionMin is TLS1.1
    sslVersionMax is TLS1.2
"SSL alert: Configured range: min: TLS1.1, max: TLS1.2; but nsSSL3 is on
and nsTLS1 is off. Respect the configured range." is logged in the error
log.

When cn=encryption,cn=config is searched, the SSL version info as well
as the range are retrieved from the settings in ssl.c and returned.
E.g.,
    dn: cn=encryption,cn=config
    nsSSl2: off
    nsSSL3: off
    nsTLS1: on
    sslVersionMin: TLS1.1
    sslVersionMax: TLS1.2

https://fedorahosted.org/389/ticket/47928
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit c1ecd8b659a0b8f7d84f8157cb69810c85ee26e4)
(cherry picked from commit 524d127f14d3bb666d8ac11a277c4ef60693045f)
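
The settings described in this commit message can be audited offline from an LDIF dump of cn=encryption,cn=config. The Python below is an added example, not part of the commit or of the 389 Directory Server code; the finding codes and sample entries are constructed, and flagging `nsSSL3: on` without `sslVersionMin` is an assumption, since the message does not say how that case resolves.

```python
# Added example: flag SSLv3 exposure in an LDIF dump of cn=encryption,cn=config.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]  # <VERSION> values from the commit message

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: value}."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith(("#", " ")):
            attrs[name.strip().lower()] = value.strip()
    return attrs

def audit(ldif):
    """Return a list of (code, message) findings; codes are constructed names."""
    attrs = parse_entry(ldif)
    ssl3_on = attrs.get("nsssl3", "off").lower() == "on"   # default per the message: off
    vmin = attrs.get("sslversionmin")                      # default per the message: TLS1.1
    findings = []
    if vmin is None:
        if ssl3_on:
            # Assumption: the message does not say how this case resolves, so flag it.
            findings.append(("SSL3_ON_NO_MIN", "nsSSL3 is on and no sslVersionMin is set"))
    elif vmin.upper() not in VERSIONS:
        findings.append(("INVALID_MIN", "sslVersionMin %r is not a listed version" % vmin))
    elif vmin.upper() == "SSL3":
        findings.append(("SSL3_IN_RANGE", "sslVersionMin admits SSL3"))
    elif ssl3_on:
        # Conflict case from the message: the range is respected and an
        # "SSL alert: Configured range ..." line is written to the error log.
        findings.append(("CONFLICT_RANGE_RESPECTED",
                         "nsSSL3 is on but sslVersionMin is %s" % vmin))
    return findings

# Constructed sample entries.
DEFAULT_ENTRY = """dn: cn=encryption,cn=config
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2
"""
CONFLICT_ENTRY = """dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: off
sslVersionMin: TLS1.1
"""
LEGACY_ENTRY = "dn: cn=encryption,cn=config\nnsSSL3: on\nnsTLS1: on\n"

if __name__ == "__main__":
    for label, entry in [("default", DEFAULT_ENTRY), ("conflict", CONFLICT_ENTRY),
                         ("legacy", LEGACY_ENTRY)]:
        print(label, audit(entry))
```

A `CONFLICT_RANGE_RESPECTED` finding means the stored attributes contradict each other and should be cleaned up, even though the range wins according to the message.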