mreynolds / 389-ds-base

Forked from 389-ds-base 6 years ago

c2bb628 Ticket #47928 - Disable SSL v3, by default.

Authored and Committed by nhosoi 9 years ago
    Ticket #47928 - Disable SSL v3, by default.
    
    Description:
    Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
    In dn: cn=encryption,cn=config,
    0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
       ==>
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    
    1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
       sslVersionMin: TLS1.0
       sslVersionMax: TLS1.3
       nsSSL3: off
       nsTLS1: on
       ==>
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    2) Setting new SSL version attrs; supported max is TLS1.2
       sslVersionMin: TLS1.0
       sslVersionMax: TLS1.3
       ==>
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    
    3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
       nsSSL3: on
       sslVersionMin: TLS1.0
       ==>
       SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to
       disable nsSSL3 in cn=encryption,cn=config.
       SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
        are on. Respect the supported range.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    
    4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
       nsSSL3: off
       sslVersionMin: SSL3
       sslVersionMax: SSL3
       ==>
       SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
        the version range as default min: TLS1.0, max: TLS1.2.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    
    5) Setting old/new SSL version attrs; no conflict; setting SSL3
       nsSSL3: on
       nsTLS1: off
       sslVersionMin: SSL3
       sslVersionMax: SSL3
       ==>
       SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
       nsSSL3 in cn=encryption,cn=config.
       SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
       to set sslVersionMin higher than TLS1.0.
       SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
    
    https://fedorahosted.org/389/ticket/47928
    
    Reviewed by mreynolds@redhat.com (Thank you, Mark!!)
    
    (cherry picked from commit ad7885eae64a2085a89d516c1106b578142be502)
    (cherry picked from commit 3e7321ba1641234651fbf1e8fc01bf9fbecbc696)
    
        
file modified
+1 -1
file modified
+42 -32
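
An added example, not part of the commit or the 389-ds-base code: a small audit that reads the startup messages quoted in the commit message and reports the range the server actually negotiated, which can differ from what `nsSSL3` or `sslVersionMin` request (cases 3 and 4). The function name `audit_ssl_log`, the `floor` parameter and the timestamp prefix on the sample lines are assumptions; the message texts are taken from cases 3 and 5 above.

```python
import re

# Protocol names as they appear in the log messages, weakest first.
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
RANGE_RE = re.compile(r"SSL Initialization - Configured SSL version range: "
                      r"min: (?P<min>[\w.]+), max: (?P<max>[\w.]+)")
ALERT_RE = re.compile(r"SSL alert: (?P<msg>.+)")


def audit_ssl_log(lines, floor="TLS1.0"):
    """Return (effective_range, alerts, ok) for a list of errors-log lines.

    effective_range is the last (min, max) the server reported; ok is True
    only when that minimum is at or above `floor`.
    """
    effective, alerts = None, []
    for line in lines:
        m = RANGE_RE.search(line)
        if m:
            effective = (m.group("min"), m.group("max"))
            continue
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.group("msg").strip())
    if effective is None:
        return None, alerts, False  # no range logged: fail closed
    lo = effective[0]
    ok = lo in ORDER and ORDER.index(lo) >= ORDER.index(floor)
    return effective, alerts, ok


TS = "[01/Jan/2015:00:00:00 +0000] - "  # constructed timestamp prefix (assumption)
# Constructed sample input: case 3 (nsSSL3 on, but the range is kept at TLS1.0).
CASE3 = [
    TS + "SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.",
    TS + "SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.",
    TS + "SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2",
]
# Constructed sample input: case 5 (SSL3 explicitly requested everywhere).
CASE5 = [
    TS + "SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.",
    TS + "SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0.",
    TS + "SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3",
]

if __name__ == "__main__":
    for name, sample in (("case 3", CASE3), ("case 5", CASE5)):
        print(name, audit_ssl_log(sample))
```

Case 3 passes the floor while still carrying two alerts worth cleaning up in `cn=encryption,cn=config`; case 5 fails because the effective minimum is SSL3.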