The nightly test test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption is failing on fedora 33 with 389-ds-base-1.4.4.9-1.fc33.x86_64, see PR #656 with the following logs and report:
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheck object at 0x7f06ac1efd30>
modify_tls = None

    def test_ipahealthcheck_ds_encryption(self, modify_tls):
        """
        This testcase modifies the default TLS version of DS instance to 1.0
        and ensures that EncryptionCheck reports ERROR
        """
        enc_msg = (
            "This Directory Server may not be using strong TLS protocol "
            "versions. TLS1.0 is known to\nhave a number of issues with "
            "the protocol. "
            "Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\n"
            "It is advised you set this value to the maximum possible."
        )
        returncode, data = run_healthcheck(
            self.master, "ipahealthcheck.ds.encryption", "EncryptionCheck",
        )
>       assert returncode == 1
E       assert 0 == 1
E         +0
E         -1
Test scenario: the test is setting sslMinVersion to TLS1.0:
- dsconf slapd-IPA-TEST security set --tls-protocol-min=TLS1.0
- systemctl restart dirsrv@IPA-TEST

then calls ipa-healthcheck to ensure the misconfiguration is properly detected:
- ipa-healthcheck --source ipahealthcheck.ds.encryption --check EncryptionCheck --output-type json
The test works correctly on fedora32 but not on fedora33. The test also needs to do an additional step: update-crypto-policies --set LEGACY. This is because the DEFAULT policy is used by default and differs between fedora 32 and fedora33 (in fed32, TLS1.0 is allowed while not in fedora33). 389ds combines the value from sslMinVersion and the crypto policy and does not allow TLS1.0 even though it is set in dse.ldif in fedora33.
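The interaction described above, as an added example that is not part of the original ticket or of the FreeIPA test suite: it reads the minimum from dse.ldif (the setting the ticket calls sslMinVersion, stored in the `sslVersionMin` attribute) and the `tls-version-min` floor from the crypto-policies NSS back-end file, and reports whether TLS1.0 is really in effect before the healthcheck is expected to flag it. The function names, the "stricter floor wins" model and the sample file contents are assumptions made for illustration; on a real host the policy text would come from /etc/crypto-policies/back-ends/nss.config.

```python
import re

ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # weakest to strongest

def ds_min_version(dse_ldif):
    """sslVersionMin from the cn=encryption,cn=config entry of dse.ldif."""
    for entry in re.split(r"\n\s*\n", dse_ldif):
        if re.search(r"^dn:\s*cn=encryption,cn=config\s*$", entry, re.I | re.M):
            m = re.search(r"^sslVersionMin:\s*(\S+)", entry, re.I | re.M)
            if m:
                return m.group(1).upper()
    raise ValueError("sslVersionMin not set in cn=encryption,cn=config")

def policy_min_version(nss_config):
    """TLS floor from the crypto-policies NSS back-end (dtls-version-min is skipped)."""
    m = re.search(r"(?<!d)tls-version-min=tls(\d\.\d)", nss_config)
    if not m:
        raise ValueError("tls-version-min not found in NSS policy")
    return "TLS" + m.group(1)

def effective_min(dse_ldif, nss_config):
    """Assumed model, per the ticket: the stricter of the two floors applies."""
    return max(ds_min_version(dse_ldif), policy_min_version(nss_config),
               key=ORDER.index)

def precondition_holds(dse_ldif, nss_config, wanted="TLS1.0"):
    """True only if the weak floor the test sets is really in effect."""
    return effective_min(dse_ldif, nss_config) == wanted

# Constructed samples, trimmed to the relevant lines.
DSE = """dn: cn=config
nsslapd-port: 389

dn: cn=encryption,cn=config
nsSSL3: off
sslVersionMin: TLS1.0
"""
NSS_DEFAULT_F33 = 'config="disallow=ALL allow=HMAC-SHA256:tls-version-min=tls1.2:dtls-version-min=dtls1.2"'
NSS_LEGACY = 'config="disallow=ALL allow=HMAC-SHA256:tls-version-min=tls1.0:dtls-version-min=dtls1.0"'

if __name__ == "__main__":
    for name, policy in (("DEFAULT (Fedora 33)", NSS_DEFAULT_F33), ("LEGACY", NSS_LEGACY)):
        print(name, "-> effective minimum", effective_min(DSE, policy),
              "| test precondition met:", precondition_holds(DSE, policy))
```

A test fixture can call a check like `precondition_holds` after the restart and fail early with a clear message, instead of surfacing the problem as `assert 0 == 1` on the healthcheck return code.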
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5442
master:
ipa-4-8:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)