Search nssVersion in 'cn=encryption,cn=config' can report wrong value

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47943

• Created at 2014-11-06 22:25:15 by tbordaz (@tbordaz)
• Closed as Duplicate
• Assigned to nobody

---

The test case is:

• Create/start an instance
• updates sslVersionMin=tls1.0 (a value different than the initial value)
• ldapsearch "cn=encryption,cn=config" and check that reported sslVersionMin != tls1.0 (it contains the initial value)
• Check in dse.ldif that the sslVersionMin in "cn=encryption,cn=config" contains tls1.0
• restart the instance
• ldapsearch "cn=encryption,cn=config" report the new value tls1.0

The reason is that search_encryption reports sslVersion[Min|Max] from slapdNSSVersions.min|max that are set at startup.

A workaround is to restart the instance

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2014-11-06 23:30:19

The SSL Version Range is set in slapd_ssl_init2, which is called from main at the startup.

The entry point for slapd_ssl_init and slapd_ssl_init2 are prepared in get_entry_point, but it looks they are not called dynamically. That's said, SSL Version's dynamic update is not implemented yet.

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2014-11-11 04:40:30

Making a dup of this ticket 47452 - configure NSS - add/remove keys, certs, settings - without server restart

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2017-02-11 23:02:17

Metadata Update from @nhosoi:

• Issue set to the milestone: N/A