[RFE] - Error message have duplicate alerts when you try to set sslVersionMin = "ssl2" #1622

Closed
389-ds-bot opened this issue Sep 13, 2020 · 2 comments
Labels: closed: not a bug Migration flag - Issue

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/48291


Description of problem:
Error messages have duplicate alerts when you try to set sslVersionMin = "ssl2"

Version-Release number of selected component (if applicable):
[root@dhcp201-167 /]# rpm -qa | grep 389
389-ds-base-libs-1.3.4.0-13.el7.x86_64
389-ds-base-1.3.4.0-13.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
=====================
1. set values ::
nsTLS1: on
nsSSL2: off
nsSSL3: off
AND
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2

2. Now try to modify sslVersionMin to "ssl2"

Actual results:
=================
Error Logs ::
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value
of sslVersionMin "ssl2" is lower than the supported version; the default value
"SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range
is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0,
max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
[20/Aug/2015:15:22:01 +051800] - 389-Directory/1.3.4.0 B2015.231.1727 starting
up
[20/Aug

Expected results:
==================
The first alert in the error logs is misleading; it says -- SSL alert: Security
Initialization: The value of sslVersionMin "ssl2" is lower than the supported
version; the default value "SSL3" is used.

While the actual setting the server applies is -- SSL alert: nsTLS1 is on, but the
version range is lower than "TLS1.0"; Configuring the version range as default min:
TLS1.0, max: TLS1.2.

So the server should not log the first alert at all.
The second alert is accurate and enough.

Additional info:
Check https://bugzilla.redhat.com/show_bug.cgi?id=1044191#c9 for more details
regarding original fix.
FOR QA - there is a test case trac605 in ssl.sh for this bug.

389-ds-bot added the closed: not a bug Migration flag - Issue label Sep 13, 2020
389-ds-bot added this to the 1.3.5 backlog milestone Sep 13, 2020

Comment from nhosoi (@nhosoi) at 2015-12-19 02:43:13

The error messages look reasonable.

  1. Now try to modify sslVersionMin to "ssl2"

The first alert: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.

The version ssl2 is strictly prohibited; it is lower than the library's supported minimum version SSL3.

The second alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.

This is talking about the Directory Server's configuration.
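
Added example (not part of the thread and not 389-ds code): a Python script that reads the error-log excerpt from this issue, separates the library-level alert from the Directory Server alert, and reports the range given on the `Configured SSL version range` line. Treating that line as the effective range is an assumption drawn from the log shown here; the names `unwrap`, `audit_tls_startup` and `RANK` are this example's own.

```python
import re

# Error-log excerpt as pasted in the issue, including its hard line wraps.
SAMPLE_LOG = '''\
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value
of sslVersionMin "ssl2" is lower than the supported version; the default value
"SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range
is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0,
max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
'''

VER = r'((?:SSL|TLS)\d(?:\.\d)?)'
LIB_CLAMP = re.compile(r'The value of sslVersionMin "([^"]+)" is lower than the '
                       r'supported version; the default value "([^"]+)" is used')
DS_CLAMP = re.compile(r'nsTLS1 is on, but the version range is lower than "[^"]+"; '
                      r'Configuring the version range as default min: ' + VER + ', max: ' + VER)
FINAL = re.compile(r'Configured SSL version range: min: ' + VER + ', max: ' + VER)
# Weakest to strongest, for comparing the effective minimum against TLS1.0.
RANK = {v: i for i, v in enumerate(["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"])}

def unwrap(log_text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in log_text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def audit_tls_startup(log_text):
    """Separate the two alerts from the range the server reports as configured."""
    report = {"rejected": None, "library_default": None,
              "ds_override": None, "effective": None, "weak": None}
    for entry in unwrap(log_text):
        if m := LIB_CLAMP.search(entry):      # first alert: library's supported minimum
            report["rejected"], report["library_default"] = m.groups()
        elif m := DS_CLAMP.search(entry):     # second alert: Directory Server config
            report["ds_override"] = m.groups()
        elif m := FINAL.search(entry):        # the range reported as configured
            report["effective"] = m.groups()
    if report["effective"]:
        rank = RANK.get(report["effective"][0])   # unknown names stay None
        report["weak"] = None if rank is None else rank < RANK["TLS1.0"]
    return report
```

On the excerpt above, the report shows the rejected `ssl2` request and the `SSL3` library default from the first alert alongside an effective minimum of `TLS1.0`, so an audit keyed on the final range does not flag this startup.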


Comment from nhosoi (@nhosoi) at 2017-02-11 23:03:28

Metadata Update from @nhosoi:

  • Issue set to the milestone: 1.3.5 backlog
