
389-ds-base-1.3.3.1-7

@nhosoi nhosoi tagged this 23 Oct 20:49
Description:
There are 2 ways to specify the SSL version in cn=encryption,cn=config.
 . existing method (SSL version info)
     nsSSL3: on|off
     nsTLS1: on|off
 . new method (SSL version range)
     sslVersionMin: <VERSION>
     sslVersionMax: <VERSION>
   where <VERSION> takes "SSL3", "TLS1.0" through "TLS1.2".

If neither SSL version info nor range is set in cn=encryption,cn=config,
     nsSSL3: off
     nsTLS1: on
     sslVersionMin is TLS1.1
     sslVersionMax is TLS1.2

If SSL version info and range have conflicts, a tighter setting is
chosen.  For instance, the case of sslVersionMin: TLS1.1; nsTLS1: off;
nsSSL3: on, the range setting is respected.
     nsSSL3: off
     nsTLS1: on
     sslVersionMin is TLS1.1
     sslVersionMax is TLS1.2
"SSL alert: Configured range: min: TLS1.1, max: TLS1.2; but nsSSL3 is on
and nsTLS1 is off. Respect the configured range." is logged in the error
log.

When cn=encryption,cn=config is searched, the SSL version info as well
as the range are retrieved from the settings in ssl.c and returned.
E.g.,
dn: cn=encryption,cn=config
nsSSl2: off
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2

https://fedorahosted.org/389/ticket/47928

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

(cherry picked from commit c1ecd8b659a0b8f7d84f8157cb69810c85ee26e4)
(cherry picked from commit 524d127f14d3bb666d8ac11a277c4ef60693045f)
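
An added example, not part of the commit or of the 389-ds code base: a small audit that reads a cn=encryption,cn=config entry as returned by a search and flags the situations the message describes, namely a range that admits SSL3 and legacy nsSSL3/nsTLS1 toggles that disagree with the configured range (the case the server reports with the "SSL alert" line). The function names and sample entries are constructed for illustration, and the script only reports disagreements; it does not reproduce how ssl.c resolves them.

```python
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]  # <VERSION> values from the commit message


def parse_entry(ldif):
    """Map lower-cased attribute name -> value (simple LDIF: no folding, no base64)."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs[name.strip().lower()] = value.strip()
    return attrs


def audit(ldif):
    """Return findings for one cn=encryption,cn=config entry; [] means nothing flagged."""
    a = parse_entry(ldif)
    ssl3_on = a.get("nsssl3", "").lower() == "on"
    tls1_off = a.get("nstls1", "").lower() == "off"
    vmin, vmax = a.get("sslversionmin"), a.get("sslversionmax")
    if vmin is None or vmax is None:
        # No complete range in the entry: only the legacy toggle can be judged.
        return ["nsSSL3 is on and no complete range is set"] if ssl3_on else []
    bad = [v for v in (vmin, vmax) if v not in ORDER]
    if bad:
        return [f"unknown version value: {v}" for v in bad]
    findings = []
    lo, hi = ORDER.index(vmin), ORDER.index(vmax)
    if lo > hi:
        findings.append("sslVersionMin is above sslVersionMax")
    if lo == 0:
        findings.append("range allows SSL3")
    if ssl3_on and lo > 0:
        findings.append("nsSSL3 is on but the range excludes SSL3")
    if tls1_off and hi >= 1:
        findings.append("nsTLS1 is off but the range allows TLS")
    return findings


# Constructed sample entries (not taken from a real server)
DN = "dn: cn=encryption,cn=config\n"
CONFLICT = DN + "nsSSL3: on\nnsTLS1: off\nsslVersionMin: TLS1.1\nsslVersionMax: TLS1.2\n"
DEFAULT = DN + "nsSSL3: off\nnsTLS1: on\nsslVersionMin: TLS1.1\nsslVersionMax: TLS1.2\n"

if __name__ == "__main__":
    for name, entry in (("conflict", CONFLICT), ("default", DEFAULT)):
        print(name, audit(entry) or "ok")
```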