389-ds-base-1.3.3.1-9

@nhosoi nhosoi tagged this 13 Nov 23:29
Description:
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
   ==>
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   nsSSL3: off
   nsTLS1: on
   ==>
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

2) Setting new SSL version attrs; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   ==>
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
   nsSSL3: on
   sslVersionMin: TLS1.0
   ==>
   SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
   nsSSL3 in cn=encryption,cn=config.
   SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
    are on. Respect the supported range.
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
   nsSSL3: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==>
   SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
    the version range as default min: TLS1.0, max: TLS1.2.
   SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

5) Setting old/new SSL version attrs; no conflict; setting SSL3
   nsSSL3: on
   nsTLS1: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==>
   SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
   nsSSL3 in cn=encryption,cn=config.
   SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
   to set sslVersionMin higher than TLS1.0.
   SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3

https://fedorahosted.org/389/ticket/47928

Reviewed by mreynolds@redhat.com (Thank you, Mark!!)

(cherry picked from commit ad7885eae64a2085a89d516c1106b578142be502)
(cherry picked from commit 3e7321ba1641234651fbf1e8fc01bf9fbecbc696)
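
An added audit sketch, not code from 389-ds-base: it predicts the effective range for a cn=encryption,cn=config entry using only the six cases listed in the message above, so an administrator can spot entries that leave SSL3 negotiable. The function names, the sample entry, the nsSSL3 default of off, and the handling of any attribute combination outside those six cases are assumptions of this sketch.

```python
# Added sketch: models only the six cases listed in the tag message above.
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
SUPPORTED_MAX = "TLS1.2"                       # "supported max is TLS1.2" in the cases
DEFAULT_MIN, DEFAULT_MAX = "TLS1.0", "TLS1.2"  # case 0


def parse_entry(ldif):
    """Return {lowercased attr: value} from the 'attr: value' lines of one entry."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and not line.startswith("#"):
            attrs[name.strip().lower()] = value.strip()
    return attrs


def effective_range(attrs):
    """Return (min, max, findings) predicted for a cn=encryption,cn=config entry."""
    rank = ORDER.index
    ssl3 = attrs.get("nsssl3", "off").lower() == "on"  # assumed default: off
    tls1 = attrs.get("nstls1", "on").lower() == "on"   # cases 3 and 4 imply on
    vmin = attrs.get("sslversionmin", DEFAULT_MIN)
    vmax = attrs.get("sslversionmax", DEFAULT_MAX)
    findings = []
    if rank(vmax) > rank(SUPPORTED_MAX):      # cases 1 and 2: clamp to supported max
        vmax = SUPPORTED_MAX
    if ssl3:                                  # cases 3 and 5: legacy switch still on
        findings.append("nsSSL3 is on")
    if tls1 and rank(vmax) < rank("TLS1.0"):  # case 4: range reset to defaults
        vmin, vmax = DEFAULT_MIN, DEFAULT_MAX
        findings.append("range below TLS1.0 with nsTLS1 on; defaults applied")
    elif rank(vmin) < rank("TLS1.0"):         # case 5: SSL3 really is negotiable
        findings.append("SSL3 can be negotiated")
    return vmin, vmax, findings


# Constructed sample entry (case 5 of the message), not taken from a real server.
SAMPLE = """dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
"""

if __name__ == "__main__":
    print(effective_range(parse_entry(SAMPLE)))
```
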