From e37295e000ba0744cca8c5406b513d657c0a6fb4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <>
Date: Tue, 19 Jan 2021 09:31:32 +0100
Subject: [PATCH] ipatests: fix healthcheck test for ipahealthcheck.ds.encryption

389ds is combining the value set in dse.ldif and the current crypto policy to evaluate the min TLS version that it will be using. The test needs to change the crypto policy to LEGACY in order to allow TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.

Fixes: https://pagure.io/freeipa/issue/8670
Signed-off-by: Florence Blanc-Renaud
---
 ipatests/test_integration/test_ipahealthcheck.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 92ad1860e17..cc9c909ad26 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1026,6 +1026,10 @@ def modify_tls(self, restart_service):
 """
 instance = realm_to_serverid(self.master.domain.realm)
 cmd = ["systemctl", "restart", "dirsrv@{}".format(instance)]
+ # The crypto policy must be set to LEGACY otherwise 389ds
+ # combines crypto policy amd minSSLVersion and removes
+ # TLS1.0 on fedora>=33 as the DEFAULT policy forbids TLS1.0
+ self.master.run_command(['update-crypto-policies', '--set', 'LEGACY'])
 self.master.run_command(
 [
 "dsconf",
@@ -1037,6 +1041,7 @@ def modify_tls(self, restart_service):
 )
 self.master.run_command(cmd)
 yield
+ self.master.run_command(['update-crypto-policies', '--set', 'DEFAULT'])
 self.master.run_command(
 [
 "dsconf",
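Review bot: The teardown added in the second hunk restores a hard-coded `DEFAULT` instead of the policy the master had before the fixture ran, so a host that started on another system-wide policy (FUTURE, FIPS or a custom one) is silently moved to a different one for every later test. Recording the value in the first hunk, e.g. `prev = self.master.run_command(['update-crypto-policies', '--show']).stdout_text.strip()` (assuming the usual result object), and restoring with `['update-crypto-policies', '--set', prev]` after the `yield` would avoid that. In the first hunk LEGACY is also applied before the `dsconf` and restart calls; if either of them raises during setup, the code after `yield` never runs and the master stays on LEGACY with TLS 1.0 permitted, so the setup steps following the policy change may warrant a guard that resets it on failure. The new comment has a typo (`amd` should be `and`). modify_tls starts and ends outside both hunks, so the final restart that makes 389ds pick up the restored policy is not visible here and should be confirmed.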