On a new installation, SSL v3 should be disabled by default, and safe cipher suites should be provided.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153737
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1153739
git patch file (master) 0001-Ticket-47928-Disable-SSL-v3-by-default.patch
git patch file (master) -- CI test: added test cases for ticket 47928 0002-Ticket-47928-CI-test-added-test-cases-for-ticket-479.patch
Reviewed by Rich (Thank you!!)
Pushed to master: be67f81..958be12 master -> master commit c1ecd8b commit 958be12
Pushed to 389-ds-base-1.3.3: 96d7459..b7b4981 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 524d127 commit b7b4981
We have to decide what to do for 1.3.2 and 1.2.11.
coverity fix for defect: 12783 - Logically dead code 0001-Ticket-47928-Disable-SSL-v3-by-default.2.patch
Pushed to master: 3cdf0eb..77989d3 master -> master commit 77989d3
Pushed to 389-ds-base-1.3.3: 738d985..29a4160 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 29a4160
Note: still open for 1.3.2 and 1.2.11.
I vote for these to be backported to 1.2.11. poodlebleed also affects tls1.0 (basically the same thing as SSL3), and in 1.3.2/1.2.11 there is no way to tell DS to use tls1.1 and up, only "nsTLS: on" - which allows tls1.0 (bad).
git patch file (master) -- Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. 0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch
Description: Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. In dn: cn=encryption,cn=config,

0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   nsSSL3: off
   nsTLS1: on
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

2) Setting new SSL version attrs; supported max is TLS1.2
   sslVersionMin: TLS1.0
   sslVersionMax: TLS1.3
   ==> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
   nsSSL3: on
   sslVersionMin: TLS1.0
   ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
       SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
   nsSSL3: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==> SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
       SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2

5) Setting old/new SSL version attrs; no conflict; setting SSL3
   nsSSL3: on
   nsTLS1: off
   sslVersionMin: SSL3
   sslVersionMax: SSL3
   ==> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
       SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0.
       SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
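The five scenarios above show how the new sslVersionMin/sslVersionMax attributes are reconciled with the legacy nsSSL3/nsTLS1 switches, but the precedence rules are only implicit in the logged output. The following Python model is an added illustration, not 389-ds-base source code and not part of the original ticket; it reproduces the logged results for all five cases. The defaults for attributes a scenario leaves unset (nsSSL3 off, nsTLS1 on, max equal to what the crypto library supports) and the handling of a min set above the max are assumptions, marked as such in the comments.

```python
"""Model of the SSL/TLS version-range reconciliation described in the
comment above (sslVersionMin/sslVersionMax vs. the legacy nsSSL3/nsTLS1
attributes in cn=encryption,cn=config).

Added illustration, not 389-ds-base code.  The rules are reconstructed
from the five logged scenarios; behaviour outside them is an assumption.
"""

# Protocol versions in increasing order. TLS1.3 is present only so that an
# over-high sslVersionMax can be clamped to what the library supports.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
DEFAULT_MIN = "TLS1.0"   # the new default from this patch (was TLS1.1)


def _idx(version):
    return VERSIONS.index(version)


def resolve_range(attrs, supported_max="TLS1.2"):
    """Return (min, max, alerts) for a dict of cn=encryption attributes.

    attrs may contain sslVersionMin, sslVersionMax, nsSSL3 and nsTLS1.
    Assumed defaults for missing attributes: nsSSL3 off, nsTLS1 on,
    min DEFAULT_MIN, max = supported_max.
    """
    alerts = []
    ssl3_on = attrs.get("nsSSL3", "off") == "on"
    tls1_on = attrs.get("nsTLS1", "on") == "on"
    vmin = attrs.get("sslVersionMin", DEFAULT_MIN)
    vmax = attrs.get("sslVersionMax", supported_max)

    # Scenarios 1 and 2: a max above the supported max is clamped silently.
    if _idx(vmax) > _idx(supported_max):
        vmax = supported_max
    # Assumption (not covered by the logged cases): an inverted range is
    # collapsed onto its max rather than rejected.
    if _idx(vmin) > _idx(vmax):
        vmin = vmax

    # Scenarios 3 and 5: nsSSL3: on is always flagged.
    if ssl3_on:
        alerts.append("Found unsecure configuration: nsSSL3: on; We strongly "
                      "recommend to disable nsSSL3 in cn=encryption,cn=config.")

    if tls1_on and _idx(vmax) < _idx("TLS1.0"):
        # Scenario 4: nsTLS1 wins over a range that cannot speak TLS at all.
        alerts.append('nsTLS1 is on, but the version range is lower than '
                      '"TLS1.0"; Configuring the version range as default '
                      f"min: {DEFAULT_MIN}, max: {supported_max}.")
        vmin, vmax = DEFAULT_MIN, supported_max
    elif ssl3_on and tls1_on:
        # Scenario 3: both legacy flags on; the explicit range is kept.
        alerts.append(f"Configured range: min: {vmin}, max: {vmax}; but both "
                      "nsSSL3 and nsTLS1 are on. Respect the supported range.")

    if _idx(vmin) < _idx("TLS1.0"):
        # Scenario 5: the SSL3-only range is honoured but warned about.
        alerts.append(f"Too low configured range: min: {vmin}, max: {vmax}; "
                      "We strongly recommend to set sslVersionMin higher than TLS1.0.")
    return vmin, vmax, alerts


# The five configurations from the comment, as constructed input.
SCENARIOS = {
    0: {},
    1: {"sslVersionMin": "TLS1.0", "sslVersionMax": "TLS1.3",
        "nsSSL3": "off", "nsTLS1": "on"},
    2: {"sslVersionMin": "TLS1.0", "sslVersionMax": "TLS1.3"},
    3: {"nsSSL3": "on", "sslVersionMin": "TLS1.0"},
    4: {"nsSSL3": "off", "sslVersionMin": "SSL3", "sslVersionMax": "SSL3"},
    5: {"nsSSL3": "on", "nsTLS1": "off",
        "sslVersionMin": "SSL3", "sslVersionMax": "SSL3"},
}


def run_all():
    """Return {scenario: (min, max, number_of_alerts)} for every case."""
    out = {}
    for n, attrs in SCENARIOS.items():
        vmin, vmax, alerts = resolve_range(attrs)
        out[n] = (vmin, vmax, len(alerts))
    return out


if __name__ == "__main__":
    for n, attrs in SCENARIOS.items():
        vmin, vmax, alerts = resolve_range(attrs)
        for a in alerts:
            print(f"{n}) SSL alert: {a}")
        print(f"{n}) SSL Initialization - Configured SSL version range: "
              f"min: {vmin}, max: {vmax}")
```

The point worth taking away for operators is visible in scenarios 4 and 5: with nsTLS1 left at its default, an SSL3-only range is silently upgraded to the TLS1.0..TLS1.2 default, but once nsTLS1 is explicitly off the server will happily run SSL3-only and only log a warning.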
Reviewed by Mark (Thank you!!)
Pushed to master: 6b4ade8..ad7885e master -> master commit ad7885e
Pushed to 389-ds-base-1.3.3: 6a435f1..3e7321b 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 3e7321b
git patch file (1.2.11 only) -- back-ported the support for the internal ssl version range 0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.patch
Since it's a backport, consider it already acked.
Pushed to 389-ds-base-1.2.11: 099d1ce..8550aaf 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 17fc03c
Pushed to 389-ds-base-1.3.1: d1b5c7a..d4d34b2 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit d4d34b245905886742f18d63da83c4edddf973ea
Pushed to 389-ds-base-1.3.2: a31bd5c..f7ae1e8 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit f7ae1e8
git patch file (1.2.11 branch) -- additional fix for "TLS1 can't be turned off" 0001-Ticket-47928-Disable-SSL-v3-by-default-389-ds-base-1.2.patch
Thank you for the review, Rich!
Pushed to 389-ds-base-1.2.11: 88ecf0c..37d5696 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit f0d0930
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1259
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)