As reported on 389-users mailing list:
Using the DS console and changing a single setting resets all the ciphers and SSL settings. So it will enable SSL3 which should remain off.
Here I just used the console to set "Do not allow client authentication", and this is what the console did (note nsSSL3 was off):
time: 20150120113536
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
-
replace: nsSSLActivation
nsSSLActivation: on
-
replace: objectClass
objectClass: top
objectClass: nsEncryptionModule

time: 20150120113536
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+tls_rsa_expo
 rt1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
replace: nsKeyfile
nsKeyfile: alias/slapd-localhost-key3.db
-
replace: nsCertfile
nsCertfile: alias/slapd-localhost-cert8.db

time: 20150120113536
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-

time: 20150120113536
dn: cn=slapd-localhost,cn=389 Directory Server,cn=Server Group,cn=localhost.localdomain,ou=example.com,o=NetscapeRoot
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on
-
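A check that could be run over the audit log after any console change, added here as an example (it is not part of the ticket or of the 389 project's code): it flags records that turn nsSSL3 on or enable weak cipher names. The sample log is constructed in the layout quoted above, and the weak-cipher pattern and the function name `findings` are assumptions.

```python
import re

# Constructed sample in the audit-log layout quoted in this ticket (cipher list shortened).
SAMPLE = """\
time: 20150120113536
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+tls_rsa_expo
 rt1024_with_des_cbc_sha
-

time: 20150120113536
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
"""

# Assumption: what counts as weak here (export-grade, NULL, RC4, RC2, single DES).
WEAK = re.compile(r"export|null|rc4|rc2|(?<!3)des", re.I)

def findings(audit_text):
    """Return (time, dn, message) for each change that enables SSLv3 or a weak cipher."""
    out, when, dn = [], None, None
    # LDIF folding: a line starting with one space continues the previous line.
    for line in re.sub(r"\n ", "", audit_text).splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "time":
            when = value
        elif attr == "dn":
            dn = value
        elif attr == "nsssl3" and value.lower() == "on":
            out.append((when, dn, "nsSSL3 set to on"))
        elif attr == "nsssl3ciphers":
            # Only ciphers prefixed with "+" are being enabled; "-" disables.
            bad = [c.strip()[1:] for c in value.split(",")
                   if c.strip().startswith("+") and WEAK.search(c)]
            if bad:
                out.append((when, dn, "weak ciphers enabled: " + ",".join(bad)))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(*f, sep=" | ")
```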
attachment 0001-Ticket-47994-DS-Console-always-sets-nsSSL3-to-on-whe.patch
To ssh://git.fedorahosted.org/git/389/ds-console.git 970e8b1..f668294 master -> master
commit f668294a80f37dad8be85348fbe582e817ef2361
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Jan 20 12:47:37 2015 -0500
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1184175
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 389-admin,console 1.1.36
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1325
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)