https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes
We will have to do this in ds, admin server, dsgw, adminutil, and perldap.
Description: NSS 3.14 deprecates the current way to configure SSL versions: SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3|SSL_ENABLE_TLS, True|False) Instead, it introduces new range APIs to provide more detailed SSL version control by using SSL_VersionRangeSet(pr_sock, NSSVersions). The NSSVersions has 2 fields "min" and "max", which take the minimum and maximum SSL versions.
By default, slapd_ssl_init2 sets the default supported range by NSS, which is min: SSL3 and max: TLS1.2. This patch adds 2 config params sslVersionMin and sslVersionMax to cn=encryption,cn=config to provide the ability to control the values.
Both take: ssl3 or tls1.?. If the range is not supported by the NSS or conflicts with the current params nsSSL3 and nsTLS1, it'd be adjusted.
git patch file (master) 0001-Ticket-605-support-TLS-1.1.patch
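As an added illustration of the reconciliation the description above talks about (this is example code, not the 389-ds-base patch): the configured sslVersionMin/sslVersionMax strings are parsed, clamped to the range NSS reports (in real code obtained with SSL_VersionRangeGetSupported and then applied with SSL_VersionRangeSet), and squared with the nsSSL3/nsTLS1 switches. The exact adjustment rules in slapd_ssl_init2 are not shown on the page, so the ones below (nsSSL3 off raises min to TLS1.0, nsTLS1 off lowers max to SSL3, an empty range is refused rather than guessed) are assumptions; the version constants mirror the TLS wire version numbers NSS uses, but no NSS header is included.

```c
#include <stdint.h>
#include <strings.h>

/* Wire version numbers (same values as NSS's SSL_LIBRARY_VERSION_* constants,
 * redefined locally so this compiles without NSS headers). */
#define VER_SSL3   0x0300
#define VER_TLS1_0 0x0301
#define VER_TLS1_1 0x0302
#define VER_TLS1_2 0x0303

typedef struct { uint16_t min, max; } version_range;

/* Map the config syntax "ssl3" / "tls1.x" to a version number; 0 = unknown. */
uint16_t parse_version(const char *s)
{
    if (strcasecmp(s, "ssl3") == 0)   return VER_SSL3;
    if (strcasecmp(s, "tls1.0") == 0) return VER_TLS1_0;
    if (strcasecmp(s, "tls1.1") == 0) return VER_TLS1_1;
    if (strcasecmp(s, "tls1.2") == 0) return VER_TLS1_2;
    return 0;
}

/* Reconcile configured sslVersionMin/Max with the range NSS supports and with
 * the nsSSL3 / nsTLS1 switches (rules assumed for this example).
 * Returns 0 if used as configured, 1 if adjusted, -1 if no version is left. */
int reconcile_range(version_range supported, int ns_ssl3_on, int ns_tls1_on,
                    const char *cfg_min, const char *cfg_max, version_range *out)
{
    version_range want = { parse_version(cfg_min), parse_version(cfg_max) };
    if (want.min == 0) want.min = supported.min;   /* unset/unknown: NSS default */
    if (want.max == 0) want.max = supported.max;
    version_range r = want;
    if (r.min < supported.min) r.min = supported.min;  /* clamp to NSS capability */
    if (r.max > supported.max) r.max = supported.max;  /* e.g. older NSS: TLS1.1 */
    if (!ns_ssl3_on && r.min < VER_TLS1_0) r.min = VER_TLS1_0; /* nsSSL3: off */
    if (!ns_tls1_on && r.max > VER_SSL3)   r.max = VER_SSL3;   /* nsTLS1: off */
    if (r.min > r.max) return -1;   /* nothing negotiable: refuse, do not guess */
    *out = r;
    return (r.min != want.min || r.max != want.max) ? 1 : 0;
}
```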
{{{
attributeTypes: ( sslVersionMax NAME 'sslVersionMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
}}} should be sslVersionMax-oid to be consistent.
Please change "valud" to "value"
Otherwise, ack
git patch file (master) -- revised 0001-Ticket-605-support-TLS-1.1.2.patch
Rich, thank you for pointing out the typos!!
Revised and pushed to master: 9357bf1..88d4bec master -> master commit 88d4bec
Description: commit 88d4bec always expected an NSS version supporting TLS 1.2. It broke the build on systems whose NSS version only supports TLS 1.1 (and older). This patch checks the NSS version and switches the supported TLS in ssl.c based upon the version info.
git patch file (master) -- adding backward compatibility 0001-Ticket-605-support-TLS-1.1-adding-backward-compatibi.patch
Reviewed by Rich (Thank you!!)
Pushed to master: 9ec7b92..5d60dab master -> master commit 5d60dab
mareynol@redhat.com wrote: Looks like there is logging early on in the startup process:
[05/Dec/2013:15:05:28 -0500] SSL Initialization - supported range: min: SSL3, max: TLS1.1
I see this on the command line when I restart my instances - as the error log has probably not been initialized yet. I don't think this should be displayed when restarting an instance. Can we remove this, or move it somewhere else where it won't go to stdout? Do you agree? Thoughts?
git patch file (master) -- lower the log level for the supported NSS version range 0001-Ticket-605-support-TLS-1.1-lower-the-log-level-for-t.patch
Thanks to mareynol@redhat.com for pointing out the problem and testing the patch.
Pushed to master: 24d1817..25e91e8 master -> master commit 25e91e8
git patch file (master) -- Fixing "Coverity 12415 - Logically dead code" 0001-Ticket-605-support-TLS-1.1-Fixing-Coverity-12415-Log.patch
Pushed to master: 9a0fb6a..4ae7645 master -> master commit 4ae7645
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1044191
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.3.3 - 11/13 (November)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/605
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)