#4802 Investigate & document if TLS 1.2 is properly supported
Closed: Fixed. Opened 9 years ago by pspacek.

Looking back at POODLE, I can see that the move from SSL 3.0 to TLS 1.0 caused great pain because of unforeseen integration problems.

IMHO we should check that the latest IPA server with sufficiently new clients can work if the only enabled TLS version is 1.2.

That will give us some confidence that we are ready for the next protocol version bump, and it will also help us to uncover problems before the next emergency situation.

A nice side effect of this work could be a list of settings which need to be changed to bump the minimal TLS version number, so that the next bump will be just applying the list.

Potential candidate for Christian.
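The check the ticket asks for, as an added example that is not part of this ticket or of FreeIPA's code: a small Python probe that pins a client to one TLS version at a time and records whether the handshake completes. The local demo assumes the `openssl` CLI is available to mint a throwaway self-signed certificate for a server whose floor is TLS 1.2; against a real IPA server you would call `probe()` with its host and port (443 for HTTPS, 636 for LDAPS). The error text is kept on purpose: a "rejected" result can come from the client's own OpenSSL policy refusing to offer TLS 1.0/1.1 rather than from the server, which is exactly the kind of integration surprise the ticket is worried about.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example, not FreeIPA code: confirm that a server whose floor is
TLS 1.2 still completes handshakes and that TLS 1.0/1.1 are refused.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Versions to try, oldest first (attribute names of ssl.TLSVersion).
VERSIONS = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def client_context(version):
    """Client context pinned to exactly one protocol version.

    Verification is disabled on purpose: the probe measures negotiation,
    not trust. A version the local OpenSSL cannot offer raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    wanted = getattr(ssl.TLSVersion, version)
    ctx.minimum_version = wanted   # set the floor first so min <= max holds
    ctx.maximum_version = wanted
    return ctx


def probe(host, port, versions=VERSIONS, timeout=5.0):
    """Return {version: (accepted, detail)} for one TCP endpoint.

    detail is the negotiated version on success, else the error text; a
    failure may be the server refusing the version or the local OpenSSL
    policy (e.g. SECLEVEL) refusing to offer it, so read the text.
    """
    results = {}
    for version in versions:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = client_context(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = (True, tls.version())
        except (ValueError, OSError) as exc:   # ssl.SSLError is an OSError
            results[version] = (False, str(exc))
    return results


def _serve(listener, certfile, keyfile, min_version, connections):
    """Answer `connections` handshakes with `min_version` as the floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.minimum_version = min_version          # the setting under test
    for _ in range(connections):
        try:
            conn, _addr = listener.accept()
            conn.settimeout(10)
            with ctx.wrap_socket(conn, server_side=True):
                pass                           # handshake done, drop it
        except OSError:
            pass                               # refused or aborted handshake


def run_local_demo():
    """Mint a self-signed cert with the openssl CLI (assumed present), run a
    throwaway loopback server allowing TLS >= 1.2, and probe it.
    Returns "skipped" when the cert or the socket cannot be set up."""
    if shutil.which("openssl") is None:
        return "skipped"
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
        made = subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=localhost", "-days", "1",
             "-keyout", key, "-out", cert], capture_output=True)
        if made.returncode != 0:
            return "skipped"
        try:
            listener = socket.socket()
            listener.bind(("127.0.0.1", 0))
            listener.listen()
        except OSError:
            return "skipped"
        listener.settimeout(10)
        port = listener.getsockname()[1]
        server = threading.Thread(
            target=_serve, daemon=True,
            args=(listener, cert, key, ssl.TLSVersion.TLSv1_2, len(VERSIONS)))
        server.start()
        results = probe("127.0.0.1", port)
        server.join(timeout=10)
        listener.close()
        return results


if __name__ == "__main__":
    outcome = run_local_demo()
    if outcome == "skipped":
        print("skipped: openssl CLI or loopback socket unavailable")
    else:
        for version, (ok, detail) in outcome.items():
            print(f"{version:8} {'accepted' if ok else 'rejected'}  {detail}")
```

Running it against the demo server prints TLSv1 and TLSv1_1 as rejected (with either the server's protocol_version alert or the client's own "no protocols available" text), TLSv1_2 as accepted with the negotiated "TLSv1.2", and TLSv1_3 as accepted on any OpenSSL 1.1.1 or later. The list of settings the ticket wants is then just the server-side knobs that must move from "minimum 1.0" to "minimum 1.2": the probe is how you confirm each one actually took effect.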

Martin, did you actually assign a ticket to me two months before my first day at Red Hat? :)

During processing of the remaining tickets in the 4.2 Backlog, this ticket was found suitable to be fixed in the nearest bugfixing branch, which is 4.2.x.

FreeIPA 4.2.1 was released, moving to 4.2.x.

Christian, I guess we can close this ticket, right?

Yes, TLSv1.2 is fine.

We can open another ticket to track TLSv1.3 another time. I expect that the standard will be finalized by the end of the year or early next year. NSS has experimental support for the latest draft. OpenSSL has no code for TLSv1.3 yet.

Metadata Update from @pspacek:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.4.2

7 years ago
