please review: [389 Project] #47928: Disable SSL v3, by default.
by Noriko Hosoi
https://fedorahosted.org/389/ticket/47928
https://fedorahosted.org/389/attachment/ticket/47928/0001-Ticket-47928-Di...
git patch file (master) -- Changing the default SSL Version Min value
from TLS 1.1 to TLS 1.0.
On 11/13/2014 12:22 PM, 389 Project wrote:
> Comment (by nhosoi):
>
> Description:
> Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
> In dn: cn=encryption,cn=config,
> 0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
> 1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
> sslVersionMin: TLS1.0
> sslVersionMax: TLS1.3
> nsSSL3: off
> nsTLS1: on
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> 2) Setting new SSL version attrs; supported max is TLS1.2
> sslVersionMin: TLS1.0
> sslVersionMax: TLS1.3
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
> 3) Setting old/new SSL version attrs; conflict (new min is stricter);
> supported max is TLS1.2
> nsSSL3: on
> sslVersionMin: TLS1.0
> ==>
> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
> recommend to disable nsSSL3 in cn=encryption,cn=config.
> SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3
> and nsTLS1 are on. Respect the supported range.
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
> 4) Setting old/new SSL version attrs; conflict (old min is stricter);
> supported max is TLS1.2
> nsSSL3: off
> sslVersionMin: SSL3
> sslVersionMax: SSL3
> ==>
> SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0";
> Configuring the version range as default min: TLS1.0, max: TLS1.2.
> SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
> 5) Setting old/new SSL version attrs; no conflict; setting SSL3
> nsSSL3: on
> nsTLS1: off
> sslVersionMin: SSL3
> sslVersionMax: SSL3
> ==>
> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
> recommend to disable nsSSL3 in cn=encryption,cn=config.
> SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly
> recommend to set sslVersionMin higher than TLS1.0.
> SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
>
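The five cases above, worked through as an added example that is not part of the patch or of the 389-ds code base: a small C model of the order in which the legacy nsSSL3/nsTLS1 switches and the newer sslVersionMin/sslVersionMax range appear to be reconciled in the test output (new range first, clamped to what NSS supports; nsTLS1 on overrides a range that excludes TLS; nsSSL3 on and a sub-TLS1.0 minimum are honoured but flagged). The struct and enum names, the resolve_range function and the alert counter are mine; the version values mirror NSS's SSL_LIBRARY_VERSION_* constants but are defined locally so the file builds without NSS, and the alert texts are abbreviated from the mail.

```c
/* Added example, not 389-ds code: a model of the sslVersionMin/Max vs.
 * nsSSL3/nsTLS1 resolution observed in the five test cases in the mail. */
#include <stdio.h>
#include <string.h>

/* Locally defined; values mirror NSS SSL_LIBRARY_VERSION_* (assumption). */
enum { V_UNSET = 0, V_SSL3 = 0x0300, V_TLS1_0 = 0x0301,
       V_TLS1_1 = 0x0302, V_TLS1_2 = 0x0303, V_TLS1_3 = 0x0304 };
enum { B_UNSET = -1, B_OFF = 0, B_ON = 1 };   /* nsSSL3 / nsTLS1 states */

struct enc_cfg {                       /* attrs under cn=encryption,cn=config */
    int nsSSL3, nsTLS1;                /* legacy on/off attrs, B_* */
    int sslVersionMin, sslVersionMax;  /* new range attrs, V_* or V_UNSET */
};

struct ssl_range {
    int min, max;                      /* resolved V_* values */
    int alerts;                        /* number of "SSL alert:" lines emitted */
};

static const char *vname(int v)
{
    switch (v) {
    case V_SSL3:   return "SSL3";
    case V_TLS1_0: return "TLS1.0";
    case V_TLS1_1: return "TLS1.1";
    case V_TLS1_2: return "TLS1.2";
    case V_TLS1_3: return "TLS1.3";
    default:       return "unknown";
    }
}

static void alert(struct ssl_range *r, const char *msg)
{
    r->alerts++;
    printf("SSL alert: %s\n", msg);
}

/* supported_max is the highest version the linked NSS supports
 * (TLS1.2 in every case in the mail). */
struct ssl_range resolve_range(const struct enc_cfg *cfg, int supported_max)
{
    struct ssl_range r = { V_TLS1_0, supported_max, 0 };        /* defaults */
    int ssl3 = (cfg->nsSSL3 == B_UNSET) ? B_OFF : cfg->nsSSL3;  /* default off */
    int tls1 = (cfg->nsTLS1 == B_UNSET) ? B_ON  : cfg->nsTLS1;  /* default on */

    /* New attrs are applied first; the max is clamped to what NSS supports
     * (cases 1 and 2: sslVersionMax TLS1.3 ends up as TLS1.2). */
    if (cfg->sslVersionMin != V_UNSET)
        r.min = cfg->sslVersionMin;
    if (cfg->sslVersionMax != V_UNSET && cfg->sslVersionMax < supported_max)
        r.max = cfg->sslVersionMax;

    if (ssl3 == B_ON)
        alert(&r, "Found unsecure configuration: nsSSL3: on; We strongly "
                  "recommend to disable nsSSL3 in cn=encryption,cn=config.");

    if (tls1 == B_ON && r.max < V_TLS1_0) {
        /* Case 4: the range excludes TLS while nsTLS1 is on: back to defaults. */
        alert(&r, "nsTLS1 is on, but the version range is lower than "
                  "\"TLS1.0\"; Configuring the version range as default.");
        r.min = V_TLS1_0;
        r.max = supported_max;
    } else if (ssl3 == B_ON && tls1 == B_ON && r.min >= V_TLS1_0) {
        /* Case 3: nsSSL3 on, but the stricter new minimum is kept. */
        alert(&r, "both nsSSL3 and nsTLS1 are on. Respect the supported range.");
    }

    if (r.min < V_TLS1_0)   /* case 5: an SSL3-only range is honoured but flagged */
        alert(&r, "Too low configured range; We strongly recommend to set "
                  "sslVersionMin higher than TLS1.0.");

    printf("SSL Initialization - Configured SSL version range: min: %s, max: %s\n",
           vname(r.min), vname(r.max));
    return r;
}

int main(void)
{
    /* Constructed inputs reproducing cases 3 and 5 from the mail. */
    struct enc_cfg case3 = { B_ON, B_UNSET, V_TLS1_0, V_UNSET };
    struct enc_cfg case5 = { B_ON, B_OFF, V_SSL3, V_SSL3 };
    resolve_range(&case3, V_TLS1_2);
    resolve_range(&case5, V_TLS1_2);
    return 0;
}
```

The point worth checking against the real server is the ordering: an explicit sslVersionMin of TLS1.0 is never lowered by nsSSL3: on (case 3), whereas a range set entirely below TLS1.0 is only kept when nsTLS1 is also off (case 5 versus case 4).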
Please review (take 5): [389 Project] #47945: Add SSL/TLS version info to the access log
by Noriko Hosoi
https://fedorahosted.org/389/ticket/47945
https://fedorahosted.org/389/attachment/ticket/47945/0001-Ticket-47945-Ad...
git patch file (master) -- applied the change in comment:11
<https://fedorahosted.org/389/ticket/47945#comment:11> by Rich. Thank you!!
Once approved, I'm going to attach the code slapi_getSSLVersion_str to
this bug...
*Bug 1161807* <https://bugzilla.redhat.com/show_bug.cgi?id=1161807>
-[RFE] API to convert SSL version number to SSL version string
--noriko
On 11/10/2014 01:10 PM, 389 Project wrote:
> #47945: Add SSL/TLS version info to the access log
> -------------------------------------------------+-------------------------
> Reporter: nhosoi | Owner: nhosoi
> Type: defect | Status: accepted
> Priority: major | Milestone: 1.3.3 backlog
> Component: Directory Server | Version: 1.3.0
> Resolution: | Keywords:
> Blocked By: | Blocking:
> Review: review? | Ticket origin: Community
> Red Hat Bugzilla: 1153737 (https://bugzilla.redhat.com/show_bug.cgi?id=1153737) |
> -------------------------------------------------+-------------------------
>
> Comment (by rmeggins):
>
> Thanks. Almost there
> {{{
> if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
>     ...
> }
> }}}
> This will only work for TLSv1.x. I would like to see support for TLSv2.x
> and later, something like this:
> {{{
> if (vnum >= SSL_LIBRARY_VERSION_3_0) {
>     if (vnum == SSL_LIBRARY_VERSION_3_0) { /* SSL3 */
>         if (buf && bufsize) {
>             PR_snprintf(buf, bufsize, "SSL3");
>         } else {
>             vstr = slapi_ch_smprintf("SSL3");
>         }
>     } else { /* TLS v X.Y */
>         const char *TLSFMT = "TLS%d.%d";
>         int minor_offset = 0; /* e.g. 0x0401 -> TLS v 2.1, not 2.0 */
>
>         if ((vnum & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0) {
>             minor_offset = 1; /* e.g. 0x0301 -> TLS v 1.0, not 1.1 */
>         }
>         if (buf && bufsize) {
>             PR_snprintf(buf, bufsize, TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>         } else {
>             vstr = slapi_ch_smprintf(TLSFMT, (vnum >> 8) - 2, (vnum & 0xff) - minor_offset);
>         }
>     }
> } else { /* SSL2 or unknown */
>     ...
> }
> }}}
> That way, if vnum > SSL_LIBRARY_VERSION_3_0 (e.g. vnum == 0x0400 e.g. TLS
> v2.0) our code will support it with no changes.
>
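A complete, compilable version of the conversion Rich sketches, as an added example that is neither the patch under review nor the eventual slapi_getSSLVersion_str: it turns an NSS protocol version number into the "SSL2", "SSL3" or "TLSx.y" string that the access log would carry. The SSL_LIBRARY_VERSION_* values are defined locally (they mirror NSS's sslproto.h) and snprintf stands in for PR_snprintf so the file builds without NSPR or slapi; the function name ssl_version_str and the sample values in main are mine. One design choice differs from the sketch: the minor-byte offset is keyed on the major byte being exactly 0x03 rather than on masking with 0x0300, because that mask also matches any 0x07xx value and would shift its minor number down by one.

```c
/* Added example, not 389-ds code: NSS version number -> log string. */
#include <stdio.h>
#include <string.h>

/* Locally defined; values mirror NSS sslproto.h (assumption). */
#define SSL_LIBRARY_VERSION_2        0x0002
#define SSL_LIBRARY_VERSION_3_0      0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0  0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1  0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2  0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3  0x0304

/* Format vnum as "SSL2", "SSL3", "TLSx.y" or "unknown" into buf.
 * The TLS mapping follows the sketch in the review comment: major byte
 * 0x03 -> "1", 0x04 -> "2", and so on; the minor byte is offset by one
 * only in the 0x03xx family (0x0301 is TLS1.0, 0x0304 is TLS1.3).
 * Returns buf so callers can use it inline in a log call. */
char *ssl_version_str(unsigned vnum, char *buf, size_t bufsize)
{
    if (!buf || bufsize == 0)
        return buf;

    if (vnum == SSL_LIBRARY_VERSION_2) {
        snprintf(buf, bufsize, "SSL2");
    } else if (vnum == SSL_LIBRARY_VERSION_3_0) {
        snprintf(buf, bufsize, "SSL3");
    } else if (vnum > SSL_LIBRARY_VERSION_3_0 && vnum <= 0xffff) {
        unsigned major_byte = vnum >> 8;
        unsigned major = major_byte - 2;
        /* Compare the whole major byte: (vnum & 0x0300) == 0x0300 would
         * also be true for 0x07xx and mis-number those minors. */
        unsigned minor = (vnum & 0xff) - (major_byte == 0x03 ? 1 : 0);
        snprintf(buf, bufsize, "TLS%u.%u", major, minor);
    } else {
        snprintf(buf, bufsize, "unknown");
    }
    return buf;
}

int main(void)
{
    /* Constructed sample values: the real NSS versions plus a hypothetical
     * 0x0400 ("TLS2.0" under the sketch's scheme) and an unknown 0x0100. */
    unsigned samples[] = { 0x0002, 0x0300, 0x0301, 0x0302, 0x0303, 0x0304,
                           0x0400, 0x0100 };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%04x -> %s\n", samples[i],
               ssl_version_str(samples[i], buf, sizeof buf));
    return 0;
}
```

Any value below SSL_LIBRARY_VERSION_3_0 other than SSL2 itself, and anything above 0xffff, falls into the "unknown" branch rather than being arithmetically mangled into a TLS string, which is the behaviour you want when the number comes from a peer or from a future NSS.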