Hello,
I installed a new version of 389:
389-Directory/1.3.4.8 B2016.063.1654
And I'm getting these warnings:
[30/Mar/2016:10:47:39 -0300] - SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
[30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
I already disabled nsSSL2 and nsSSL3:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
and confirmed that my server is only accepting TLS connections
Also tried to delete nsssl3ciphers:
dn: cn=encryption,cn=config
changetype: modify
delete: nsssl3ciphers
But it comes back.
Why am I still getting these warnings even after disabling nsSSL2 and nsSSL3?
Thanks
Alberto Viana
On 03/30/2016 06:57 AM, Alberto Viana wrote:
Hello,
I installed a new version of 389:
389-Directory/1.3.4.8 B2016.063.1654
And I'm getting these warnings:
[30/Mar/2016:10:47:39 -0300] - SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
This means nsSSL3 is enabled when the server was started.
[30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
This means sslVersionMin is TLS1.0 and sslVersionMax is TLS1.2.
nsSSL2, nsSSL3, and nsTLS1 are the old format for specifying the SSL version(s). The new format is sslVersionMin and sslVersionMax. They coexist for backward compatibility.
The default settings are:
* nsSSL2, nsSSL3: off
* nsTLS1: on
* sslVersionMin: TLS1.0
* sslVersionMax: supported highest TLS version
To prevent the POODLE attack, 389-ds-base disables SSLv3 by default. To enable SSLv3, both nsSSL3 needs to be on and sslVersionMin needs to be SSL3. This is to avoid accidentally enabling SSLv3 (which we don't recommend).
In your case, nsSSL3 was on when the server was started. Please note that the SSL configuration is done at the server start up. If you change the config parameters, you have to restart the server.
That said, this message says SSLv3 (nsSSL3: on) was ignored and the available range is [TLS1.0 - TLS1.2].
[30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
I already disabled nsSSL2 and nsSSL3:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
and confirmed that my server is only accepting TLS connections
Also tried to delete nsssl3ciphers:
dn: cn=encryption,cn=config
changetype: modify
delete: nsssl3ciphers
But it comes back.
Why am I still getting these warnings even after disabling nsSSL2 and nsSSL3?
Thanks
Alberto Viana
-- 389 users mailing list 389-users@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
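The precedence rules in the reply above (old-style nsSSL3/nsTLS1 flags versus sslVersionMin/sslVersionMax, SSLv3 only enabled when both nsSSL3 is on and sslVersionMin is SSL3, and the two "SSL alert" conditions) are easy to get wrong by reading the config by eye. The following is an added example, not code from the 389-ds project or from anyone in the thread: it reads a cn=encryption,cn=config entry as LDIF and reports the range the server would actually use, plus the alerts it would log. The attribute names are the real 389-ds ones; the evaluation logic is an assumed model of what the reply describes, not 389-ds source, and the three LDIF entries are constructed samples (the "weak" one reproduces the poster's startup state, the "fixed" one the state after his modify and a restart).

```python
# Added example, not 389-ds project code. Models the rules stated in the reply:
#   - defaults: nsSSL3 off, nsTLS1 on, sslVersionMin TLS1.0, sslVersionMax = highest supported
#   - SSLv3 is enabled only when nsSSL3 is on AND sslVersionMin is SSL3
#   - nsSSL3: on always draws the "unsecure configuration" alert
#   - nsSSL3 and nsTLS1 both on while the range starts at TLS1.0 draws the "Respect the
#     supported range" alert and SSLv3 is ignored
# The evaluation logic is an assumption based on the reply, not the server's source.

VERSION_ORDER = ["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]  # assumed ordering for comparison

# Constructed sample entries (not taken from a real server).
WEAK_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: on
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""

FIXED_LDIF = """\
dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""

# The one combination that really re-enables SSLv3 (not recommended; shown for contrast).
LEGACY_SSL3_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: on
sslVersionMin: SSL3
sslVersionMax: TLS1.2
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: attribute names lower-cased,
    values kept in order. No base64 or continuation-line handling (not needed here)."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def first(attrs, name, default):
    """First value of an attribute, or the 389-ds default from the reply."""
    values = attrs.get(name.lower())
    return values[0] if values else default


def effective_range(attrs, supported_max="TLS1.2"):
    """Return (min_version, max_version, alerts) the server would settle on at startup.
    supported_max stands in for 'highest TLS version the build supports' (assumed TLS1.2
    for the 1.3.4.x build in the thread)."""
    ns_ssl3 = first(attrs, "nsSSL3", "off").lower() == "on"
    ns_tls1 = first(attrs, "nsTLS1", "on").lower() == "on"
    vmin = first(attrs, "sslVersionMin", "TLS1.0")
    vmax = first(attrs, "sslVersionMax", supported_max)
    alerts = []

    if ns_ssl3:
        alerts.append("Found unsecure configuration: nsSSL3: on")

    if ns_ssl3 and vmin == "SSL3":
        low = "SSL3"  # both conditions met: SSLv3 really is enabled
    else:
        # Assumed: without nsSSL3 on, a min below TLS1.0 is clamped to TLS1.0.
        low = vmin if VERSION_ORDER.index(vmin) >= VERSION_ORDER.index("TLS1.0") else "TLS1.0"
        if ns_ssl3 and ns_tls1:
            # nsSSL3 is on but the range starts at TLS1.0, so SSLv3 is ignored.
            alerts.append(f"Configured range: min: {low}, max: {vmax}; "
                          "but both nsSSL3 and nsTLS1 are on")
    return low, vmax, alerts


if __name__ == "__main__":
    # Remember: the server only reads cn=encryption at startup, so a modify alone
    # changes nothing until the instance is restarted.
    for label, ldif in (("weak", WEAK_LDIF), ("fixed", FIXED_LDIF), ("legacy", LEGACY_SSL3_LDIF)):
        low, high, alerts = effective_range(parse_ldif_entry(ldif))
        print(f"{label}: range [{low} - {high}], alerts: {alerts or 'none'}")
```

Run it to see the poster's situation reproduced: the "weak" entry yields range [TLS1.0 - TLS1.2] with both alerts, which matches the two log lines in the thread, while the "fixed" entry yields the same range with no alerts. After applying the fix and restarting the instance, an independent check from a client (an assumption about your environment, not from the thread) is `openssl s_client -connect <host>:636 -ssl3`, which should fail to complete a handshake while `-tls1` succeeds.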