[389-devel] please review: [389 Project] #47928: Disable SSL v3, by default.
Noriko Hosoi
nhosoi at redhat.com
Thu Nov 13 20:27:24 UTC 2014
https://fedorahosted.org/389/ticket/47928
https://fedorahosted.org/389/attachment/ticket/47928/0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch
git patch file (master) -- Changing the default SSL Version Min value
from TLS 1.1 to TLS 1.0.
On 11/13/2014 12:22 PM, 389 Project wrote:
> Comment (by nhosoi):
>
> Description:
> Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
> In dn: cn=encryption,cn=config,
> 0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max:
> TLS1.2
>
> 1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
> sslVersionMin: TLS1.0
> sslVersionMax: TLS1.3
> nsSSL3: off
> nsTLS1: on
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max:
> TLS1.2
>
> 2) Setting new SSL version attrs; supported max is TLS1.2
> sslVersionMin: TLS1.0
> sslVersionMax: TLS1.3
> ==>
> SSL Initialization - Configured SSL version range: min: TLS1.0, max:
> TLS1.2
>
> 3) Setting old/new SSL version attrs; conflict (new min is stricter);
> supported max is TLS1.2
> nsSSL3: on
> sslVersionMin: TLS1.0
> ==>
> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
> recommend to disable nsSSL3 in cn=encryption,cn=config.
> SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3
> and nsTLS1
> are on. Respect the supported range.
> SSL Initialization - Configured SSL version range: min: TLS1.0, max:
> TLS1.2
>
> 4) Setting old/new SSL version attrs; conflict (old min is stricter);
> supported max is TLS1.2
> nsSSL3: off
> sslVersionMin: SSL3
> sslVersionMax: SSL3
> ==>
> SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0";
> Configuring
> the version range as default min: TLS1.0, max: TLS1.2.
> SSL Initialization - Configured SSL version range: min: TLS1.0, max:
> TLS1.2
>
> 5) Setting old/new SSL version attrs; no conflict; setting SSL3
> nsSSL3: on
> nsTLS1: off
> sslVersionMin: SSL3
> sslVersionMax: SSL3
> ==>
> SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
> recommend to disable
> nsSSL3 in cn=encryption,cn=config.
> SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly
> recommend
> to set sslVersionMin higher than TLS1.0.
> SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
>
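An added example, not part of the original message and not code from the 389 project: a small audit of an LDIF export that flags the settings the server alerts on in cases 3 to 5 above (nsSSL3 on, sslVersionMin below TLS1.0) and the sslVersionMax values it lowers to the supported maximum in cases 1 and 2. The function names, finding codes and sample entry are hypothetical, and nsSSL3 is assumed to default to off when absent, as the ticket title states.

```python
import re

ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # weakest first
TARGET_DN = "cn=encryption,cn=config"
# Constructed sample mirroring case 5 above (not taken from a real server).
SAMPLE_LDIF = """\
dn: cn=config

dn: cn=encryption,
 cn=config
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
"""

def parse_entries(ldif):
    """Yield (dn, attrs) per entry; attribute names are lower-cased."""
    text = re.sub(r"\r?\n ", "", ldif)  # unfold LDIF continuation lines
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
        if "dn" in attrs:
            yield attrs.pop("dn"), attrs

def rank(version):
    # Position in ORDER, or None for a missing or unrecognised value.
    return ORDER.index(version) if version in ORDER else None

def audit(ldif, supported_max="TLS1.2"):
    """Return (code, message) findings for the cn=encryption,cn=config entry."""
    findings = []
    for dn, a in parse_entries(ldif):
        if re.sub(r"\s*,\s*", ",", dn).lower() != TARGET_DN:
            continue
        if a.get("nsssl3", "off").lower() == "on":  # assumed default: off
            findings.append(("NSSSL3_ON", "nsSSL3 is on; set nsSSL3: off"))
        vmin, vmax = rank(a.get("sslversionmin")), rank(a.get("sslversionmax"))
        if vmin is not None and vmin < rank("TLS1.0"):
            findings.append(("MIN_TOO_LOW", "sslVersionMin is below TLS1.0"))
        if vmax is not None and vmax > rank(supported_max):
            findings.append(("MAX_ABOVE_SUPPORTED", "sslVersionMax exceeds " + supported_max))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Pass `supported_max` to match what the local NSS build reports; the default of TLS1.2 is the value shown in the log lines above.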