[389-devel] please review: [389 Project] #47928: Disable SSL v3, by default.

Noriko Hosoi nhosoi at redhat.com
Thu Nov 13 20:27:24 UTC 2014


https://fedorahosted.org/389/ticket/47928

https://fedorahosted.org/389/attachment/ticket/47928/0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch
git patch file (master) -- Changing the default SSL Version Min value 
from TLS 1.1 to TLS 1.0.

On 11/13/2014 12:22 PM, 389 Project wrote:
> Comment (by nhosoi):
>
>   Description:
>   Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
>   In dn: cn=encryption,cn=config,
>   0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
>      ==>
>      SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
>   1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
>      sslVersionMin: TLS1.0
>      sslVersionMax: TLS1.3
>      nsSSL3: off
>      nsTLS1: on
>      ==>
>      SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
>   2) Setting new SSL version attrs; supported max is TLS1.2
>      sslVersionMin: TLS1.0
>      sslVersionMax: TLS1.3
>      ==>
>      SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
>   3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
>      nsSSL3: on
>      sslVersionMin: TLS1.0
>      ==>
>      SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
>      SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
>      SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
>   4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
>      nsSSL3: off
>      sslVersionMin: SSL3
>      sslVersionMax: SSL3
>      ==>
>      SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
>      SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>
>   5) Setting old/new SSL version attrs; no conflict; setting SSL3
>      nsSSL3: on
>      nsTLS1: off
>      sslVersionMin: SSL3
>      sslVersionMax: SSL3
>      ==>
>      SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
>      SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend to set sslVersionMin higher than TLS1.0.
>      SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
>
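
An added example, not part of the original message and not 389 Directory Server code: a small audit helper that models how the five cases above resolve the old (nsSSL3, nsTLS1) and new (sslVersionMin, sslVersionMax) attributes into an effective range. The function names, the finding strings and the sample entry are assumptions; the rules are inferred only from the listed cases, so behaviour for any other combination is a guess.

```python
# Added example: models cases 0-5 from the message above; not server code.
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
DEFAULT_MIN = "TLS1.0"      # default minimum after this patch, per the post
SUPPORTED_MAX = "TLS1.2"    # "supported max is TLS1.2" in every listed case

# Constructed sample entry matching case 5 (SSLv3 explicitly enabled).
SAMPLE_CASE_5 = """dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
"""


def parse_entry(ldif):
    """Return {attr_lowercase: value} for one cn=encryption,cn=config entry."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith(("#", " ")):
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
    return attrs


def effective_range(attrs):
    """Return (min, max, findings) as inferred from cases 0-5."""
    rank = ORDER.index  # raises ValueError on an unknown version string
    findings = []
    ssl3 = attrs.get("nsssl3", "off").lower() == "on"
    tls1 = attrs.get("nstls1", "on").lower() == "on"
    vmin = attrs.get("sslversionmin", DEFAULT_MIN)
    vmax = attrs.get("sslversionmax", SUPPORTED_MAX)
    if rank(vmax) > rank(SUPPORTED_MAX):        # cases 1, 2: clamp to supported max
        vmax = SUPPORTED_MAX
    if ssl3:                                    # cases 3, 5: always reported
        findings.append("nsSSL3 is on")
    if tls1 and rank(vmax) < rank("TLS1.0"):    # case 4: fall back to defaults
        findings.append("range below TLS1.0 while nsTLS1 is on; defaults used")
        vmin, vmax = DEFAULT_MIN, SUPPORTED_MAX
    elif ssl3 and tls1:                         # case 3: version range wins
        findings.append("nsSSL3 and nsTLS1 both on; configured range respected")
    if rank(vmin) < rank("TLS1.0"):             # case 5: SSLv3 really negotiable
        findings.append("sslVersionMin below TLS1.0")
    return vmin, vmax, findings


if __name__ == "__main__":
    print(effective_range(parse_entry(SAMPLE_CASE_5)))
```

Only case 5 leaves SSLv3 negotiable; cases 3 and 4 produce alerts but still end at TLS1.0 to TLS1.2, which is why the final "SSL Initialization" log line is the one to check.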


