On 03/30/2016 06:57 AM, Alberto Viana wrote:
> Hello,
>
> I installed a new version of 389:
>
> 389-Directory/1.3.4.8 B2016.063.1654
>
> And I'm getting these warnings:
>
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
This means nsSSL3 is enabled when the server was started.
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
This means sslVersionMin is TLS1.0 and sslVersionMax is TLS1.2.

nsSSL2, nsSSL3, and nsTLS1 are the old format for specifying the SSL version(s).  The new format is sslVersionMin and sslVersionMax.  They coexist for backward compatibility.

The default settings are:
To prevent the POODLE attack, 389-ds-base disables SSLv3 by default.  To enable SSLv3, both nsSSL3 needs to be on and sslVersionMin needs to be SSL3.  This is to avoid accidentally enabling SSLv3 (which we don't recommend).

In your case, nsSSL3 was on when the server was started.  Please note that the SSL configuration is done at server start-up.  If you change the config parameters, you have to restart the server.

That said, this message says SSLv3 (nsSSL3: on) was ignored and the available range is [TLS1.0 - TLS1.2].
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.


> I already disabled nsSSL2 and nsSSL3:
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL2
> nsSSL2: off
> -
> replace: nsSSL3
> nsSSL3: off
> -
> replace: nsTLS1
> nsTLS1: on
>
> and confirmed that my server is only accepting TLS connections.
>
> Also tried to delete nsssl3ciphers:
>
> dn: cn=encryption,cn=config
> changetype: modify
> delete: nsssl3ciphers
>
> But it comes back.
>
> Why am I still getting these warnings even after disabling nsSSL2 and nsSSL3?
>
> Thanks
>
> Alberto Viana


--
389 users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
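The rule explained in the reply (the old nsSSL3/nsTLS1 flags coexist with sslVersionMin/sslVersionMax, and SSLv3 only becomes active when nsSSL3 is on AND sslVersionMin is SSL3, otherwise the flag is ignored and the server logs the two alerts) is easy to get wrong when reading a cn=encryption,cn=config entry by hand. The following script is an added example, not code from the thread or from the 389-ds project: it parses an entry as ldapsearch would print it and reports the effective range plus the configuration findings a reviewer would flag before restarting the server. The sample entry is constructed to match the thread's values; the assumed defaults for a missing sslVersionMin/sslVersionMax (TLS1.0/TLS1.2) and the wording of the findings are this example's own, not the server's exact log text.

```python
"""Model the effective SSL/TLS range of a 389-ds cn=encryption,cn=config entry.

Added example (not 389-ds project code). It encodes the rule from the reply:
  - sslVersionMin/sslVersionMax are the authoritative range,
  - nsSSL3 only enables SSLv3 when sslVersionMin is also SSL3,
  - otherwise nsSSL3 is ignored and the server warns about it.
"""

# Protocol versions in increasing order; SSL2 is never part of the range.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]

# Assumed defaults when the new-format attributes are absent (assumption of
# this example; they match the range shown in the thread's log lines).
DEFAULT_MIN = "TLS1.0"
DEFAULT_MAX = "TLS1.2"

# Constructed sample entry with the same values as the thread: nsSSL3 on,
# nsTLS1 on, range TLS1.0 - TLS1.2.
SAMPLE_ENTRY = """\
dn: cn=encryption,cn=config
cn: encryption
nsSSL2: off
nsSSL3: on
nsTLS1: on
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""


def parse_entry(ldif_text):
    """Parse one LDIF entry into {lower-cased attribute name: value}.

    LDAP attribute names are case-insensitive (nsSSL3 == nsssl3), so keys are
    normalised; blank lines and '#' comments are skipped.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs[name.strip().lower()] = value.strip()
    return attrs


def effective_range(attrs):
    """Return (effective_min, effective_max, findings) for a parsed entry."""
    findings = []
    ns_ssl2 = attrs.get("nsssl2", "off").lower() == "on"
    ns_ssl3 = attrs.get("nsssl3", "off").lower() == "on"
    ns_tls1 = attrs.get("nstls1", "on").lower() == "on"
    vmin = attrs.get("sslversionmin", DEFAULT_MIN)
    vmax = attrs.get("sslversionmax", DEFAULT_MAX)
    for v in (vmin, vmax):
        if v not in VERSIONS:
            raise ValueError("unsupported version value: %r" % v)
    if VERSIONS.index(vmin) > VERSIONS.index(vmax):
        raise ValueError("sslVersionMin is above sslVersionMax")

    if ns_ssl2:
        findings.append("nsSSL2 is on; SSLv2 is never part of the range, turn it off")

    # SSLv3 needs BOTH the old flag and the new-format minimum.
    ssl3_enabled = ns_ssl3 and vmin == "SSL3"
    if ns_ssl3:
        findings.append("nsSSL3 is on: insecure configuration, disable it in cn=encryption,cn=config")
    if ns_ssl3 and not ssl3_enabled:
        findings.append(
            "configured range %s-%s excludes SSL3 but nsSSL3%s is on; nsSSL3 is ignored"
            % (vmin, vmax, " and nsTLS1" if ns_tls1 else "")
        )
    if vmin == "SSL3" and not ns_ssl3:
        findings.append("sslVersionMin is SSL3 but nsSSL3 is off; SSLv3 stays disabled")

    # Without SSLv3 the floor is TLS1.0 regardless of a lower sslVersionMin.
    eff_min = "SSL3" if ssl3_enabled else max(vmin, "TLS1.0", key=VERSIONS.index)
    return eff_min, vmax, findings


def check_entry(ldif_text):
    """Convenience wrapper: parse and evaluate in one call."""
    return effective_range(parse_entry(ldif_text))


if __name__ == "__main__":
    lo, hi, notes = check_entry(SAMPLE_ENTRY)
    print("effective range: [%s - %s]" % (lo, hi))
    for n in notes:
        print("finding:", n)
```

Run it against the output of `ldapsearch -b cn=encryption,cn=config` (one entry) to see what the server will actually accept after the next restart; a clean result is an empty findings list with the range you intended.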