Hi Guys,

My packages:

    389-ds-base1.4.2.8-20200414gitfae920fc8.el8.x86_64
    openssl-1.1.1c-2.el8.x86_64

I'm trying to set tls-protocol-min to TLS 1.0 but it's not working. I used dsconf and ldapmodify like this:

    dn: cn=encryption,cn=config
    changetype: modify
    replace: sslVersionMin
    sslVersionMin: TLS1.1
    -
    replace: sslVersionMax
    sslVersionMax: TLS1.2

Also tried to set on variables like this:

    nsTLS11: on
    nsTLS10: on

    dsconf RNP security set --tls-protocol-min="TLS1.0"

Set Allow Weak Ciphers to on, but it seems to be related to SSL3 and not TLS. Changed cipher suite to all.

All commands seem to work, and also modify my dse.ldif, but when I start my 389:

    [28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
    [28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

This last try was setting --tls-protocol-min="TLS1.1".
Thanks
Alberto Viana
This is a known problem. We moved the default minimum to TLS 1.2 (from 1.0), but it's not working correctly and it will not allow you to set 1.0 at all. We will fix it shortly...
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
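Added example, not part of the original thread or the 389 project's code: a Python check that pairs the two slapd_ssl_init2 lines from the error log and reports when the range NSS actually enforces differs from the configured one, or when the enforced minimum falls below a policy floor. The function names, the `policy_min` parameter and the second pair of log lines are assumptions constructed for illustration.

```python
import re

# Matches both range lines in the format shown in the thread's log excerpt.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
    r"min: ([^,\s]+), max: (\S+)"
)
# Protocol names used in the thread, oldest first.
ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

# First two lines are from the thread; the last two are constructed sample data.
SAMPLE_LOG = """\
[28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
[01/Jan/2000:00:00:00.000000000 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[01/Jan/2000:00:00:01.000000000 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2
"""

def startups(log_text):
    """Pair each 'Configured' range with the 'NSS adjusted' range that follows it."""
    pairs, configured = [], None
    for kind, lo, hi in RANGE_RE.findall(log_text):
        if kind == "Configured":
            configured = (lo, hi)
        elif configured is not None:
            pairs.append({"configured": configured, "effective": (lo, hi)})
            configured = None
    return pairs

def audit(log_text, policy_min="TLS1.2"):
    """Return (startup number, finding kind, detail) for each problem found."""
    findings = []
    for n, s in enumerate(startups(log_text), 1):
        cfg, eff = s["configured"], s["effective"]
        if cfg != eff:  # what is in dse.ldif is not what the server enforces
            findings.append((n, "adjusted", f"configured {cfg}, running {eff}"))
        if eff[0] not in ORDER:
            findings.append((n, "unknown", f"unrecognised minimum {eff[0]}"))
        elif ORDER.index(eff[0]) < ORDER.index(policy_min):
            findings.append((n, "below-policy", f"minimum {eff[0]} < {policy_min}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The "NSS adjusted" line is the one to audit against, since it reflects the range the server will negotiate regardless of what the configuration entry requests.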
Mark,
One last doubt: what about TLS 1.3? Does 389 already support it?
Thanks
Alberto Viana
If the version of nss on your system is capable of TLS1.3, then we should support it.
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs