[389-devel] Please review: [389 Project] #605: support TLS 1.1
Noriko Hosoi
nhosoi at redhat.com
Sat Nov 16 00:11:47 UTC 2013
https://fedorahosted.org/389/ticket/605
https://fedorahosted.org/389/attachment/ticket/605/0001-Ticket-605-support-TLS-1.1.patch
Description:
NSS 3.14 deprecates the current way to configure SSL versions:
SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3|SSL_ENABLE_TLS, True|False)
Instead, it introduces new range APIs to provide more detailed SSL
version control by using SSL_VersionRangeSet(pr_sock, NSSVersions).
The NSSVersions has 2 fields "min" and "max", which take the minimum
and maximum SSL versions.
By default, slapd_ssl_init2 sets the default supported range by NSS,
which is min: SSL3 and max: TLS1.2. This patch adds 2 config params
sslVersionMin and sslVersionMax to cn=encryption,cn=config to provide
the ability to control the values.
Both takes: ssl3 or tls1.?. If the range is not supported by the
NSS or conflicts with the current params nsSSL3 and nsTLS1, it'd be
adjusted.
More information about the 389-devel
mailing list