[389-devel] Please review: [389 Project] #605: support TLS 1.1

Noriko Hosoi nhosoi at redhat.com
Sat Nov 16 00:11:47 UTC 2013


https://fedorahosted.org/389/ticket/605

https://fedorahosted.org/389/attachment/ticket/605/0001-Ticket-605-support-TLS-1.1.patch

  Description:
  NSS 3.14 deprecates the current way to configure SSL versions:
    SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3|SSL_ENABLE_TLS, True|False)
  Instead, it introduces new range APIs to provide more detailed SSL
  version control by using SSL_VersionRangeSet(pr_sock, NSSVersions).
  The NSSVersions has 2 fields "min" and "max", which take the minimum
  and maximum SSL versions.

  By default, slapd_ssl_init2 sets the default supported range by NSS,
  which is min: SSL3 and max: TLS1.2.  This patch adds 2 config params
  sslVersionMin and sslVersionMax to cn=encryption,cn=config to provide
  the ability to control the values.

  Both take: ssl3 or tls1.?.  If the range is not supported by the
  NSS or conflicts with the current params nsSSL3 and nsTLS1, it'd be
  adjusted.
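
The following C example is added here and is not taken from the patch or from 389 Directory Server: it parses the `ssl3` / `tls1.?` values described above and fits them into a supported min/max range. The names `parse_version`, `effective_range` and `struct version_range` are hypothetical, and the adjustment policy (fall back to the library bound, clamp, raise max on an inverted range) is an assumption, since the post does not say how the patch adjusts; the `nsSSL3`/`nsTLS1` interaction is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Protocol version numbers as used on the wire: SSL3 = 0x0300, TLS1.x = 0x0301 + x. */
enum { V_SSL3 = 0x0300, V_TLS1_0 = 0x0301, V_TLS1_1 = 0x0302, V_TLS1_2 = 0x0303 };

/* Hypothetical stand-in for the min/max pair handed to SSL_VersionRangeSet. */
struct version_range { unsigned short min, max; };

/* Parse "ssl3" or "tls1.N" (spelled as in the post); return 0 for anything else. */
static unsigned short parse_version(const char *s)
{
    if (s == NULL) return 0;
    if (strcmp(s, "ssl3") == 0) return V_SSL3;
    if (strncmp(s, "tls1.", 5) == 0 && s[5] >= '0' && s[5] <= '9' && s[6] == '\0')
        return (unsigned short)(V_TLS1_0 + (s[5] - '0'));
    return 0;
}

/*
 * Build the effective range from the two config strings.
 * Assumed policy: a missing or unparsable value falls back to the library
 * bound, out-of-range values are clamped to what the library supports, and
 * an inverted range (min > max) is resolved by raising max to min, so the
 * configured floor is never silently lowered.
 */
static struct version_range effective_range(const char *min_s, const char *max_s,
                                            struct version_range supported)
{
    struct version_range r;
    r.min = parse_version(min_s);
    r.max = parse_version(max_s);
    if (r.min == 0) r.min = supported.min;
    if (r.max == 0) r.max = supported.max;
    if (r.min < supported.min) r.min = supported.min;
    if (r.min > supported.max) r.min = supported.max;
    if (r.max > supported.max) r.max = supported.max;
    if (r.max < r.min) r.max = r.min;
    return r;
}

int main(void)
{
    struct version_range nss = { V_SSL3, V_TLS1_2 };  /* default range named in the post */
    struct version_range r = effective_range("tls1.1", "tls1.9", nss);
    printf("min=0x%04x max=0x%04x\n", r.min, r.max);
    return 0;
}
```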


