Back to bug 1330758
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Marc Sauton | 2016-04-27 17:56:33 UTC | Summary | rfe/backport 389-ds-base min max TLS version support from RHEL 7 into RHEL 6, to disable TLS1.0 | add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base |
| Noriko Hosoi | 2016-05-03 20:53:20 UTC | Status | NEW | ASSIGNED |
| Noriko Hosoi | 2016-05-10 23:03:18 UTC | Status | ASSIGNED | POST |
| Chris Williams | 2016-07-14 15:28:55 UTC | Blocks | 1269194 | |
| Martin Kosek | 2016-08-18 09:48:51 UTC | Blocks | 1365846 | |
| Noriko Hosoi | 2016-10-06 20:28:42 UTC | Status | POST | MODIFIED |
| | | Fixed In Version | | 389-ds-base-1.2.11.15-83.el6 |
| errata-xmlrpc | 2016-10-06 21:02:52 UTC | Status | MODIFIED | ON_QA |
| Tomas Krizek | 2016-10-20 13:53:22 UTC | Blocks | 1367026 | |
| Amita Sharma | 2016-12-02 10:07:44 UTC | Status | ON_QA | VERIFIED |
| | | CC | | amsharma |
| Aneta Šteflová Petrová | 2016-12-12 08:15:44 UTC | Blocks | 1403694 | |
| Noriko Hosoi | 2017-01-10 18:57:14 UTC | Doc Text | | Problem: Directory Server on rhel-6 has no way to disable TLS1.0 but enable TLS1.1 and higher. Fix: This fix adds config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config so that the definition of nsTLS1 remains intact if the new parameters are not specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config entry, nsTLS1 is ignored and the new parameters are added. By default, TLS are configured as follows: cn=encryption,cn=config nsTLS1: on nsTLS10,nsTLS11,nsTLS12: ignored Result: Directory Server on rhel-6 has an ability to disable TLS1.0 but enable TLS1.1 and higher by setting as follows: cn=encryption,cn=config nsTLS10: off nsTLS11: on nsTLS12: on |
| | | Doc Type | Bug Fix | Enhancement |
| Marc Muehlfeld | 2017-01-11 17:19:46 UTC | Docs Contact | mmuehlfe | |
| Marc Muehlfeld | 2017-01-19 07:45:13 UTC | CC | nhosoi | |
| | | Doc Text | Problem: Directory Server on rhel-6 has no way to disable TLS1.0 but enable TLS1.1 and higher. Fix: This fix adds config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config so that the definition of nsTLS1 remains intact if the new parameters are not specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config entry, nsTLS1 is ignored and the new parameters are added. By default, TLS are configured as follows: cn=encryption,cn=config nsTLS1: on nsTLS10,nsTLS11,nsTLS12: ignored Result: Directory Server on rhel-6 has an ability to disable TLS1.0 but enable TLS1.1 and higher by setting as follows: cn=encryption,cn=config nsTLS10: off nsTLS11: on nsTLS12: on | Directory Server now supports enabling and disabling specific TLS versions. Previously, Directory Server running on Red Hat Enterprise Linux 6 provided no configuration options to enable or disable specific TLS versions. For example, it was not possible to disable the insecure TLS 1.0 protocol while keeping later versions enabled. This update adds the "nsTLS10", "nsTLS11", and "nsTLS12" parameters to the "cn=encryption,cn=config" entry. As a result, it is now possible to configure specific TLS protocol versions in Directory Server. Note that these parameters have a higher priority than the "nsTLS1" parameter, which enables or disables all TLS protocol versions. |
| | | Flags | | needinfo?(nhosoi) |
| Noriko Hosoi | 2017-01-19 23:43:14 UTC | Flags | needinfo?(nhosoi) | |
| errata-xmlrpc | 2017-03-21 00:57:56 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2017-03-21 10:21:10 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | | 2017-03-21 06:21:10 UTC |
| Simon Pichugin | 2020-09-13 21:43:48 UTC | Link ID | | Github 389ds/389-ds-base/issues/1876 |