Bug 1160466

Summary: support TLS 1.1 and later
Product: [Fedora] Fedora
Reporter: Rich Megginson <rmeggins>
Component: openldap
Assignee: Jan Synacek <jsynacek>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jsynacek, jv+fedora, mreynolds, phracek, rik.theys, rmeggins
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openldap-2.4.40-2.fc22
Doc Type: Bug Fix
Clone Of:
: 1160467 1164889
Last Closed: 2014-11-14 09:26:54 UTC
Type: Bug
Bug Blocks: 1160467, 1160468, 1164889
Attachments:
openldap patch (flags: none)
Official patch to openldap (flags: none)

Description Rich Megginson 2014-11-04 21:40:29 UTC
Description of problem:
I don't believe tls_m.c supports TLS 1.1 and later.  This requires some additional NSS APIs.  You should be able to tell openldap to support TLS protocols > 1.0 with TLS_PROTOCOL_MIN.

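An added example, not part of the original report or of the openldap code: a small check of whether an ldap.conf sets TLS_PROTOCOL_MIN above TLS 1.0, using the `<major>[.<minor>]` encoding from ldap.conf(5), where 3.2 means TLS 1.1. The sample configurations are constructed, and treating the last occurrence of the option as the effective one is an assumption of this example.

```python
import re

# ldap.conf(5): TLS_PROTOCOL_MIN <major>[.<minor>]. 3.0 is SSL 3.0 and
# 3.(x+1) is TLS 1.x, so "3.2" requires TLS 1.1 or later.
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_protocol_min(value):
    """Return (major, minor) for a TLS_PROTOCOL_MIN value; ValueError if malformed."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        raise ValueError("malformed TLS_PROTOCOL_MIN value: %r" % value)
    return int(m.group(1)), int(m.group(2) or 0)

def audit_ldap_conf(text, required=(3, 2)):
    """Check whether ldap.conf text sets a minimum of at least `required`.

    Assumption of this example: if the option is repeated, the last line wins.
    """
    found = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if parts[0].upper() == "TLS_PROTOCOL_MIN":  # option names are case-insensitive
            found = parse_protocol_min(parts[1] if len(parts) > 1 else "")
    if found is None:
        return {"set": False, "minimum": None, "ok": False}
    label = NAMES.get(found, "%d.%d" % found)
    return {"set": True, "minimum": label, "ok": found >= required}

# Constructed sample configurations (hostname and path are placeholders).
SAMPLE_WEAK = """\
URI ldaps://ldap.example.test
TLS_CACERTDIR /etc/openldap/certs
# TLS_PROTOCOL_MIN 3.2
tls_protocol_min 3.1
"""
SAMPLE_STRONG = SAMPLE_WEAK + "TLS_PROTOCOL_MIN 3.2\n"

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(name, audit_ldap_conf(conf))
```

This checks the configuration only; whether the library honours the setting depends on the TLS backend it was built with, which is the subject of this bug.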

Comment 1 Rich Megginson 2014-11-04 21:41:22 UTC
This needs to go into all versions of Fedora ASAP.  Should I clone this for all Fedora releases?

Comment 2 mreynolds 2014-11-08 00:18:41 UTC
Created attachment 955151
openldap patch

Comment 3 Jan Synacek 2014-11-10 08:41:35 UTC
Mark, could you please submit the patch upstream and link the ITS to this bugzilla? Thanks!

Comment 4 mreynolds 2014-11-12 20:29:21 UTC
Created attachment 956867
Official patch to openldap

Comment 5 mreynolds 2014-11-12 20:30:52 UTC
(In reply to Jan Synacek from comment #3)
> Mark, could you please submit the patch upstream and link the ITS to this
> bugzilla? Thanks!

Jan,

The patch has been submitted to openldap:  ITS#7979

Thanks,
Mark

Comment 6 Jan Synacek 2014-11-14 09:26:54 UTC
Pushed:
http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=4b2abac9db548c3ce7f44df72517eec50d68eefc

Mark, could you please verify that the functionality remains? I had to backport the upstream patch, the code in rawhide openldap is quite different...

Comment 7 mreynolds 2014-11-14 15:29:38 UTC
(In reply to Jan Synacek from comment #6)
> Pushed:
> http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=4b2abac9db548c3ce7f44df72517eec50d68eefc
> 
> Mark, could you please verify that the functionality remains? I had to
> backport the upstream patch, the code in rawhide openldap is quite
> different...

Jan, so there is no "pvers" table in rawhide?  Can I look at the internal repo?  If so, not sure how to (you can email me offline with the details)?

The rest of the patch, the important part, looks good.

Thanks,
Mark