Bug 1160467

Summary: support TLS 1.1 and later
Product: Red Hat Enterprise Linux 6
Reporter: Rich Megginson <rmeggins>
Component: openldap
Assignee: Jan Synacek <jsynacek>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.7
CC: ebenes, extras-qa, jsynacek, jv+fedora, lnykryn, mpoole, phracek, pkis, rh, rik.theys, rmeggins, sramling
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
* Support for the TLS protocol version 1.1 and later has been added. (BZ#1160467)
Story Points: ---
Clone Of: 1160466
: 1160468
Environment:
Last Closed: 2015-07-22 06:18:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1160466, 1164889
Bug Blocks: 1160468
Attachments:
- add tls1.2 ciphers (rmeggins: review+)
- V2 patch with more complete (and correct) cipher names (rmeggins: review+)

Description Rich Megginson 2014-11-04 21:42:12 UTC
+++ This bug was initially created as a clone of Bug #1160466 +++

Description of problem:
I don't believe tls_m.c supports TLS 1.1 and later.  This requires some additional NSS APIs.  You should be able to tell openldap to support TLS protocols > 1.0 with TLS_PROTOCOL_MIN

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Rich Megginson on 2014-11-04 16:41:22 EST ---

This needs to go into all versions of Fedora ASAP.  Should I clone this for all Fedora releases?
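
The TLS_PROTOCOL_MIN directive named in the description takes its value in ldap.conf(5) as <major>[.<minor>] using the record-layer version numbers: 3.0 is SSLv3, 3.1 is TLS 1.0, 3.2 is TLS 1.1 and 3.3 is TLS 1.2 (so "require TLS 1.x or later" is written as 3.(x+1)). The following Python script is an added example, not part of this bug or of the openldap project: it parses ldap.conf text and flags a client configuration whose floor is missing or still admits TLS 1.0. The sample configurations, including the ldap.example.test hostname, are constructed for the example; slapd's own TLSProtocolMin keyword is not covered.

```python
"""Audit an ldap.conf for the TLS_PROTOCOL_MIN floor.

Added example; not code from the bug report or from openldap. The protocol
numbering follows ldap.conf(5): 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1,
3.3 = TLS 1.2, 3.4 = TLS 1.3. The sample configurations are constructed.
"""
import re
from typing import Optional, Tuple

# Human-readable names for the version numbers ldap.conf understands.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# Floor the bug asks to be reachable: anything below TLS 1.1 is flagged.
REQUIRED_MIN = (3, 2)

# ldap.conf keywords are case-insensitive; the minor part is optional.
_DIRECTIVE = re.compile(r"^\s*TLS_PROTOCOL_MIN\s+(\d+)(?:\.(\d+))?\s*$",
                        re.IGNORECASE)


def parse_protocol_min(conf_text: str) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) floor from the last TLS_PROTOCOL_MIN line,
    ignoring '#' comments, or None when the directive is absent."""
    found = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _DIRECTIVE.match(line)
        if m:
            major = int(m.group(1))
            minor = int(m.group(2)) if m.group(2) is not None else 0
            found = (major, minor)          # a later line overrides an earlier one
    return found


def audit(conf_text: str) -> Tuple[bool, str]:
    """Return (ok, message); ok is True only when the floor is TLS 1.1 or later."""
    floor = parse_protocol_min(conf_text)
    if floor is None:
        return False, "TLS_PROTOCOL_MIN not set; the library default applies"
    name = VERSION_NAMES.get(floor, f"unknown version {floor[0]}.{floor[1]}")
    if floor < REQUIRED_MIN:
        return False, f"TLS_PROTOCOL_MIN admits {name}; set it to 3.2 or higher"
    return True, f"TLS_PROTOCOL_MIN floor is {name}"


# Constructed sample configurations (hostname and paths are made up).
WEAK_CONF = """\
# ldap.conf (constructed sample)
URI ldaps://ldap.example.test
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_PROTOCOL_MIN 3.1   # TLS 1.0 still accepted
"""

HARDENED_CONF = """\
# ldap.conf (constructed sample)
URI ldaps://ldap.example.test
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_PROTOCOL_MIN 3.3   # require TLS 1.2 or later
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        ok, msg = audit(conf)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against a real file with `audit(open("/etc/openldap/ldap.conf").read())`; the last matching directive wins, mirroring how a later line in the file overrides an earlier one.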

Comment 2 Sankar Ramalingam 2014-11-18 07:28:47 UTC
This is blocking 389-ds-base to be tested with latest versions of TLS1.1, TLS1.2 and above. Hence, marking this as testBlocker

Comment 17 Martin Poole 2015-06-10 17:03:38 UTC
Created attachment 1037365
add tls1.2 ciphers

Comment 18 Rich Megginson 2015-06-10 18:07:11 UTC
Comment on attachment 1037365
add tls1.2 ciphers

https://bugzilla.redhat.com/attachment.cgi?id=1037365&action=diff#openldap-2.4.40/libraries/libldap/tls_m.c.tls12_ciphers_sec4

What about adding an option for SHA384?

Comment 19 Martin Poole 2015-06-11 08:37:12 UTC
I put in the define for SSL_SHA384 since I noticed the recent discussion but I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.

Comment 20 Rich Megginson 2015-06-11 14:21:35 UTC
(In reply to Martin Poole from comment #19)
> I put in the define for SSL_SHA384 since I noticed the recent discussion but
> I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.

ok.  ack.

Comment 21 Martin Poole 2015-06-12 12:27:32 UTC
I appear to have got at least one name wrong, and am checking whether I managed the full suite of TLSv1.2 ciphers.  Should have new patch shortly.

Comment 22 Martin Poole 2015-06-12 14:51:28 UTC
Created attachment 1038095
V2 patch with more complete (and correct) cipher names

Comment 24 errata-xmlrpc 2015-07-22 06:18:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1292.html