Bug 1249092

Summary: Setting olcTLSProtocolMin does not change supported protocols
Product: Red Hat Enterprise Linux 6
Reporter: Martin Poole <mpoole>
Component: openldap
Assignee: Matus Honek <mhonek>
Status: CLOSED ERRATA
QA Contact: Stefan Kremen <skremen>
Severity: medium
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high
Version: 6.7
CC: apetrova, arajendr, bressers, ebenes, mhonek, mlstarling31, mpoole, nkinder, pkis, pseeley, salmy, sardella
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openldap-2.4.40-13.el6
Doc Type: Bug Fix
Doc Text:
OpenLDAP now correctly sets NSS settings

Previously, the OpenLDAP server mishandled the code that applies Network Security Services (NSS) settings. As a consequence, the settings were not applied, which caused certain NSS options, such as "olcTLSProtocolMin", not to work correctly. This update addresses the bug, and as a result the affected NSS options now work as expected.
Story Points: ---
Clone Of:
: 1249093 1375432
Environment:
Last Closed: 2017-03-21 10:18:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1247675, 1249093, 1253743, 1269194, 1310222, 1365846, 1375432

Description Martin Poole 2015-07-31 13:24:16 UTC
Description of problem:

Following release of "Bug 1160467 - support TLS 1.1 and later" it should be possible to select the minimum TLS protocol level.

Version-Release number of selected component (if applicable):

openldap-2.4.40-5.el6

How reproducible:

Always

Steps to Reproduce:
1. configure for SSL

dn: cn=config
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

2. restart service
3. perform openssl s_client check.

Actual results:

openssl s_client -connect rhel6-64.example.com:636 -tls1
CONNECTED(00000003)
depth=2 O = example.com, CN = clica CA
verify return:1
depth=1 O = example.com, CN = clica Signing Cert
verify return:1
depth=0 CN = rhel6-64.example.com
verify return:1
---
Certificate chain
 0 s:/CN=rhel6-64.example.com
   i:/O=example.com/CN=clica Signing Cert
 1 s:/O=example.com/CN=clica Signing Cert
   i:/O=example.com/CN=clica CA
 2 s:/O=example.com/CN=clica CA
   i:/O=example.com/CN=clica CA
---
Server certificate
subject=/CN=rhel6-64.example.com
issuer=/O=example.com/CN=clica Signing Cert
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4663 bytes and written 321 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0A159951963EC6420D80001F50BAE04FD38BFB868AF5EF3C070480DCED883EAB
    Session-ID-ctx:
    Master-Key: E9630471D6A8D5774339F886074C6ED83BDA403D320B0EEFD709492868D03C4FAC558CBB2298872044CA73AAB093F219
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438348837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Expected results:

Connection should fail.

Additional info:

Despite various attempts, I'm not able to add any debugging which actually shows the passing of the protocol setting to the NSS codebase (tls_m.c).
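
A small verification script, added here as an example and not taken from the bug report or the openldap package, that automates step 3 above for every TLS version openssl s_client can force and compares each result with what the configured olcTLSProtocolMin value requires (3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2). The function names, and the host and port passed in, are assumptions; the bug's own run used rhel6-64.example.com:636 with -tls1.

```shell
#!/bin/sh
# Added example (not from the bug report): probe an LDAPS port with each TLS
# version openssl s_client can force and compare the outcome with what the
# configured olcTLSProtocolMin value requires. Host and port are assumptions.

# olcTLSProtocolMin is the record-layer version <major>.<minor>:
# 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2.  Map a minor number to the
# s_client flag that forces exactly that version.
flag_for_minor() {
    case "$1" in
        1) echo "-tls1" ;;
        2) echo "-tls1_1" ;;
        3) echo "-tls1_2" ;;
        *) return 1 ;;
    esac
}

# Outcome a correctly configured server must produce for a handshake at
# version 3.<probe_minor> when olcTLSProtocolMin is <min>: accept or reject.
# Pure string/number logic, so it needs no server to run.
expected_outcome() {
    min_minor="${1#3.}"
    if [ "$2" -ge "$min_minor" ]; then echo accept; else echo reject; fi
}

# One forced handshake; returns 0 if the server completed it, non-zero if it
# refused (the verify code of the server certificate does not matter here).
# stdin is /dev/null so s_client exits as soon as the handshake is decided.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# Walk TLS 1.0 .. 1.2, print one line per version, and return non-zero if
# any result contradicts the configured minimum (the symptom of this bug).
check_min_protocol() {
    host="$1"; port="$2"; min="$3"; rc=0
    for minor in 1 2 3; do
        flag=$(flag_for_minor "$minor")
        want=$(expected_outcome "$min" "$minor")
        if probe "$host" "$port" "$flag"; then got=accept; else got=reject; fi
        if [ "$want" = "$got" ]; then status=OK; else status=MISMATCH; rc=1; fi
        echo "$flag: expected $want, got $got -> $status"
    done
    return "$rc"
}

# Usage: check_min_protocol rhel6-64.example.com 636 3.3
```

Against an openldap-2.4.40-5.el6 server configured with olcTLSProtocolMin 3.3 the -tls1 line reports MISMATCH, which is exactly the symptom described above; after the fixed build it should report OK for all three versions.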

Comment 20 errata-xmlrpc 2017-03-21 10:18:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0664.html