Bug 1255403

Summary: [RFE] - Error message has duplicate alerts when you try to set sslVersionMin = "ssl2"
Product: Red Hat Enterprise Linux 7
Reporter: Amita Sharma <amsharma>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED NOTABUG
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: amsharma, nkinder, rmeggins
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-18 20:44:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Amita Sharma 2015-08-20 13:39:03 UTC
Description of problem:
 Error message has duplicate alerts when you try to set sslVersionMin = "ssl2"

Version-Release number of selected component (if applicable):
[root@dhcp201-167 /]# rpm -qa | grep 389
389-ds-base-libs-1.3.4.0-13.el7.x86_64
389-ds-base-1.3.4.0-13.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
=====================
1. Set values:
nsTLS1: on
nsSSL2: off
nsSSL3: off
AND
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2

2. Now try to modify sslVersionMin to "ssl2"

Actual results:
=================
Error Logs ::
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Aug/2015:15:22:01 +051800] - 389-Directory/1.3.4.0 B2015.231.1727 starting up
[20/Aug

Expected results:
==================
The first alert in the error logs is misleading. It says -- SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.

While the setting the server actually applies is -- SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.

So the server should not log the first alert at all.
The second alert is accurate and enough.

Additional info:
Check https://bugzilla.redhat.com/show_bug.cgi?id=1044191#c9 for more details regarding original fix.
FOR QA - there is a test case trac605 in ssl.sh for this bug.
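
Added example (not part of the original report and not 389-ds-base code): a Python check that reads the startup lines quoted under "Actual results" and reports when an SSL alert announces a fallback minimum that differs from the range the server finally logs. The function name, the result keys and the set of versions treated as weak are assumptions of this example.

```python
import re

# Message formats copied from the error log excerpt in this report.
FALLBACK = re.compile(
    r'The value of sslVersionMin "([^"]+)" is lower than the supported '
    r'version; the default value "([^"]+)" is used')
EFFECTIVE = re.compile(
    r'Configured SSL version range: min: ([^,\s]+), max: ([^,\s]+)')

# Versions this example treats as too weak for an effective minimum (assumption).
WEAK = {"SSL2", "SSL3"}


def audit_startup(lines):
    """Reconcile SSL alerts with the version range the server finally reports."""
    result = {"requested_min": None, "announced_min": None,
              "effective": None, "findings": []}
    for line in lines:
        m = FALLBACK.search(line)
        if m:
            result["requested_min"], result["announced_min"] = m.groups()
        m = EFFECTIVE.search(line)
        if m:
            result["effective"] = m.groups()
    eff = result["effective"]
    if eff is None:
        result["findings"].append("no effective range logged")
        return result
    announced = result["announced_min"]
    # The alert named one fallback, but the final range starts somewhere else.
    if announced and announced.upper() != eff[0].upper():
        result["findings"].append(
            f"alert announced min {announced} but server uses {eff[0]}")
    if eff[0].upper() in WEAK:
        result["findings"].append(f"effective min {eff[0]} is below TLS1.0")
    return result


# Log lines from the "Actual results" section of this report.
SAMPLE = [
    '[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.',
    '[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.',
    '[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2',
]

if __name__ == "__main__":
    print(audit_startup(SAMPLE))
```

The "Configured SSL version range" line is the one to trust when auditing which protocol versions a server accepts; the alerts before it describe intermediate steps.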

Comment 4 Noriko Hosoi 2015-09-24 00:51:51 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/48291

Comment 6 Noriko Hosoi 2015-12-18 20:44:31 UTC
Please see this comment:
https://fedorahosted.org/389/ticket/48291#comment:1