Bug 1330758

Summary: add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base
Product: Red Hat Enterprise Linux 6
Reporter: Marc Sauton <msauton>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 6.7
CC: amsharma, nhosoi, nkinder, rmeggins
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.2.11.15-83.el6
Doc Type: Enhancement
Doc Text:
Directory Server now supports enabling and disabling specific TLS versions

Previously, Directory Server running on Red Hat Enterprise Linux 6 provided no configuration options to enable or disable specific TLS versions. For example, it was not possible to disable the insecure TLS 1.0 protocol while keeping later versions enabled. This update adds the "nsTLS10", "nsTLS11", and "nsTLS12" parameters to the "cn=encryption,cn=config" entry. As a result, it is now possible to configure specific TLS protocol versions in Directory Server. Note that these parameters have a higher priority than the "nsTLS1" parameter, which enables or disables all TLS protocol versions.
Story Points: ---
Last Closed: 2017-03-21 10:21:10 UTC
Type: Bug
Regression: ---
Bug Blocks: 1269194, 1365846, 1367026, 1403694

Description Marc Sauton 2016-04-26 21:32:59 UTC
Description of problem:

389-ds-base added support for TLS 1.1 starting in 389-ds-base-1.2.11.15-55.el6, but there is no way to select the minimum TLS version on the server side like in RHEL 7; on RHEL 6 it is TLS 1.0 by default.

This is a customer request to add support for sslversionmin and sslversionmax in RHEL 6 389-ds-base. The goal is to disable TLS 1.0.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-72.el6_7.x86_64


How reproducible:
Always, with the default SSL/TLS configuration.


Steps to Reproduce:

1. RHDS install with SSL/TLS config, and in dse.ldif:
dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: off
nsTLS1: on

2. Try to mimic a "legacy" LDAP client that cannot do TLS 1.1 or TLS 1.2:
echo "exit" |  openssl s_client -no_tls1_1 -no_tls1_2 -connect 10.14.5.15:636 | grep Protocol


Actual results:
The LDAP server accepts TLS 1.0:

depth=1 CN = CAcert
DONE
    Protocol  : TLSv1


Expected results:

Support is needed for:
dn: cn=encryption,cn=config
sslversionmin: TLS1.1
sslversionmax: TLS1.2


Additional info:

Related BZs:
for rhel6 - 1118285 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS
for rhel7 - 1044191 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS
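Added example, not code from this bug or from 389-ds-base: a small Python audit that parses a cn=encryption,cn=config LDIF entry (the default entry shown later in this bug, copied here as constructed sample input) and works out which TLS versions are effectively enabled using the precedence rule stated in the Doc Text (nsTLS10, nsTLS11 and nsTLS12 take priority over nsTLS1). It then emits the ldapmodify LDIF that turns TLS 1.0 off while leaving 1.1 and 1.2 on. The function names are my own, and the rule that a version follows nsTLS1 when its per-version parameter is absent is an assumption, not something the page states.

```python
import base64
from typing import Dict, List, Optional

# The three per-version parameters added by this update, keyed by version label.
PER_VERSION_ATTR = {"TLS1.0": "nstls10", "TLS1.1": "nstls11", "TLS1.2": "nstls12"}


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute (lower-cased): [values]}.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ..."). Deliberately minimal: one entry only.
    """
    logical: List[str] = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded line: append without the leading space
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def _is_on(values: Optional[List[str]]) -> bool:
    """389-ds style boolean attribute: 'on' enables, anything else counts as off."""
    return bool(values) and values[-1].lower() == "on"


def effective_tls_versions(attrs: Dict[str, List[str]]) -> Dict[str, bool]:
    """Precedence rule from the Doc Text: a present nsTLS1x parameter wins for
    its version. ASSUMPTION: an absent per-version parameter follows nsTLS1."""
    all_tls = _is_on(attrs.get("nstls1"))
    return {
        version: (_is_on(attrs[attr]) if attr in attrs else all_tls)
        for version, attr in PER_VERSION_ATTR.items()
    }


def audit_encryption_entry(ldif: str) -> Dict[str, object]:
    """Return the effective versions plus the findings a reviewer would flag."""
    attrs = parse_ldif_entry(ldif)
    dn = attrs.get("dn", [""])[0].replace(" ", "").lower()
    if dn != "cn=encryption,cn=config":
        raise ValueError(f"not the encryption entry: {dn!r}")
    enabled = effective_tls_versions(attrs)
    findings: List[str] = []
    for legacy in ("nsssl2", "nsssl3"):
        if _is_on(attrs.get(legacy)):
            findings.append(f"{legacy} is on")
    if enabled["TLS1.0"]:
        findings.append("TLS1.0 is enabled")
    if not any(enabled.values()):
        findings.append("no TLS version enabled; LDAPS would be unusable")
    return {"enabled": enabled, "findings": findings}


def disable_tls10_modify_ldif() -> str:
    """LDIF for ldapmodify that turns TLS 1.0 off and keeps 1.1/1.2 on explicitly."""
    return (
        "dn: cn=encryption,cn=config\n"
        "changetype: modify\n"
        "replace: nsTLS10\n"
        "nsTLS10: off\n"
        "-\n"
        "replace: nsTLS11\n"
        "nsTLS11: on\n"
        "-\n"
        "replace: nsTLS12\n"
        "nsTLS12: on\n"
    )


# Constructed sample entries: the default entry from this bug, a hardened one,
# and one that shows a per-version parameter overriding nsTLS1.
DEFAULT_ENTRY = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on
"""
HARDENED_ENTRY = DEFAULT_ENTRY + "nsTLS10: off\nnsTLS11: on\nnsTLS12: on\n"
OVERRIDE_ENTRY = DEFAULT_ENTRY.replace("nsTLS1: on", "nsTLS1: off") + "nsTLS12: on\n"

if __name__ == "__main__":
    for label, entry in (("default", DEFAULT_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(label, audit_encryption_entry(entry))
    print(disable_tls10_modify_ldif())
```

Run the script against a copy of dse.ldif's encryption entry (or the output of an ldapsearch for cn=encryption,cn=config) to see whether TLS 1.0 is still reachable before and after applying the modify LDIF; the server needs a restart for the change to take effect, as with other cn=encryption settings.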

Comment 6 Noriko Hosoi 2016-05-03 20:53:20 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/48816

Comment 11 Amita Sharma 2016-12-02 10:07:44 UTC
[0 root@qeos-254 tests]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.9 Beta (Santiago)

[0 root@qeos-254 tests]# rpm -qa | grep 389
389-ds-base-libs-1.2.11.15-85.el6.x86_64
389-ds-base-1.2.11.15-85.el6.x86_64

[0 root@qeos-254 tests]# start-dirsrv 
Starting instance "master_1"
[02/Dec/2016:05:04:16 -0500] - reading config file /etc/dirsrv/slapd-master_1/slapd-collations.conf
[02/Dec/2016:05:04:16 -0500] - line 45: collation "" "" "" 1 3	2.16.840.1.113730.3.3.2.0.1	default
[02/Dec/2016:05:04:16 -0500] - line 46: collation ar "" "" 1 3	2.16.840.1.113730.3.3.2.1.1	ar
[02/Dec/2016:05:04:16 -0500] - line 47: collation be "" "" 1 3	2.16.840.1.113730.3.3.2.2.1	be
[02/Dec/2016:05:04:16 -0500] - line 48: collation bg "" "" 1 3	2.16.840.1.113730.3.3.2.3.1	bg
[02/Dec/2016:05:04:16 -0500] - line 49: collation ca "" "" 1 3	2.16.840.1.113730.3.3.2.4.1	ca
[02/Dec/2016:05:04:16 -0500] - line 50: collation cs "" "" 1 3	2.16.840.1.113730.3.3.2.5.1	cs
[02/Dec/2016:05:04:16 -0500] - line 51: collation da "" "" 1 3	2.16.840.1.113730.3.3.2.6.1	da
[02/Dec/2016:05:04:16 -0500] - line 52: collation de "" "" 1 3	2.16.840.1.113730.3.3.2.7.1	de
[02/Dec/2016:05:04:16 -0500] - line 53: collation de AT "" 1 3	2.16.840.1.113730.3.3.2.8.1	de-AT
[02/Dec/2016:05:04:16 -0500] - line 54: collation de CH "" 1 3	2.16.840.1.113730.3.3.2.9.1	de-CH
[02/Dec/2016:05:04:16 -0500] - line 55: collation el "" "" 1 3	2.16.840.1.113730.3.3.2.10.1	el
[02/Dec/2016:05:04:16 -0500] - line 56: collation en "" "" 1 3	2.16.840.1.113730.3.3.2.11.1	en	en-US
[02/Dec/2016:05:04:16 -0500] - line 57: collation en CA "" 1 3	2.16.840.1.113730.3.3.2.12.1	en-CA
[02/Dec/2016:05:04:16 -0500] - line 58: collation en GB "" 1 3	2.16.840.1.113730.3.3.2.13.1	en-GB
[02/Dec/2016:05:04:16 -0500] - line 59: collation en IE "" 1 3	2.16.840.1.113730.3.3.2.14.1	en-IE
[02/Dec/2016:05:04:16 -0500] - line 60: collation es "" "" 1 3	2.16.840.1.113730.3.3.2.15.1	es	es-ES
[02/Dec/2016:05:04:16 -0500] - line 61: collation et "" "" 1 3	2.16.840.1.113730.3.3.2.16.1	et
[02/Dec/2016:05:04:16 -0500] - line 62: collation fi "" "" 1 3	2.16.840.1.113730.3.3.2.17.1	fi
[02/Dec/2016:05:04:16 -0500] - line 63: collation fr "" "" 1 3	2.16.840.1.113730.3.3.2.18.1	fr	fr-FR
[02/Dec/2016:05:04:16 -0500] - line 64: collation fr BE "" 1 3	2.16.840.1.113730.3.3.2.19.1	fr-BE
[02/Dec/2016:05:04:16 -0500] - line 65: collation fr CA "" 1 3	2.16.840.1.113730.3.3.2.20.1	fr-CA
[02/Dec/2016:05:04:16 -0500] - line 66: collation fr CH "" 1 3	2.16.840.1.113730.3.3.2.21.1	fr-CH
[02/Dec/2016:05:04:16 -0500] - line 67: collation hr "" "" 1 3	2.16.840.1.113730.3.3.2.22.1	hr
[02/Dec/2016:05:04:16 -0500] - line 68: collation hu "" "" 1 3	2.16.840.1.113730.3.3.2.23.1	hu
[02/Dec/2016:05:04:16 -0500] - line 69: collation is "" "" 1 3	2.16.840.1.113730.3.3.2.24.1	is
[02/Dec/2016:05:04:16 -0500] - line 70: collation it "" "" 1 3	2.16.840.1.113730.3.3.2.25.1	it
[02/Dec/2016:05:04:16 -0500] - line 71: collation it CH "" 1 3	2.16.840.1.113730.3.3.2.26.1	it-CH
[02/Dec/2016:05:04:16 -0500] - line 72: collation iw "" "" 1 3	2.16.840.1.113730.3.3.2.27.1	iw
[02/Dec/2016:05:04:16 -0500] - line 73: collation ja "" "" 1 3	2.16.840.1.113730.3.3.2.28.1	ja
[02/Dec/2016:05:04:16 -0500] - line 74: collation ko "" "" 1 3	2.16.840.1.113730.3.3.2.29.1	ko
[02/Dec/2016:05:04:16 -0500] - line 75: collation lt "" "" 1 3	2.16.840.1.113730.3.3.2.30.1	lt
[02/Dec/2016:05:04:16 -0500] - line 76: collation lv "" "" 1 3	2.16.840.1.113730.3.3.2.31.1	lv
[02/Dec/2016:05:04:16 -0500] - line 77: collation mk "" "" 1 3	2.16.840.1.113730.3.3.2.32.1	mk
[02/Dec/2016:05:04:16 -0500] - line 78: collation nl "" "" 1 3	2.16.840.1.113730.3.3.2.33.1	nl
[02/Dec/2016:05:04:16 -0500] - line 79: collation nl BE "" 1 3	2.16.840.1.113730.3.3.2.34.1	nl-BE
[02/Dec/2016:05:04:16 -0500] - line 80: collation no "" "" 1 3	2.16.840.1.113730.3.3.2.35.1	no
[02/Dec/2016:05:04:16 -0500] - line 81: collation no NO B  1 3	2.16.840.1.113730.3.3.2.36.1	no-NO-B
[02/Dec/2016:05:04:16 -0500] - line 82: collation no NO NY 1 3	2.16.840.1.113730.3.3.2.37.1	no-NO-NY
[02/Dec/2016:05:04:16 -0500] - line 83: collation pl "" "" 1 3	2.16.840.1.113730.3.3.2.38.1	pl
[02/Dec/2016:05:04:16 -0500] - line 84: collation ro "" "" 1 3	2.16.840.1.113730.3.3.2.39.1	ro
[02/Dec/2016:05:04:16 -0500] - line 85: collation ru "" "" 1 3	2.16.840.1.113730.3.3.2.40.1	ru
[02/Dec/2016:05:04:16 -0500] - line 86: collation sh "" "" 1 3	2.16.840.1.113730.3.3.2.41.1	sh
[02/Dec/2016:05:04:16 -0500] - line 87: collation sk "" "" 1 3	2.16.840.1.113730.3.3.2.42.1	sk
[02/Dec/2016:05:04:16 -0500] - line 88: collation sl "" "" 1 3	2.16.840.1.113730.3.3.2.43.1	sl
[02/Dec/2016:05:04:16 -0500] - line 89: collation sq "" "" 1 3	2.16.840.1.113730.3.3.2.44.1	sq
[02/Dec/2016:05:04:16 -0500] - line 90: collation sr "" "" 1 3	2.16.840.1.113730.3.3.2.45.1	sr
[02/Dec/2016:05:04:16 -0500] - line 91: collation sv "" "" 1 3	2.16.840.1.113730.3.3.2.46.1	sv
[02/Dec/2016:05:04:16 -0500] - line 92: collation tr "" "" 1 3	2.16.840.1.113730.3.3.2.47.1	tr
[02/Dec/2016:05:04:16 -0500] - line 93: collation uk "" "" 1 3	2.16.840.1.113730.3.3.2.48.1	uk
[02/Dec/2016:05:04:16 -0500] - line 94: collation zh "" "" 1 3	2.16.840.1.113730.3.3.2.49.1	zh
[02/Dec/2016:05:04:16 -0500] - line 95: collation zh TW "" 1 3	2.16.840.1.113730.3.3.2.50.1	zh-TW
[02/Dec/2016:05:04:16 -0500] - line 97: collation "" "" "" 3 3	2.16.840.1.113730.3.3.2.0.3
[02/Dec/2016:05:04:16 -0500] - line 98: collation en "" "" 3 3	2.16.840.1.113730.3.3.2.11.3
[02/Dec/2016:05:04:16 -0500] SSL Initialization - supported range by NSS: min: SSL3, max: TLS1.2

And the configuration parameter is added:
By default
==========
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on

Hence Verified.

Comment 15 errata-xmlrpc 2017-03-21 10:21:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html