Bug 1375432

Summary: Setting olcTLSProtocolMin does not change supported protocols
Product: Fedora
Component: openldap
Version: 25
Status: CLOSED ERRATA
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Matus Honek <mhonek>
Assignee: Matus Honek <mhonek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gswami, jsynacek, mhonek, mpoole, pkis, rmeggins
Keywords: Patch
Type: Bug
Doc Type: If docs needed, set a value
Fixed In Version: openldap-2.4.44-4.fc25 openldap-2.4.44-7.fc25
Clone Of: 1249092
Bug Depends On: 1249092
Last Closed: 2017-02-02 20:22:05 UTC

Description Matus Honek 2016-09-13 06:15:53 UTC
+++ This bug was initially created as a clone of Bug #1249092 +++

Steps to Reproduce:
1. configure for SSL

dn: cn=config
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

2. restart service
3. perform openssl s_client check.

Actual results:

openssl s_client -connect rhel6-64.example.com:636 -tls1
CONNECTED(00000003)
depth=2 O = example.com, CN = xyz CA
verify return:1
depth=1 O = example.com, CN = xyz Signing Cert
verify return:1
depth=0 CN = rhel6-64.example.com
verify return:1
---
Certificate chain
 0 s:/CN=rhel6-64.example.com
   i:/O=example.com/CN=xyz Signing Cert
 1 s:/O=example.com/CN=xyz Signing Cert
   i:/O=example.com/CN=xyz CA
 2 s:/O=example.com/CN=xyz CA
   i:/O=example.com/CN=xyz CA
---
Server certificate
-----BEGIN CERTIFICATE-----
** proper certificate contents **
-----END CERTIFICATE-----
subject=/CN=rhel6-64.example.com
issuer=/O=example.com/CN=xyz Signing Cert
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4663 bytes and written 321 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: ** proper session id **
    Session-ID-ctx:
    Master-Key: ** proper master key **
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438348837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Expected results:

Connection should fail.

Additional info:

Despite various attempts I'm not able to add any debugging which actually shows the passing of the protocol setting to the NSS codebase (tls_m.c).
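A way to verify the behaviour described above, added here as an example and not taken from the bug report or from OpenLDAP: it parses openssl s_client output and checks the negotiated protocol against the olcTLSProtocolMin floor. The embedded sample is constructed from the report's TLSv1 session block, and the default host name is the one used in the report.

```shell
#!/usr/bin/env bash
# Added example, not part of the bug report: check whether an LDAPS listener
# honours olcTLSProtocolMin by parsing openssl s_client output and comparing
# the negotiated protocol with the configured floor.
# olcTLSProtocolMin uses SSL version numbers: 3.1 = TLSv1, 3.2 = TLSv1.1,
# 3.3 = TLSv1.2. Map s_client's "Protocol :" names onto them.
proto_to_num() {
  case "$1" in
    SSLv3)   echo 3.0 ;;
    TLSv1)   echo 3.1 ;;
    TLSv1.1) echo 3.2 ;;
    TLSv1.2) echo 3.3 ;;
    TLSv1.3) echo 3.4 ;;
  esac
}
# Extract the negotiated protocol from s_client output read on stdin.
negotiated_protocol() {
  sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}
# Succeed (0) if the s_client output in $1 respects floor $2: either no
# session was established or the negotiated version is >= the floor.
handshake_respects_floor() {
  local out="$1" floor="$2" proto num
  proto=$(printf '%s\n' "$out" | negotiated_protocol)
  [ -z "$proto" ] && return 0   # server refused the handshake: correct
  num=$(proto_to_num "$proto")
  [ -n "$num" ] || return 1     # unknown protocol name: treat as failure
  awk -v n="$num" -v f="$floor" 'BEGIN { exit !(n >= f) }'
}
# Live probe (needs network): try each version and report any that slips
# below the floor. Default host:port and floor are the ones in the report.
probe_ldaps() {
  local hostport="${1:-rhel6-64.example.com:636}" floor="${2:-3.3}" flag out proto
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    out=$(openssl s_client -connect "$hostport" "$flag" </dev/null 2>/dev/null) || true
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if handshake_respects_floor "$out" "$floor"; then
      printf '%-8s ok (%s)\n' "$flag" "${proto:-rejected}"
    else
      printf '%-8s FAIL: negotiated %s below floor %s\n' "$flag" "$proto" "$floor"
    fi
  done
}
# Constructed sample: the session block from the report's "-tls1" run.
BUG_SAMPLE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'
# With the floor from the report (3.3) this sample must be flagged.
handshake_respects_floor "$BUG_SAMPLE" 3.3 && echo "floor honoured" || echo "BUG: TLSv1 accepted with olcTLSProtocolMin 3.3"
```

Run probe_ldaps against a patched server to confirm that -ssl3, -tls1 and -tls1_1 are all reported as rejected while -tls1_2 negotiates.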

Comment 2 Matus Honek 2017-01-23 13:30:45 UTC
Fix the previous commit in the SPEC file:
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?id=45704219c4d423b1c4ef4f5ddc2f6004e48cd4f1

Comment 3 Fedora Update System 2017-02-01 14:51:51 UTC
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 4 Fedora Update System 2017-02-01 23:52:02 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 5 Fedora Update System 2017-02-02 20:22:05 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.