Bug 1435692

Summary: Enhance OpenLDAP to support TLSv1.3 protocol with NSS
Product: Fedora
Component: openldap
Version: 26
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Matus Honek <mhonek>
Assignee: Matus Honek <mhonek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: extras-qa, hkario, mhonek, rmeggins
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openldap-2.4.44-10.fc26
Clone Of: 1435689
Bug Depends On: 1435689
Bug Blocks: 1415140
Type: Bug
Last Closed: 2017-04-06 13:43:37 UTC

Description Matus Honek 2017-03-24 14:30:14 UTC
+++ This bug was initially created as a clone of Bug #1435689 +++

Description of problem:
OpenLDAP cannot make use of the new TLSv1.3 protocol implemented in NSS.

Version-Release number of selected component (if applicable):
openldap-2.4.44-7.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set TLS_PROTOCOL_MIN, or its equivalent, to 3.4.
2. Try to establish a secure connection using the ldap* tools and/or to a slapd server.

Actual results:
TLS protocol error: no ciphers can be negotiated, establishing the TLS layer fails and the connection is dropped.

Expected results:
TLSv1.3 ciphers are proposed, TLS layer is successfully established.
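The reproduction above hinges on how OpenLDAP encodes the minimum protocol version: ldap.conf(5) documents TLS_PROTOCOL_MIN as `<major>[.<minor>]`, with 3.1 meaning TLS 1.0, 3.2 TLS 1.1, 3.3 TLS 1.2, and the report uses 3.4 for TLS 1.3. The following is an added example, not code from the bug report or from the openldap package: a small audit script that parses that directive out of an ldap.conf-style file, maps it to a protocol name, and flags minimums below TLS 1.2 as weak. The sample configurations are constructed, and the case-insensitive keyword matching is an assumption made for leniency.

```python
"""Audit the TLS_PROTOCOL_MIN directive in an OpenLDAP ldap.conf-style file.

Added example; not part of the bug report or the openldap package.
"""
import re

# OpenLDAP's major.minor encoding as documented in ldap.conf(5):
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2; 3.4 = TLS 1.3 is the
# value used in the bug report (3.0 is SSL 3.0).
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
RECOMMENDED_MIN = (3, 3)  # TLS 1.2: anything lower is treated as weak


def parse_protocol_min(value):
    """Parse '<major>[.<minor>]' into a (major, minor) tuple; minor defaults to 0."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?\s*", value)
    if not m:
        raise ValueError(f"malformed TLS_PROTOCOL_MIN value: {value!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def audit_ldap_conf(text):
    """Return one finding per TLS_PROTOCOL_MIN directive found in text.

    Each finding is a tuple (line_no, version_tuple, protocol_name, verdict).
    Comments (after '#') and blank lines are skipped; keyword matching is
    case-insensitive (assumption).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "TLS_PROTOCOL_MIN":
            continue
        ver = parse_protocol_min(parts[1])
        name = TLS_VERSIONS.get(ver, "unknown")
        if ver < RECOMMENDED_MIN:
            verdict = "weak: permits protocol versions below TLS 1.2"
        elif ver == (3, 4):
            # A TLS 1.3 minimum needs an OpenLDAP/NSS build that can offer
            # TLS 1.3 ciphers; otherwise the handshake fails as described above.
            verdict = "ok: TLS 1.3 minimum (requires TLS 1.3 support in OpenLDAP/NSS)"
        else:
            verdict = "ok"
        findings.append((line_no, ver, name, verdict))
    return findings


# Constructed sample configurations: weak, hardened, and TLS 1.3-only.
WEAK_CONF = """\
# constructed example: allows TLS 1.0
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_PROTOCOL_MIN 3.1
"""
HARDENED_CONF = """\
# constructed example: TLS 1.2 minimum
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_PROTOCOL_MIN 3.3
"""
TLS13_CONF = """\
# constructed example: the setting from the bug report
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_PROTOCOL_MIN 3.4
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("tls13", TLS13_CONF)):
        for line_no, ver, name, verdict in audit_ldap_conf(conf):
            print(f"{label}: line {line_no}: TLS_PROTOCOL_MIN {ver[0]}.{ver[1]} ({name}) -> {verdict}")
```

Running the script prints one line per sample configuration; pointing `audit_ldap_conf` at the contents of a real `/etc/openldap/ldap.conf` (or a user's `~/.ldaprc`) gives the same verdicts for that file.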

Comment 2 Fedora Update System 2017-03-31 11:37:02 UTC
openldap-2.4.44-9.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-73ef9020a4

Comment 3 Matus Honek 2017-04-03 11:32:40 UTC
For the following commit's description see bug 1435689 comment 4:
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?id=af30ccf247c0814d1902d2f3ebd87b4f8f806efc

There's a related bug 1437989 that aims to introduce an analogous behaviour for the minimal TLS protocol version configuration option.

Comment 4 Fedora Update System 2017-04-03 11:36:16 UTC
openldap-2.4.44-10.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-73ef9020a4

Comment 5 Fedora Update System 2017-04-04 01:52:29 UTC
openldap-2.4.44-10.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-73ef9020a4

Comment 6 Fedora Update System 2017-04-06 13:43:37 UTC
openldap-2.4.44-10.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.