Bug 1437989

Summary: OpenLDAP should make use of NSS' default for TLS_PROTOCOL_MIN
Product: [Fedora] Fedora Reporter: Matus Honek <mhonek>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 26CC: mhonek, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-05 14:00:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matus Honek 2017-03-31 15:02:43 UTC 
Description of problem:
Currently, OpenLDAP hardcodes minimal TLS protocol versions enabled by default. Instead, due to security evolving, it should use what cryptographic library considers secure, by default.

Version-Release number of selected component (if applicable):
openldap-2.4.44-9.fc25

How reproducible:
always

Actual results:
OpenLDAP has hardcoded defaults (enables SSLv3 and higher).

Expected results:
OpenLDAP uses results of SSL_VersionRangeGetDefault() to set TLS_PROTOCOL_MIN when this is not configured explicitly.
Comment 1 Matus Honek 2018-01-05 14:00:24 UTC 
This bug affects us no longer as we switched to OpenSSL in Fedora rawhide (bug 1400570). Closing as WONTFIX.