Bug 1711172

Summary: Removing TLSv1.0, TLSv1.1 from nss.conf
Product: Red Hat Enterprise Linux 7 Reporter: amitkuma
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.6CC: afarley, frenaud, mjahoda, ndehadra, pasik, pvoborni, rcritten, sorlov, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: ipa-4.6.6-1.el7 Doc Type: Bug Fix
Doc Text:
.IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server's network security service (NSS) module. This update provides the following changes: * When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol. * On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols. As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server's NSS module.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 19:55:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: Red Hat1710435    

Description amitkuma 2019-05-17 07:13:19 UTC

-> Insights reports the following "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)"
# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Why we still have the weak protocols still enabled and then have Insights complain about this.

Action Item:
- Use latest NSS version available.

Comment 3 Florence Blanc-Renaud 2019-06-27 12:52:13 UTC
Upstream ticket:

Comment 4 Florence Blanc-Renaud 2019-07-05 09:00:51 UTC
Fixed upstream

Note: the fix applies only to ipa-4-6 branch used for rhel 7.7+

Comment 6 Sergey Orlov 2019-10-08 11:26:38 UTC
Fix verified for build RHEL-7.8-20191004.0

# rpm -q ipa-server

# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.2

Comment 11 Rob Crittenden 2019-11-01 17:49:58 UTC
Upstream test

Comment 16 errata-xmlrpc 2020-03-31 19:55:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.