Bug 1841086

Summary: SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version
Product: Red Hat Enterprise Linux 8
Reporter: Viktor Ashirov <vashirov>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 8.3
CC: ddas, msauton, pasik, spichugi, tbordaz, tmihinto, vashirov
Target Milestone: rc
Keywords: ZStream
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-1.4-8030020200805152009.618f7055
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 1867988 (view as bug list)
Last Closed: 2020-11-04 03:07:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1867988

Description Viktor Ashirov 2020-05-28 10:45:56 UTC
Description of problem:
Can't set TLS1.3 only:
dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:
[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL info: 	TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL info: 	TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL info: 	TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)

[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64


How reproducible:
always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64

Comment 1 mreynolds 2020-07-21 13:27:23 UTC
Upstream ticket:

https://pagure.io/389-ds-base/issue/51129

Comment 2 Marc Sauton 2020-07-23 15:46:43 UTC
adding Z-Stream + flag for customer 8.2.z candidate

Comment 6 Viktor Ashirov 2020-08-07 11:08:25 UTC
Build tested: 389-ds-base-1.4.3.8-5.module+el8.3.0+7569+08175a8a.x86_64

I had to slightly adjust test case dirsrvtests/tests/suites/tls/ssl_version_test.py to test all possible combinations of sslVersionMin and sslVersionMax.
All of these are working:

[07/Aug/2020:11:05:08.255533410 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.0
[07/Aug/2020:11:05:08.261112792 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.0

[07/Aug/2020:11:05:14.282235857 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.1
[07/Aug/2020:11:05:14.288014591 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.1

[07/Aug/2020:11:05:20.322074752 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[07/Aug/2020:11:05:20.325178304 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2

[07/Aug/2020:11:05:26.365983428 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[07/Aug/2020:11:05:26.371714079 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3

[07/Aug/2020:11:05:32.548564845 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.1
[07/Aug/2020:11:05:32.554266775 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.1

[07/Aug/2020:11:05:38.666270124 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[07/Aug/2020:11:05:38.671822638 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.2

[07/Aug/2020:11:05:44.863302949 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.3
[07/Aug/2020:11:05:44.873378127 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.3

[07/Aug/2020:11:05:51.039567033 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:05:51.045440560 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

[07/Aug/2020:11:05:57.145060645 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[07/Aug/2020:11:05:57.148958882 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3

[07/Aug/2020:11:06:03.290095078 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[07/Aug/2020:11:06:03.295841796 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3


Marking as VERIFIED.
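The failure in the description and the verification in comment 6 are both visible in the same two errors-log lines: "Configured SSL version range" followed by "NSS adjusted SSL version range". When NSS silently lowers the range (the description: TLS1.3 configured, TLS1.2 actually used), the adjusted line no longer matches the configured one and is preceded by "SSL alert" warnings. The following is an added example, not part of this bug report or of the 389-ds-base project: a small Python audit that pairs those lines per server start, attaches the SSL alert/failure messages around them, and flags any startup where the effective minimum fell below the policy the administrator intended. The log lines embedded in SAMPLE_LOG are copied from this bug's own output; the `required_min` parameter and the finding keys are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Rank the version labels exactly as 389-ds prints them so ranges compare.
TLS_RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}

# "Configured" is what slapd_ssl_init2 derived from cn=encryption;
# "NSS adjusted" is what NSS actually accepted for the listener.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (?P<kind>Configured|NSS adjusted) SSL version range: "
    r"min: (?P<min>\S+), max: (?P<max>\S+)$"
)
# WARN "SSL alert:" and ERR "SSL failure:" lines explain why a range changed.
ALERT_RE = re.compile(
    r" - (?:WARN|ERR) - Security Initialization - SSL (?:alert|failure): (?P<msg>.*)$"
)

# Constructed sample: the lines quoted in this bug, a broken start (May) followed
# by a fixed one (August) so both outcomes are exercised.
SAMPLE_LOG = """\
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:06:03.290095078 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[07/Aug/2020:11:06:03.295841796 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3
"""


def parse_range_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return ('configured'|'adjusted', min, max) for a version-range line, else None."""
    m = RANGE_RE.search(line.strip())
    if not m:
        return None
    kind = "configured" if m.group("kind") == "Configured" else "adjusted"
    return kind, m.group("min"), m.group("max")


def audit_ssl_init(log_text: str, required_min: str = "TLS1.3") -> List[dict]:
    """One finding per server start: the configured and NSS-adjusted ranges,
    the SSL alert/failure messages logged around them, whether NSS lowered
    either bound, and whether the effective minimum still meets required_min."""
    findings: List[dict] = []
    pending_alerts: List[str] = []
    current: Optional[dict] = None
    for line in log_text.splitlines():
        alert = ALERT_RE.search(line)
        if alert:
            pending_alerts.append(alert.group("msg"))
            continue
        parsed = parse_range_line(line)
        if parsed is None:
            continue
        kind, vmin, vmax = parsed
        if kind == "configured":
            # Alerts logged before the Configured line belong to this start.
            current = {"configured": (vmin, vmax), "alerts": pending_alerts}
            pending_alerts = []
        elif kind == "adjusted" and current is not None:
            cfg_min, cfg_max = current["configured"]
            current["adjusted"] = (vmin, vmax)
            current["alerts"] = current["alerts"] + pending_alerts
            pending_alerts = []
            current["downgraded"] = (
                TLS_RANK[vmin] < TLS_RANK[cfg_min] or TLS_RANK[vmax] < TLS_RANK[cfg_max]
            )
            current["meets_policy"] = TLS_RANK[vmin] >= TLS_RANK[required_min]
            findings.append(current)
            current = None
    return findings


if __name__ == "__main__":
    for i, f in enumerate(audit_ssl_init(SAMPLE_LOG), 1):
        state = "DOWNGRADED" if f["downgraded"] else "ok"
        print(f"start {i}: configured={f['configured']} effective={f['adjusted']} "
              f"{state} policy_met={f['meets_policy']} alerts={len(f['alerts'])}")
```

Run against a real errors log (`audit_ssl_init(open('/var/log/dirsrv/slapd-INSTANCE/errors').read())`), a start whose `meets_policy` is false means the server is accepting a lower TLS version than the administrator configured, which is exactly the silent condition in this bug: `dsconf` reports success and only the errors log reveals the change.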

Comment 10 errata-xmlrpc 2020-11-04 03:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695

Comment 11 Simon Pichugin 2021-11-09 02:08:03 UTC
*** Bug 1851819 has been marked as a duplicate of this bug. ***