Bug 1867988

Summary: SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version [rhel-8.2.0.z]
Product: Red Hat Enterprise Linux 8
Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Priority: high
Version: 8.3
CC: ddas, msauton, pasik, spichugi, tbordaz, tmihinto, vashirov
Target Milestone: rc
Keywords: ZStream
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.4.2.4-9.module+el8.2.0+7732+be29fed1
Clone Of: 1841086
Last Closed: 2020-09-08 09:50:49 UTC
Bug Depends On: 1841086

Comment 4 Viktor Ashirov 2020-08-25 16:52:27 UTC
Build tested: 389-ds-base-1.4.2.4-10.module+el8.2.0+7749+4a513fb2.x86_64

I had to slightly adjust test case dirsrvtests/tests/suites/tls/ssl_version_test.py to test all possible combinations of sslVersionMin and sslVersionMax and set the crypto policy to LEGACY.
 
diff --git a/dirsrvtests/tests/suites/tls/ssl_version_test.py b/dirsrvtests/tests/suites/tls/ssl_version_test.py
index 67da349eb..de18b9ea3 100644
--- a/dirsrvtests/tests/suites/tls/ssl_version_test.py
+++ b/dirsrvtests/tests/suites/tls/ssl_version_test.py
@@ -52,14 +52,20 @@ def test_ssl_version_range(topo):
     assert max == default_min
 
     # Sanity test all the min/max versions
-    for attr, versions in [('sslVersionMin', ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0']),
-                           ('sslVersionMax', ['TLS1.0', 'TLS1.1', 'TLS1.2'])]:
-        for version in versions:
-            # Test that the setting is correctly applied after a restart
-            enc.replace(attr, version)
-            topo.standalone.restart()
-            current_val = enc.get_attr_val_utf8(attr)
-            assert current_val == version
+    TLS = ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.3']
+
+    for sslVersionMin in TLS:
+        for sslVersionMax in TLS:
+            if sslVersionMin <= sslVersionMax:
+                # Test that the setting is correctly applied after a restart
+                enc.replace('sslVersionMin', sslVersionMin)
+                enc.replace('sslVersionMax', sslVersionMax)
+                topo.standalone.restart()
+                sslVersionMin_current_val = enc.get_attr_val_utf8('sslVersionMin')
+                sslVersionMax_current_val = enc.get_attr_val_utf8('sslVersionMax')
+                assert sslVersionMin_current_val == sslVersionMin
+                assert sslVersionMax_current_val == sslVersionMax
+
 
 
 if __name__ == '__main__':
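Review bot: The two asserts at the end of the new loop only read sslVersionMin and sslVersionMax back through enc.get_attr_val_utf8(), so they pass as long as the attribute is stored, even if the server lowers the range at startup. Since the server logs both a "Configured SSL version range" and an "NSS adjusted SSL version range" line on each restart, the loop could also check the error log after topo.standalone.restart() and require the adjusted range to equal the pair just set. Two smaller points: `if sslVersionMin <= sslVersionMax:` is a string comparison that happens to order these four values correctly, so iterating by list index (for example, the inner loop over TLS[i:]) would make the intent explicit; and the TLS1.0 and TLS1.1 combinations depend on the system crypto policy, which the hunk neither sets nor checks, so the test should set it in a fixture or skip those combinations when the policy forbids them.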


All of these are working:

[25/Aug/2020:12:43:38.394465641 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.0
[25/Aug/2020:12:43:38.399957976 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.0

[25/Aug/2020:12:43:43.481093794 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.1
[25/Aug/2020:12:43:43.485010095 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.1

[25/Aug/2020:12:43:48.688490311 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[25/Aug/2020:12:43:48.731776701 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2

[25/Aug/2020:12:43:54.095705858 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[25/Aug/2020:12:43:54.099706177 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3

[25/Aug/2020:12:43:59.473381069 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.1
[25/Aug/2020:12:43:59.477937350 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.1

[25/Aug/2020:12:44:04.585815767 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[25/Aug/2020:12:44:04.590611984 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.2

[25/Aug/2020:12:44:09.667366650 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.3
[25/Aug/2020:12:44:09.674087184 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.3

[25/Aug/2020:12:44:14.762782257 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[25/Aug/2020:12:44:14.766637755 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

[25/Aug/2020:12:44:19.892565716 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[25/Aug/2020:12:44:19.898077664 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3

[25/Aug/2020:12:44:24.996565517 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[25/Aug/2020:12:44:25.010539031 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Marking as VERIFIED.
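
An added example (not part of the original comment or of the 389-ds-base test suite): a small checker that pairs each "Configured SSL version range" line with the following "NSS adjusted SSL version range" line and reports any restart where NSS did not keep the configured range. The function names and the second log pair in the sample are assumptions made for the illustration.

```python
import re

# Matches the two slapd_ssl_init2 INFO line formats quoted in the comment above.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (?P<kind>Configured|NSS adjusted) SSL version range: "
    r"min: (?P<min>TLS\d\.\d), max: (?P<max>TLS\d\.\d)"
)

def version_key(name):
    """'TLS1.3' -> (1, 3), so versions compare numerically, not as strings."""
    major, minor = name[3:].split(".")
    return int(major), int(minor)

def find_range_mismatches(lines):
    """Pair each 'Configured' line with the next 'NSS adjusted' line and
    return (configured, adjusted) tuples where the two ranges differ."""
    mismatches, configured = [], None
    for line in lines:
        m = RANGE_RE.search(line)
        if not m:
            continue
        rng = (m["min"], m["max"])
        if m["kind"] == "Configured":
            configured = rng
        elif configured is not None:
            if rng != configured:
                mismatches.append((configured, rng))
            configured = None
    return mismatches

def max_was_lowered(configured, adjusted):
    """True when NSS ended up with a lower maximum than was configured."""
    return version_key(adjusted[1]) < version_key(configured[1])

# Constructed sample: the first pair is copied from the log in the comment,
# the second pair is made up to show a clamped maximum.
SAMPLE_LOG = """\
[25/Aug/2020:12:43:54.095705858 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[25/Aug/2020:12:43:54.099706177 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3
[01/Jan/2020:00:00:00.000000000 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[01/Jan/2020:00:00:05.000000000 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
""".splitlines()

if __name__ == "__main__":
    for configured, adjusted in find_range_mismatches(SAMPLE_LOG):
        note = "max lowered" if max_was_lowered(configured, adjusted) else "range changed"
        print(f"configured {configured} but NSS uses {adjusted}: {note}")
```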

Comment 7 errata-xmlrpc 2020-09-08 09:50:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3667