Bug 1905390
| Summary: | Attempting to set sslVersionMin to 1.0 is silently ignored | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sudhir Menon <sumenon> |
| Component: | 389-ds-base | Assignee: | LDAP Maintainers <ldap-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | RHDS QE <ds-qe-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.4 | CC: | fcami, ldap-maint, mreynolds |
| Target Milestone: | rc | Flags: | pm-rhel:
mirror+
|
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-01-19 16:46:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Mark, does this look familiar? Sudhir, what version of python3-lib389 is installed? Rob, The system has python3-lib389-1.4.3.16-3.module+el8.4.0+8869+55706461.noarch installed on it. I know when I run DS healthcheck it does report a warning if sslVersionMin is set to TLS1.0. But the server can adjust this min version if the crypto policy does not support it. Doing an ldapsearch can verify what the server is actually using:
ldapsearch -D "cn=directory manager" -W -b cn=encryption,cn=config objectclass=top sslVersionMin
It appears that 389-ds is silently ignoring updating this value. Even doing an ldapmodify to set sslVersionMin to TLS1.0 returns no error but it retains the value of TLS1.2 with, as far as I can tell, no mention in the error log. So healthcheck is correctly reporting the current status as SUCCESS because the value is indeed TLS1.2. It's the attempts to change the value which are failing. Not a bad thing but some sort of push back would be useful IMHO. Changing title of BZ as well to reflect the current state. (In reply to Rob Crittenden from comment #4) > It appears that 389-ds is silently ignoring updating this value. Even doing > an ldapmodify to set sslVersionMin to TLS1.0 returns no error but it retains > the value of TLS1.2 with, as far as I can tell, no mention in the error log. Well you need to restart the server for it to take effect, but at restart NSS might adjust it again (that is logged in the errors log at startup). Not sure there is a bug here, I'll check it later today... The value is accepted but after DS restart NSS adjusts it based off of the system crypto policy. This can be seen in the errors log: [19/Jan/2022:11:43:41.939342900 -0500] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3 [19/Jan/2022:11:43:41.939342900 -0500] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3 Closing as it works as expected |
Description of problem:ipa-healthcheck EncryptionCheck displays result as SUCCESS when sslVersionMin is set 1.0. Version-Release number of selected component (if applicable): ipa-server-4.9.0-0.3.rc2.module+el8.4.0+9015+e4c6695a.x86_64 ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch How reproducible: Always Steps to Reproduce: 1. Set the sslVersionMin in dse.ldif to 1.0 from 1.2 using the below command #dsconf slapd-RHEL83-TEST security set --tls-protocol-min=TLS1.0 dn: cn=encryption,cn=config CACertExtractFile: /tmp/slapd-RHEL83-TEST/RHEL83.TEST20IPA20CA.pem allowWeakCipher: off cn: encryption modifiersName: cn=Directory Manager modifyTimestamp: 20201208084506Z nsSSL3Ciphers: default nsSSLClientAuth: allowed nsSSLSessionTimeout: 0 objectClass: top objectClass: nsEncryptionConfig sslVersionMin: TLS1.0 numSubordinates: 1 2. Run ipa-healthcheck command #ipa-healthcheck --source ipahealthcheck.ds.encryption --all Actual results: healthcheck run displays results as SUCCESS [root@master ~]# ipa-healthcheck --source ipahealthcheck.ds.encryption --all [ { "source": "ipahealthcheck.ds.encryption", "check": "EncryptionCheck", "result": "SUCCESS", "uuid": "8c4e33bd-184e-43e6-ab23-1d3b7f02335b", "when": "20201208085904Z", "duration": "0.017437", "kw": {} } ] Expected results: healthcheck tool should return the status as ERROR i.e DSELE0001 "This Directory Server may not be using strong TLS protocol " "versions. TLS1.0 is known to\nhave a number of issues with " "the protocol. " "Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\n" "It is advised you set this value to the maximum possible." Additional info: