This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47928

On the new installation, SSL v3 should be disabled by default, and provide the safe cipher suites.

Steps to verify.

Enable SSL with default cn=encryption,cn=config. That is no "nsSSL3" nor "nsTLS1".
Check the error log and if the SSL version range does not include SSLv3 (e.g., as follows), the fix is verified.

SSL Initialization - SSL version range: min: TLS1.1, max: TLS1.2

You can use logconv.pl, as well.
https://bugzilla.redhat.com/show_bug.cgi?id=1153737#c7

By default SSLv3 is disabled. However, when I disable TLS1 and enable SSL3, it doesn't throw any error or warning messages.

[root@cloud-qe-15 ~]# ldapsearch -LLL -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=config"
dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: off
nsTLS1: on

[root@cloud-qe-15 ~]# ldapmodify -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=encryption,cn=config
> replace: nsSSL3
> nsSSL3: on
> EOF
modifying entry "cn=encryption,cn=config"

[root@cloud-qe-15 ~]# ldapmodify -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=encryption,cn=config
replace: nsTLS1
nsTLS1: off
EOF
modifying entry "cn=encryption,cn=config"

[root@cloud-qe-15 ~]# ldapsearch -LLL -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=config"
dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: on
nsTLS1: off

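An added example, not part of the bug report or of 389-ds itself: the two checks discussed in this thread, written as shell functions that read the error log and the `ldapsearch -LLL` output on stdin. The function names are hypothetical, the sample input is constructed from the lines quoted above, and the spelling `SSL3` for an SSLv3 minimum in the log line is an assumption.

```shell
#!/bin/sh
# Audit helper for the checks in this bug (added example, names are hypothetical).

# Read an error log on stdin and inspect the last "SSL version range" line.
# Returns 0 if the range starts above SSLv3, 1 if it starts at SSLv3,
# 2 if the log has no such line (SSL not initialised or log rotated).
check_version_range() {
    range=$(sed -n 's/.*SSL version range: min: \([^,]*\), max: \(.*\)$/\1 \2/p' | tail -n 1)
    [ -n "$range" ] || { echo "no SSL version range line found"; return 2; }
    min=${range%% *}
    case "$min" in
        SSL3*|SSLv3*) echo "FAIL: range starts at $min"; return 1 ;;  # assumed label
        *)            echo "OK: range is $range"; return 0 ;;
    esac
}

# Read the cn=encryption,cn=config entry (LDIF) on stdin and report legacy
# protocol switches that are on. Returns 1 if nsSSL2 or nsSSL3 is on, else 0.
check_encryption_entry() {
    weak=$(awk -F': *' '
        tolower($1) ~ /^nsssl[23]$/ && tolower($2) == "on" {
            w = (w == "" ? "" : w ",") $1
        }
        END { print w }')
    [ -z "$weak" ] || { echo "WARN: enabled: $weak"; return 1; }
    echo "OK: nsSSL2/nsSSL3 not enabled"
}

# Constructed sample input: the log line from the verification steps and the
# entry as it looked after nsSSL3 was switched on and nsTLS1 off.
SAMPLE_LOG='SSL Initialization - SSL version range: min: TLS1.1, max: TLS1.2'
SAMPLE_LDIF='dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: on
nsTLS1: off'

printf '%s\n' "$SAMPLE_LOG"  | check_version_range    || echo "exit status $?"
printf '%s\n' "$SAMPLE_LDIF" | check_encryption_entry || echo "exit status $?"
```

On a live instance the same functions take the server's error log and the `ldapsearch` command shown above as their input.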
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1326.html