Bug 1160467 - support TLS 1.1 and later
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap (Show other bugs)
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jan Synacek
QA Contact: Patrik Kis
Keywords: TestBlocker
Depends On: 1160466 1164889
Blocks: 1160468
Reported: 2014-11-04 16:42 EST by Rich Megginson
Modified: 2015-07-23 07:19 EDT (History)

Doc Type: Enhancement
Doc Text:
* Support for the TLS protocol version 1.1 and later has been added. (BZ#1160467)
Clone Of: 1160466
Cloned to: 1160468
Last Closed: 2015-07-22 02:18:41 EDT
Type: Bug


Attachments
add tls1.2 ciphers (3.25 KB, patch)
2015-06-10 13:03 EDT, Martin Poole
rmeggins: review+
V2 patch with more complete (and correct) cipher names (5.35 KB, patch)
2015-06-12 10:51 EDT, Martin Poole
rmeggins: review+


External Trackers
Red Hat Product Errata RHBA-2015:1292 (priority normal, status SHIPPED_LIVE): openldap bug fix and enhancement update. Last updated 2015-07-20 13:48:41 EDT.

Description Rich Megginson 2014-11-04 16:42:12 EST
+++ This bug was initially created as a clone of Bug #1160466 +++

Description of problem:
I don't believe tls_m.c supports TLS 1.1 and later. This requires some additional NSS APIs. You should be able to tell openldap to support TLS protocols > 1.0 with TLS_PROTOCOL_MIN.


--- Additional comment from Rich Megginson on 2014-11-04 16:41:22 EST ---

This needs to go into all versions of Fedora ASAP.  Should I clone this for all Fedora releases?
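The TLS_PROTOCOL_MIN directive named in the description is the knob that sets the client-side protocol floor. The script below is an added example written for this page, not code from the bug report, the attached patches or OpenLDAP itself: it names the floor an ldap.conf sets (OpenLDAP encodes it as record-layer <major>.<minor>: 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2) and fails when the file still admits TLS 1.0 or lower. The two configuration files it writes are constructed samples; `ldap.example.com` and the certificate directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug or from OpenLDAP.
# TLS_PROTOCOL_MIN in ldap.conf (TLSProtocolMin in slapd.conf) takes the
# record-layer version as <major>.<minor>: 3.0 = SSLv3, 3.1 = TLSv1.0,
# 3.2 = TLSv1.1, 3.3 = TLSv1.2. A floor of 3.2 or higher is what this bug
# makes usable on the NSS (tls_m.c) build.

# tls_min_name VALUE: print the protocol name for a TLS_PROTOCOL_MIN value.
tls_min_name() {
    case "$1" in
        3.0) echo SSLv3 ;;
        3.1) echo TLSv1.0 ;;
        3.2) echo TLSv1.1 ;;
        3.3) echo TLSv1.2 ;;
        *)   echo "unknown ($1)"; return 1 ;;
    esac
}

# get_tls_min FILE: print the last TLS_PROTOCOL_MIN value in FILE, or nothing
# when it is not set. Directive names are case-insensitive and a line whose
# first field starts with '#' is a comment.
get_tls_min() {
    awk 'toupper($1) == "TLS_PROTOCOL_MIN" { v = $2 } END { if (v != "") print v }' "$1"
}

# check_tls_floor FILE: return 0 when the floor is TLS 1.1 or higher,
# 1 when it still admits TLS 1.0 or SSLv3, 2 when no floor is set at all
# (the library default then decides what gets negotiated).
check_tls_floor() {
    min=$(get_tls_min "$1")
    if [ -z "$min" ]; then
        echo "$1: TLS_PROTOCOL_MIN not set; library default applies"
        return 2
    fi
    major=${min%%.*}
    minor=${min#*.}
    if [ "$major" -gt 3 ] 2>/dev/null || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }; then
        echo "$1: floor $(tls_min_name "$min") - ok"
        return 0
    fi
    echo "$1: floor $(tls_min_name "$min") still permits pre-TLS1.1 handshakes - raise it"
    return 1
}

# Constructed sample configs (placeholder host and cert directory):
# the weak setting beside the corrected one.
weak=$(mktemp)
fixed=$(mktemp)
cat > "$weak" <<'EOF'
# /etc/openldap/ldap.conf before hardening
URI ldaps://ldap.example.com
TLS_CACERTDIR /etc/openldap/certs
TLS_PROTOCOL_MIN 3.1
EOF
cat > "$fixed" <<'EOF'
URI ldaps://ldap.example.com
TLS_CACERTDIR /etc/openldap/certs
# TLS_PROTOCOL_MIN 3.1   (old floor: TLS 1.0 still negotiable)
TLS_PROTOCOL_MIN 3.3
EOF

check_tls_floor "$weak" || true   # reports the TLS 1.0 floor and returns 1
check_tls_floor "$fixed"          # reports TLSv1.2 and returns 0
rm -f "$weak" "$fixed"
```

Against a server that only speaks TLS 1.0, a client floor of 3.2 or 3.3 makes `ldapsearch -ZZ` fail the handshake, which is the intended outcome. On the pre-fix NSS build this bug describes the same floor fails against every server, because the library side never negotiates above TLS 1.0; that is the behaviour the errata resolves.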
Comment 2 Sankar Ramalingam 2014-11-18 02:28:47 EST
This is blocking 389-ds-base from being tested with the latest TLS versions, TLS1.1, TLS1.2 and above. Hence, marking this as TestBlocker.
Comment 17 Martin Poole 2015-06-10 13:03:38 EDT
Created attachment 1037365 [details]
add tls1.2 ciphers
Comment 18 Rich Megginson 2015-06-10 14:07:11 EDT
Comment on attachment 1037365 [details]
add tls1.2 ciphers

https://bugzilla.redhat.com/attachment.cgi?id=1037365&action=diff#openldap-2.4.40/libraries/libldap/tls_m.c.tls12_ciphers_sec4

What about adding an option for SHA384?
Comment 19 Martin Poole 2015-06-11 04:37:12 EDT
I put in the define for SSL_SHA384 since I noticed the recent discussion but I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.
Comment 20 Rich Megginson 2015-06-11 10:21:35 EDT
(In reply to Martin Poole from comment #19)
> I put in the define for SSL_SHA384 since I noticed the recent discussion but
> I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.

ok.  ack.
Comment 21 Martin Poole 2015-06-12 08:27:32 EDT
I appear to have got at least one name wrong, and am checking whether I managed the full suite of TLSv1.2 ciphers. Should have a new patch shortly.
Comment 22 Martin Poole 2015-06-12 10:51:28 EDT
Created attachment 1038095 [details]
V2 patch with more complete (and correct) cipher names
Comment 24 errata-xmlrpc 2015-07-22 02:18:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1292.html
