Bug 1160467 - support TLS 1.1 and later
Summary: support TLS 1.1 and later
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Synacek
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1160466 1164889
Blocks: 1160468
Reported: 2014-11-04 21:42 UTC by Rich Megginson
Modified: 2015-07-23 11:19 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
* Support for the TLS protocol version 1.1 and later has been added. (BZ#1160467)
Clone Of: 1160466
Clones: 1160468
Environment:
Last Closed: 2015-07-22 06:18:41 UTC


Attachments
add tls1.2 ciphers (3.25 KB, patch)
2015-06-10 17:03 UTC, Martin Poole
rmeggins: review+
V2 patch with more complete (and correct) cipher names (5.35 KB, patch)
2015-06-12 14:51 UTC, Martin Poole
rmeggins: review+


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1292 normal SHIPPED_LIVE openldap bug fix and enhancement update 2015-07-20 17:48:41 UTC
Red Hat Bugzilla 1231522 None None None 2019-05-13 09:53:57 UTC

Internal Links: 1231522

Description Rich Megginson 2014-11-04 21:42:12 UTC
+++ This bug was initially created as a clone of Bug #1160466 +++

Description of problem:
I don't believe tls_m.c supports TLS 1.1 and later. This requires some additional NSS APIs. You should be able to tell openldap to support TLS protocols > 1.0 with TLS_PROTOCOL_MIN.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Rich Megginson on 2014-11-04 16:41:22 EST ---

This needs to go into all versions of Fedora ASAP.  Should I clone this for all Fedora releases?
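A defender-side check of the TLS_PROTOCOL_MIN setting mentioned in the description, added here as an example; it is not code from the bug report, the patches, or OpenLDAP. It assumes the documented ldap.conf keyword syntax and the protocol numbering where 3.1 means TLS 1.0, 3.2 means TLS 1.1 and 3.3 means TLS 1.2, and the sample configs are constructed.

```python
"""Audit an OpenLDAP client config (ldap.conf format) for its TLS floor.

Added example, not code from the bug or from OpenLDAP. Assumes the documented
ldap.conf syntax: one keyword and value per line, '#' starts a comment, and
TLS_PROTOCOL_MIN is <major>.<minor> with 3.0 = SSLv3, 3.1 = TLS 1.0,
3.2 = TLS 1.1 and 3.3 = TLS 1.2.
"""
import re

# OpenLDAP TLS_PROTOCOL_MIN values and the protocol version each denotes.
PROTOCOL_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for ldap.conf-style text; keywords are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def protocol_floor(settings):
    """Return TLS_PROTOCOL_MIN as a (major, minor) tuple, or None when it is unset."""
    value = settings.get("TLS_PROTOCOL_MIN")
    if value is None:
        return None
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", value)
    if not m:
        raise ValueError("bad TLS_PROTOCOL_MIN value: %r" % value)
    return (int(m.group(1)), int(m.group(2) or 0))


def audit(text, required=(3, 2)):
    """Return (ok, message). ok is True when the configured floor is at least
    `required`; the default 3.2 (TLS 1.1) is the version this bug adds support for."""
    floor = protocol_floor(parse_ldap_conf(text))
    if floor is None:
        return False, "TLS_PROTOCOL_MIN not set; the library default applies"
    name = PROTOCOL_NAMES.get(floor, "%d.%d" % floor)
    if floor < required:
        return False, "TLS_PROTOCOL_MIN %d.%d still allows %s" % (floor + (name,))
    return True, "TLS_PROTOCOL_MIN %d.%d requires at least %s" % (floor + (name,))


# Constructed sample configs (not taken from the bug report).
WEAK_CONF = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_PROTOCOL_MIN 3.1  # TLS 1.0 floor\n"
HARDENED_CONF = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_PROTOCOL_MIN 3.3\n"
```

Running `audit(WEAK_CONF)` flags the TLS 1.0 floor, while `audit(HARDENED_CONF)` passes; an unset TLS_PROTOCOL_MIN is reported as a finding because the effective floor then depends on the library default.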

Comment 2 Sankar Ramalingam 2014-11-18 07:28:47 UTC
This is blocking 389-ds-base from being tested with the latest versions of TLS 1.1, TLS 1.2 and above. Hence, marking this as testBlocker.

Comment 17 Martin Poole 2015-06-10 17:03:38 UTC
Created attachment 1037365 [details]
add tls1.2 ciphers

Comment 18 Rich Megginson 2015-06-10 18:07:11 UTC
Comment on attachment 1037365 [details]
add tls1.2 ciphers

https://bugzilla.redhat.com/attachment.cgi?id=1037365&action=diff#openldap-2.4.40/libraries/libldap/tls_m.c.tls12_ciphers_sec4

What about adding an option for SHA384?

Comment 19 Martin Poole 2015-06-11 08:37:12 UTC
I put in the define for SSL_SHA384 since I noticed the recent discussion but I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.

Comment 20 Rich Megginson 2015-06-11 14:21:35 UTC
(In reply to Martin Poole from comment #19)
> I put in the define for SSL_SHA384 since I noticed the recent discussion but
> I see no definitions for SHA384 hashes on ciphers in the 3.19.1 sources.

ok. ack.

Comment 21 Martin Poole 2015-06-12 12:27:32 UTC
I appear to have got at least one name wrong, and am checking whether I managed the full suite of TLSv1.2 ciphers.  Should have new patch shortly.

Comment 22 Martin Poole 2015-06-12 14:51:28 UTC
Created attachment 1038095 [details]
V2 patch with more complete (and correct) cipher names

Comment 24 errata-xmlrpc 2015-07-22 06:18:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1292.html