+++ This bug was initially created as a clone of Bug #1160467 +++
+++ This bug was initially created as a clone of Bug #1160466 +++
Description of problem:
I don't believe tls_m.c supports TLS 1.1 and later. This requires some additional NSS APIs. You should be able to tell openldap to support TLS protocols > 1.0 with TLS_PROTOCOL_MIN
Version-Release number of selected component (if applicable):
Steps to Reproduce:
--- Additional comment from Rich Megginson on 2014-11-04 16:41:22 EST ---
This needs to go into all versions of Fedora ASAP. Should I clone this for all Fedora releases?
Created attachment 956859 [details]
patch that was submitted to openldap
Patch has been submitted to openldap (ITS#7979)
This is blocking 389-ds-base to be tested with latest versions of TLS1.1, TLS1.2 and above. Hence, marking this as testBlocker
This change has already been implemented in Fedora 21 and resulted in another (unrelated) bug: see bugzilla 1172638 for my bug report against Fedora 21.
It seems when the openldap server has olcTLSVerifyClient set to 'allow' this patch breaks TLS 1.1+ connections to that server.
I've also filed OpenLDAP ITS 8002 in the upstream bug tracker for this.
Hopefully this issue can be fixed before RHEL 7.1 (or 6.7) is released.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.