Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1249092

Summary: Setting olcTLSProtocolMin does not change supported protocols
Product: Red Hat Enterprise Linux 6 Reporter: Martin Poole <mpoole>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED ERRATA QA Contact: Stefan Kremen <skremen>
Severity: medium Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high    
Version: 6.7CC: apetrova, arajendr, bressers, ebenes, mhonek, mlstarling31, mpoole, nkinder, pkis, pseeley, salmy, sardella
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openldap-2.4.40-13.el6 Doc Type: Bug Fix
Doc Text:
OpenLDAP now correctly sets NSS settings Previously, the OpenLDAP server used an incorrect handling of network security settings (NSS) code. As a consequence, settings were not applied, which caused certain NSS options, such as "olcTLSProtocolMin", not to work correctly. This update addresses the bug and as a result, the affected NSS options now work as expected.
 Story Points: ---
Clone Of:
: 1249093 1375432 (view as bug list) Environment:
Last Closed: 2017-03-21 10:18:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1247675, 1249093, 1253743, 1269194, 1310222, 1365846, 1375432    

Description Martin Poole 2015-07-31 13:24:16 UTC 
Description of problem:

Following release of "Bug 1160467 - support TLS 1.1 and later" it should be possible to select the minimum TLS protocol level.

Version-Release number of selected component (if applicable):

openldap-2.4.40-5.el6

How reproducible:

Always

Steps to Reproduce:
1. configure for SSL

dn: cn=config
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3


2. restart service
3. perform openssl s_client check.



Actual results:

openssl s_client -connect rhel6-64.example.com:636 -tls1
CONNECTED(00000003)
depth=2 O = example.com, CN = clica CA
verify return:1
depth=1 O = example.com, CN = clica Signing Cert
verify return:1
depth=0 CN = rhel6-64.example.com
verify return:1
---
Certificate chain
 0 s:/CN=rhel6-64.example.com
   i:/O=example.com/CN=clica Signing Cert
 1 s:/O=example.com/CN=clica Signing Cert
   i:/O=example.com/CN=clica CA
 2 s:/O=example.com/CN=clica CA
   i:/O=example.com/CN=clica CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJTCCAw2gAwIBAgIEKNMgUDANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtl
eGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTE0MDMw
MzE3NDE0MFoXDTM4MDEwMzE3NDE0MFowHzEdMBsGA1UEAxMUcmhlbDYtNjQuZXhh
bXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCw6bvXq9l7
mHbhQ6v4BrnECLSAIMXXZsHXhdpKnjLwNXMfa4YxWjX5h/B0KXrHpQ02HZNn3uZR
uf9LEX1dANbYR36R9CyffoGtRQYgJ5wAfJryDaxZadpbah48Uh5aTSu2S3Z3naoJ
SULfeYdlLNr6lgvbBQs1y5uxgENSavvFilO/NwMjzyhD3hlq5imwUzdNblrmnrwi
/MfSIN5m706VhW5XN8I887g63bynH4d26sOfnIvEOcZqGNnYw4pVgR/qzPHX3nw+
7I4GGzGUcwYYphOD2ZBoJOexv32vw7ffanpUTHo1pY6JmRufMvdPD2dIze8IdaCG
jExm6Ymu0oOpR6VmKFRr6A7j5M+Ec7psHLvxIEoHF66vyeyU9bzl8sYX17CMKmxb
FyUkCapghc4eKmb75X0oBDuWY08f1CUphRcM5mJmoYIM6oGVlWAye0fQLbBCK2ca
rl1DtS8l5e2dZDI7czU1G3f3RcxPhpPGGxUSuZbgYRvUA+a9sFMU2VG/ycnDywPr
dLIIjCv9JIJrkQzTXHyZwBA6VyZwlC8QF3b2tekPPZaZ6388iTJ8DqYqnIkLzIub
41pdpBjNvNxSwygtzIvnHX+VVOlVq/2HR1Ouoaa6yJZT9DHNYdUPrcIwQv4JxxP+
CqCXg77glAiuVqCjG7eknGCv/vJcPcNwswIDAQABo1UwUzAOBgNVHQ8BAf8EBAMC
BPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdEQQYMBaC
FHJoZWw2LTY0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4ICAQBWZXWG72r/
MwKqpr+WtSkO3Uu1HytZ0vvm3gaiJ+cC9T/89ztRz9uQf/WBJJBCUpj4/bXvgs8e
vydJo+s9NjSyVMvv88ReTEIBELpen1G0M6K2jhoTJiynVdn2XCB35hBJJ0le/WVY
oSamlGbNqsrxadjKVADsVsBLrdWx1LzVBGZXtGnvBITi9w0cLOE+FvvpKgb+YLpI
GxurtuQJj1KhAL6tYHiPd7v83QGVllLBaCmWD/reqCT+narQYMT4W1sgPEeajojl
as2p8KYQoSU5tvmP/sKgx6m4eGM6AVNdf9Vt6Mu6vUvWHwMqQB8hxfRmeX1xeRkC
RbdeXFspOxgURzUgUD6dv15JOSDIO8NU1lmZvIX2CEd8dzzCKxY65YSZd84dAnxO
QdaNmliNm16SbZ+I/z0WkGzEyUBs2rNuN1wFX9sVRXMwPHyZQERko5CkzsvuCXxf
/ej9rYqZAAujQdGw2t3pKTDn02DRrMng2JXD3ezhBP+srcol/mpfPhC5374tsWWd
0/zSie+dOCrya7jpFvJI0gRLdyTWMY6AkKp3nylRwi2cksIRaWgUkNOrTEK5+asK
tTcdkA8pn7cFb1qGOEUhTV8TmUudXemB8OfsYc7lcCpZFvYtWb5JJoefetneMqf8
gEO3OSRIUwjWnJCGehnSkPwd5IbRFWE44w==
-----END CERTIFICATE-----
subject=/CN=rhel6-64.example.com
issuer=/O=example.com/CN=clica Signing Cert
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4663 bytes and written 321 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0A159951963EC6420D80001F50BAE04FD38BFB868AF5EF3C070480DCED883EAB
    Session-ID-ctx:
    Master-Key: E9630471D6A8D5774339F886074C6ED83BDA403D320B0EEFD709492868D03C4FAC558CBB2298872044CA73AAB093F219
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438348837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---



Expected results:

Connection should fail.

Additional info:

Despite various attempts I'm not able to add any debugging which actually shows the passing of the protocol setting to the NSS codebase (tls_m.c)
Comment 20 errata-xmlrpc 2017-03-21 10:18:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0664.html