Bug 1255403 - [RFE] - Error message have duplicate alerts when you try to set sslVersionMin = "ssl2"
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
: FutureFeature
Depends On:
Blocks:
Reported: 2015-08-20 09:39 EDT by Amita Sharma
Modified: 2015-12-18 15:44 EST

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-18 15:44:31 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Amita Sharma 2015-08-20 09:39:03 EDT
Description of problem:
Error message has duplicate alerts when you try to set sslVersionMin = "ssl2"

Version-Release number of selected component (if applicable):
[root@dhcp201-167 /]# rpm -qa | grep 389
389-ds-base-libs-1.3.4.0-13.el7.x86_64
389-ds-base-1.3.4.0-13.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
=====================
1. Set values:
nsTLS1: on
nsSSL2: off
nsSSL3: off
AND
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2

2. Now try to modify sslVersionMin to "ssl2"

Actual results:
=================
Error Logs ::
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Aug/2015:15:22:01 +051800] - 389-Directory/1.3.4.0 B2015.231.1727 starting up
[20/Aug

Expected results:
==================
The first alert in the error logs is misleading; it says -- SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.

While the setting the server actually applies is -- SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.

So the server should not log the first alert at all.
The second alert is accurate and enough.

Additional info:
Check https://bugzilla.redhat.com/show_bug.cgi?id=1044191#c9 for more details regarding original fix.
FOR QA - there is a test case trac605 in ssl.sh for this bug.
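
An added example, not part of the original report and not 389-ds-base code: when reviewing a log like the one above, the range that matters is the final "Configured SSL version range" line, and any earlier alert announcing a weaker default has been overridden. The `ORDER` list and the function names are assumptions of this example; the message wording is taken from the log lines in this report.

```python
import re

# Log lines copied from the "Actual results" section of this report.
SAMPLE_LOG = """\
[20/Aug/2015:15:22:01 +051800] - SSL alert: Security Initialization: The value of sslVersionMin "ssl2" is lower than the supported version; the default value "SSL3" is used.
[20/Aug/2015:15:22:01 +051800] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Aug/2015:15:22:01 +051800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
"""

# Protocol names, weakest first (assumed ordering table for this example).
ORDER = ["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]

FINAL_RE = re.compile(r"Configured SSL version range: min: ([\w.]+), max: ([\w.]+)")
DEFAULT_RE = re.compile(r'SSL alert: .*default value "([^"]+)" is used')


def rank(name):
    """Position in ORDER; unknown names rank as weakest (-1) to stay conservative."""
    name = name.upper()
    return ORDER.index(name) if name in ORDER else -1


def effective_range(log_text):
    """Return (min, max) from the last 'Configured SSL version range' line, or None."""
    found = None
    for line in log_text.splitlines():
        m = FINAL_RE.search(line)
        if m:
            found = (m.group(1), m.group(2))
    return found


def superseded_alerts(log_text):
    """Alert lines announcing a default weaker than the minimum actually configured."""
    rng = effective_range(log_text)
    if rng is None:
        return []
    floor = rank(rng[0])
    return [line for line in log_text.splitlines()
            if (m := DEFAULT_RE.search(line)) and rank(m.group(1)) < floor]


def floor_is_at_least(log_text, wanted):
    """True only if the configured minimum is at least `wanted` (e.g. "TLS1.0")."""
    rng = effective_range(log_text)
    return rng is not None and rank(rng[0]) >= rank(wanted)


if __name__ == "__main__":
    print("effective range:", effective_range(SAMPLE_LOG))
    print("superseded alerts:", len(superseded_alerts(SAMPLE_LOG)))
```
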
Comment 4 Noriko Hosoi 2015-09-23 20:51:51 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/48291
Comment 6 Noriko Hosoi 2015-12-18 15:44:31 EST
Please see this comment:
https://fedorahosted.org/389/ticket/48291#comment:1