Bug 1312491 - NSSProtocol is ignored when NSSFIPS is enabled.
Summary: NSSProtocol is ignored when NSSFIPS is enabled.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Matthew Harmsen
QA Contact: Kaleem
URL:
Whiteboard:
Depends On: 1312052
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-26 21:37 UTC by Matthew Harmsen
Modified: 2016-11-03 21:20 UTC (History)
6 users (show)

Fixed In Version: mod_nss-1.0.14-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1312052
Environment:
Last Closed: 2016-11-03 21:20:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2602 normal SHIPPED_LIVE Low: mod_nss security, bug fix, and enhancement update 2016-11-03 12:12:49 UTC

Comment 2 Scott Poore 2016-09-21 01:33:05 UTC
Verified.

Version ::

mod_nss-1.0.14-5.el7.x86_64


Results ::

[root@vm3 conf.d]# grep -e FIPS -e TLSv /etc/httpd/conf.d/nss.conf
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
#NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.2
NSSFIPS on

[root@vm3 conf.d]# systemctl restart httpd

[root@vm3 conf.d]# curl --tlsv1.0  https://vm3.example.com:8443/ 
curl: (35) Peer reports incompatible or unsupported protocol version.

[root@vm3 conf.d]# curl --tlsv1.1  https://vm3.example.com:8443/ 
curl: (35) Peer reports incompatible or unsupported protocol version.

[root@vm3 conf.d]# curl --tlsv1.2  https://vm3.example.com:8443/ 
PASS

Comment 4 errata-xmlrpc 2016-11-03 21:20:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2602.html


Note You need to log in before you can comment on or make changes to this bug.