Description of problem:
389-ds-base added support for TLS1.1 starting in 389-ds-base-1.2.11.15-55.el6, but there is no way to select the minimum TLS version on the server side like in RHEL 7, which is TLS1.0 by default on RHEL 6. This is a customer request to add support for sslversionmin and sslversionmax in RHEL 6 389-ds-base; the goal is to disable TLS1.0.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-72.el6_7.x86_64

How reproducible:
always, default SSL/TLS configuration

Steps to Reproduce:
1. RHDS install with SSL/TLS config, and in dse.ldif:

dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: off
nsTLS1: on

2. trying to mimic a "legacy" LDAP client that cannot do TLS1.1 nor TLS1.2:

echo "exit" | openssl s_client -no_tls1_1 -no_tls1_2 -connect 10.14.5.15:636 | grep Protocol

Actual results:
the LDAP server accepts TLS 1.0:

depth=1 CN = CAcert
DONE
    Protocol  : TLSv1

Expected results:
need support for

dn: cn=encryption,cn=config
sslversionmin: TLS1.1
sslversionmax: TLS1.2

Additional info:
related bz
for rhel6 - 1118285 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS
for rhel7 - 1044191 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS
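The report above shows the two sides of the check: what the cn=encryption entry allows, and what an openssl s_client probe actually negotiated. The following is an added Python example, not code from the bug report or from the 389-ds project, that audits a cn=encryption entry for the protocol range it permits (flagging whether TLS1.0 is still accepted), reads the negotiated protocol back out of s_client output, and can pin a handshake to a single version against a live server. The NSS range SSL3..TLS1.2 is taken from the startup log in the verification comment on this page; the rule that sslversionmin/sslversionmax override the legacy nsSSL3/nsTLS1 switches is an assumption, and the LDIF fragments and s_client output embedded below are constructed from the report.

```python
"""Audit a 389-ds cn=encryption entry for the TLS versions it permits and
compare with what an openssl s_client probe negotiated (added example)."""
import socket
import ssl

# Protocol names in the sslVersionMin/sslVersionMax syntax, oldest first.
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]
# Range the NSS build supports (from the startup log on this page).
NSS_MIN, NSS_MAX = "SSL3", "TLS1.2"
# openssl s_client "Protocol :" names mapped onto the 389-ds names.
OPENSSL_NAMES = {"SSLv3": "SSL3", "TLSv1": "TLS1.0",
                 "TLSv1.1": "TLS1.1", "TLSv1.2": "TLS1.2"}

# Constructed sample data, modelled on the report.
DEFAULT_ENCRYPTION_LDIF = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL2: off
nsSSL3: off
nsTLS1: on
"""
HARDENED_ENCRYPTION_LDIF = DEFAULT_ENCRYPTION_LDIF + "sslversionmin: TLS1.1\nsslversionmax: TLS1.2\n"
S_CLIENT_OUTPUT = "depth=1 CN = CAcert\nDONE\n    Protocol  : TLSv1\n"


def parse_ldif_entry(ldif_text, target_dn):
    """Return the entry with the given dn as {attribute_lowercase: [values]}, or None."""
    entries, current, last = [], {}, None
    for line in ldif_text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:   # LDIF continuation line
            current[last][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == target_dn.lower():
            return entry
    return None


def normalize_version(value):
    """Canonicalise the spellings 389-ds accepts (TLS1.1, tls1.0, TLS1, SSL3)."""
    v = value.strip().upper()
    if v == "TLS1":
        v = "TLS1.0"
    if v not in ORDER:
        raise ValueError("unknown protocol version: %r" % value)
    return v


def permitted_versions(entry):
    """List the versions the entry permits, oldest first.

    Assumed rules: nsSSL3 on gives SSL3 upward, otherwise nsTLS1 on gives
    TLS1.0 upward, both to the NSS maximum; sslVersionMin/sslVersionMax, when
    present, override that range; the result is clamped to what NSS supports."""
    def flag(name):
        return entry.get(name, ["off"])[0].lower() == "on"

    if flag("nsssl3"):
        lo = "SSL3"
    elif flag("nstls1"):
        lo = "TLS1.0"
    else:
        return []                                 # no SSL/TLS enabled at all
    hi = NSS_MAX
    if "sslversionmin" in entry:
        lo = normalize_version(entry["sslversionmin"][0])
    if "sslversionmax" in entry:
        hi = normalize_version(entry["sslversionmax"][0])
    lo = max(lo, NSS_MIN, key=ORDER.index)
    hi = min(hi, NSS_MAX, key=ORDER.index)
    return ORDER[ORDER.index(lo):ORDER.index(hi) + 1]


def negotiated_from_s_client(output):
    """Extract the negotiated protocol from s_client output as a 389-ds name."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Protocol":
            return OPENSSL_NAMES.get(value.strip(), value.strip())
    return None


def probe(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one version; True if the server accepts it.
    Certificates are not verified because only negotiation is under test.
    A ValueError here means the local OpenSSL cannot speak that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    pinned = {"SSL3": ssl.TLSVersion.SSLv3, "TLS1.0": ssl.TLSVersion.TLSv1,
              "TLS1.1": ssl.TLSVersion.TLSv1_1, "TLS1.2": ssl.TLSVersion.TLSv1_2}[version]
    ctx.minimum_version = pinned
    ctx.maximum_version = pinned
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for label, ldif in (("default", DEFAULT_ENCRYPTION_LDIF), ("hardened", HARDENED_ENCRYPTION_LDIF)):
        allowed = permitted_versions(parse_ldif_entry(ldif, "cn=encryption,cn=config"))
        print("%-8s permits %s; TLS1.0 accepted: %s" % (label, allowed, "TLS1.0" in allowed))
    print("s_client negotiated:", negotiated_from_s_client(S_CLIENT_OUTPUT))
```

Run against a real dse.ldif by passing its contents to parse_ldif_entry; to confirm the server agrees with the file, probe(host, 636, "TLS1.0") should return False once sslversionmin is TLS1.1 or higher.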
Upstream ticket: https://fedorahosted.org/389/ticket/48816
[0 root@qeos-254 tests]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.9 Beta (Santiago)
[0 root@qeos-254 tests]# rpm -qa | grep 389
389-ds-base-libs-1.2.11.15-85.el6.x86_64
389-ds-base-1.2.11.15-85.el6.x86_64
[0 root@qeos-254 tests]# start-dirsrv
Starting instance "master_1"
[02/Dec/2016:05:04:16 -0500] - reading config file /etc/dirsrv/slapd-master_1/slapd-collations.conf
[02/Dec/2016:05:04:16 -0500] - line 45: collation "" "" "" 1 3 2.16.840.1.113730.3.3.2.0.1 default
[02/Dec/2016:05:04:16 -0500] - line 46: collation ar "" "" 1 3 2.16.840.1.113730.3.3.2.1.1 ar
[02/Dec/2016:05:04:16 -0500] - line 47: collation be "" "" 1 3 2.16.840.1.113730.3.3.2.2.1 be
[02/Dec/2016:05:04:16 -0500] - line 48: collation bg "" "" 1 3 2.16.840.1.113730.3.3.2.3.1 bg
[02/Dec/2016:05:04:16 -0500] - line 49: collation ca "" "" 1 3 2.16.840.1.113730.3.3.2.4.1 ca
[02/Dec/2016:05:04:16 -0500] - line 50: collation cs "" "" 1 3 2.16.840.1.113730.3.3.2.5.1 cs
[02/Dec/2016:05:04:16 -0500] - line 51: collation da "" "" 1 3 2.16.840.1.113730.3.3.2.6.1 da
[02/Dec/2016:05:04:16 -0500] - line 52: collation de "" "" 1 3 2.16.840.1.113730.3.3.2.7.1 de
[02/Dec/2016:05:04:16 -0500] - line 53: collation de AT "" 1 3 2.16.840.1.113730.3.3.2.8.1 de-AT
[02/Dec/2016:05:04:16 -0500] - line 54: collation de CH "" 1 3 2.16.840.1.113730.3.3.2.9.1 de-CH
[02/Dec/2016:05:04:16 -0500] - line 55: collation el "" "" 1 3 2.16.840.1.113730.3.3.2.10.1 el
[02/Dec/2016:05:04:16 -0500] - line 56: collation en "" "" 1 3 2.16.840.1.113730.3.3.2.11.1 en en-US
[02/Dec/2016:05:04:16 -0500] - line 57: collation en CA "" 1 3 2.16.840.1.113730.3.3.2.12.1 en-CA
[02/Dec/2016:05:04:16 -0500] - line 58: collation en GB "" 1 3 2.16.840.1.113730.3.3.2.13.1 en-GB
[02/Dec/2016:05:04:16 -0500] - line 59: collation en IE "" 1 3 2.16.840.1.113730.3.3.2.14.1 en-IE
[02/Dec/2016:05:04:16 -0500] - line 60: collation es "" "" 1 3 2.16.840.1.113730.3.3.2.15.1 es es-ES
[02/Dec/2016:05:04:16 -0500] - line 61: collation et "" "" 1 3 2.16.840.1.113730.3.3.2.16.1 et
[02/Dec/2016:05:04:16 -0500] - line 62: collation fi "" "" 1 3 2.16.840.1.113730.3.3.2.17.1 fi
[02/Dec/2016:05:04:16 -0500] - line 63: collation fr "" "" 1 3 2.16.840.1.113730.3.3.2.18.1 fr fr-FR
[02/Dec/2016:05:04:16 -0500] - line 64: collation fr BE "" 1 3 2.16.840.1.113730.3.3.2.19.1 fr-BE
[02/Dec/2016:05:04:16 -0500] - line 65: collation fr CA "" 1 3 2.16.840.1.113730.3.3.2.20.1 fr-CA
[02/Dec/2016:05:04:16 -0500] - line 66: collation fr CH "" 1 3 2.16.840.1.113730.3.3.2.21.1 fr-CH
[02/Dec/2016:05:04:16 -0500] - line 67: collation hr "" "" 1 3 2.16.840.1.113730.3.3.2.22.1 hr
[02/Dec/2016:05:04:16 -0500] - line 68: collation hu "" "" 1 3 2.16.840.1.113730.3.3.2.23.1 hu
[02/Dec/2016:05:04:16 -0500] - line 69: collation is "" "" 1 3 2.16.840.1.113730.3.3.2.24.1 is
[02/Dec/2016:05:04:16 -0500] - line 70: collation it "" "" 1 3 2.16.840.1.113730.3.3.2.25.1 it
[02/Dec/2016:05:04:16 -0500] - line 71: collation it CH "" 1 3 2.16.840.1.113730.3.3.2.26.1 it-CH
[02/Dec/2016:05:04:16 -0500] - line 72: collation iw "" "" 1 3 2.16.840.1.113730.3.3.2.27.1 iw
[02/Dec/2016:05:04:16 -0500] - line 73: collation ja "" "" 1 3 2.16.840.1.113730.3.3.2.28.1 ja
[02/Dec/2016:05:04:16 -0500] - line 74: collation ko "" "" 1 3 2.16.840.1.113730.3.3.2.29.1 ko
[02/Dec/2016:05:04:16 -0500] - line 75: collation lt "" "" 1 3 2.16.840.1.113730.3.3.2.30.1 lt
[02/Dec/2016:05:04:16 -0500] - line 76: collation lv "" "" 1 3 2.16.840.1.113730.3.3.2.31.1 lv
[02/Dec/2016:05:04:16 -0500] - line 77: collation mk "" "" 1 3 2.16.840.1.113730.3.3.2.32.1 mk
[02/Dec/2016:05:04:16 -0500] - line 78: collation nl "" "" 1 3 2.16.840.1.113730.3.3.2.33.1 nl
[02/Dec/2016:05:04:16 -0500] - line 79: collation nl BE "" 1 3 2.16.840.1.113730.3.3.2.34.1 nl-BE
[02/Dec/2016:05:04:16 -0500] - line 80: collation no "" "" 1 3 2.16.840.1.113730.3.3.2.35.1 no
[02/Dec/2016:05:04:16 -0500] - line 81: collation no NO B 1 3 2.16.840.1.113730.3.3.2.36.1 no-NO-B
[02/Dec/2016:05:04:16 -0500] - line 82: collation no NO NY 1 3 2.16.840.1.113730.3.3.2.37.1 no-NO-NY
[02/Dec/2016:05:04:16 -0500] - line 83: collation pl "" "" 1 3 2.16.840.1.113730.3.3.2.38.1 pl
[02/Dec/2016:05:04:16 -0500] - line 84: collation ro "" "" 1 3 2.16.840.1.113730.3.3.2.39.1 ro
[02/Dec/2016:05:04:16 -0500] - line 85: collation ru "" "" 1 3 2.16.840.1.113730.3.3.2.40.1 ru
[02/Dec/2016:05:04:16 -0500] - line 86: collation sh "" "" 1 3 2.16.840.1.113730.3.3.2.41.1 sh
[02/Dec/2016:05:04:16 -0500] - line 87: collation sk "" "" 1 3 2.16.840.1.113730.3.3.2.42.1 sk
[02/Dec/2016:05:04:16 -0500] - line 88: collation sl "" "" 1 3 2.16.840.1.113730.3.3.2.43.1 sl
[02/Dec/2016:05:04:16 -0500] - line 89: collation sq "" "" 1 3 2.16.840.1.113730.3.3.2.44.1 sq
[02/Dec/2016:05:04:16 -0500] - line 90: collation sr "" "" 1 3 2.16.840.1.113730.3.3.2.45.1 sr
[02/Dec/2016:05:04:16 -0500] - line 91: collation sv "" "" 1 3 2.16.840.1.113730.3.3.2.46.1 sv
[02/Dec/2016:05:04:16 -0500] - line 92: collation tr "" "" 1 3 2.16.840.1.113730.3.3.2.47.1 tr
[02/Dec/2016:05:04:16 -0500] - line 93: collation uk "" "" 1 3 2.16.840.1.113730.3.3.2.48.1 uk
[02/Dec/2016:05:04:16 -0500] - line 94: collation zh "" "" 1 3 2.16.840.1.113730.3.3.2.49.1 zh
[02/Dec/2016:05:04:16 -0500] - line 95: collation zh TW "" 1 3 2.16.840.1.113730.3.3.2.50.1 zh-TW
[02/Dec/2016:05:04:16 -0500] - line 97: collation "" "" "" 3 3 2.16.840.1.113730.3.3.2.0.3
[02/Dec/2016:05:04:16 -0500] - line 98: collation en "" "" 3 3 2.16.840.1.113730.3.3.2.11.3
[02/Dec/2016:05:04:16 -0500] SSL Initialization - supported range by NSS: min: SSL3, max: TLS1.2

And the configuration parameter is added:

By default
==========
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on

Hence Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html