+++ This bug was initially created as a clone of Bug #1249092 +++

Steps to Reproduce:
1. configure for SSL
   dn: cn=config
   replace: olcTLSProtocolMin
   olcTLSProtocolMin: 3.3
2. restart service
3. perform openssl s_client check.

Actual results:
openssl s_client -connect rhel6-64.example.com:636 -tls1
CONNECTED(00000003)
depth=2 O = example.com, CN = xyz CA
verify return:1
depth=1 O = example.com, CN = xyz Signing Cert
verify return:1
depth=0 CN = rhel6-64.example.com
verify return:1
---
Certificate chain
 0 s:/CN=rhel6-64.example.com
   i:/O=example.com/CN=xyz Signing Cert
 1 s:/O=example.com/CN=xyz Signing Cert
   i:/O=example.com/CN=xyz CA
 2 s:/O=example.com/CN=xyz CA
   i:/O=example.com/CN=xyz CA
---
Server certificate
-----BEGIN CERTIFICATE-----
** proper certificate contents **
-----END CERTIFICATE-----
subject=/CN=rhel6-64.example.com
issuer=/O=example.com/CN=xyz Signing Cert
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4663 bytes and written 321 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: ** proper session id **
    Session-ID-ctx:
    Master-Key: ** proper master key **
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438348837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Expected results:
Connection should fail.

Additional info:
Despite various attempts I'm not able to add any debugging which actually shows the passing of the protocol setting to the NSS codebase (tls_m.c)
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=9e30b985ea1b9aa5102dc0fb4ff9ad5d6f93d593
fix the previous commit in SPEC file: http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?id=45704219c4d423b1c4ef4f5ddc2f6004e48cd4f1
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
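
A regression check for the behaviour reported at the top of this bug, added here as an example (it is not part of the bug report or of the openldap package). The function names are hypothetical; the check assumes the usual OpenLDAP major.minor notation in which 3.1 is TLSv1.0 and 3.3 is TLSv1.2, and it reads an `openssl s_client` transcript on stdin.

```shell
# Added example (not from the bug report): s_client transcript vs olcTLSProtocolMin.

# s_client "Protocol" value -> OpenLDAP major.minor (3.3 = TLSv1.2).
proto_to_ldap_version() {
    case "$1" in
        SSLv3)   echo 3.0 ;;
        TLSv1)   echo 3.1 ;;
        TLSv1.1) echo 3.2 ;;
        TLSv1.2) echo 3.3 ;;
        *)       return 1 ;;
    esac
}

# "major.minor" or bare "major" -> one comparable integer.
version_rank() {
    major=${1%%.*}
    case "$1" in *.*) minor=${1#*.} ;; *) minor=0 ;; esac
    echo $(( major * 256 + minor ))
}

# stdin: transcript, $1: olcTLSProtocolMin.
# Returns 0 = minimum enforced, 1 = session below minimum, 2 = cannot tell.
check_protocol_min() {
    min=$1
    transcript=$(cat)
    # A rejected handshake still prints an SSL-Session block with a Protocol
    # line, so check for "Cipher is (NONE)" before trusting that line.
    if printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo "enforced: handshake failed"; return 0
    fi
    proto=$(printf '%s\n' "$transcript" |
        sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    got=$(proto_to_ldap_version "$proto") ||
        { echo "unknown: no usable Protocol line"; return 2; }
    if [ "$(version_rank "$got")" -lt "$(version_rank "$min")" ]; then
        echo "VIOLATION: negotiated $proto ($got), olcTLSProtocolMin is $min"
        return 1
    fi
    echo "enforced: negotiated $proto ($got)"
}

# Excerpt of the transcript in the report; a live check would pipe
# `openssl s_client -connect <host>:636 -tls1 </dev/null 2>&1` instead.
REPORTED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'
printf '%s\n' "$REPORTED" | check_protocol_min 3.3 || true
```

Run against the reported transcript with a minimum of 3.3 it flags the TLSv1 session; after installing the update, the same probe should end in a failed handshake and the check should report the minimum as enforced.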