Bug 1375432 - Setting olcTLSProtocolMin does not change supported protocols
Summary: Setting olcTLSProtocolMin does not change supported protocols
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 25
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Matus Honek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1249092
Blocks:
Reported: 2016-09-13 06:15 UTC by Matus Honek
Modified: 2017-02-02 20:22 UTC (History)

Fixed In Version: openldap-2.4.44-4.fc25 openldap-2.4.44-7.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1249092
Environment:
Last Closed: 2017-02-02 20:22:05 UTC
Type: Bug
Embargoed:


Description Matus Honek 2016-09-13 06:15:53 UTC
+++ This bug was initially created as a clone of Bug #1249092 +++

Steps to Reproduce:
1. configure for SSL

dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

2. restart service
3. perform openssl s_client check.

Actual results:

openssl s_client -connect rhel6-64.example.com:636 -tls1
CONNECTED(00000003)
depth=2 O = example.com, CN = xyz CA
verify return:1
depth=1 O = example.com, CN = xyz Signing Cert
verify return:1
depth=0 CN = rhel6-64.example.com
verify return:1
---
Certificate chain
 0 s:/CN=rhel6-64.example.com
   i:/O=example.com/CN=xyz Signing Cert
 1 s:/O=example.com/CN=xyz Signing Cert
   i:/O=example.com/CN=xyz CA
 2 s:/O=example.com/CN=xyz CA
   i:/O=example.com/CN=xyz CA
---
Server certificate
-----BEGIN CERTIFICATE-----
** proper certificate contents **
-----END CERTIFICATE-----
subject=/CN=rhel6-64.example.com
issuer=/O=example.com/CN=xyz Signing Cert
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 4663 bytes and written 321 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: ** proper session id **
    Session-ID-ctx:
    Master-Key: ** proper master key **
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438348837
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---



Expected results:

Connection should fail.

Additional info:

Despite various attempts I'm not able to add any debugging which actually shows the passing of the protocol setting to the NSS codebase (tls_m.c)
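
The openssl s_client check above can be automated as a verification of olcTLSProtocolMin. The following Python script is an added example, not code from the bug report or the openldap package: it maps the "major.minor" notation (3.3 = TLS 1.2) to the protocol names s_client prints, flags a negotiated protocol below the configured floor, and can also probe a live server pinned to one TLS version; the host in probe_version is hypothetical and the transcript excerpt is constructed from the output above.

```python
import re
import socket
import ssl

# olcTLSProtocolMin takes record-layer "major.minor" numbers: 3.0 = SSLv3,
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2 (the value set in the report).
PROTOCOL_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1",
                  (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
NAME_TO_VERSION = {name: ver for ver, name in PROTOCOL_NAMES.items()}

def parse_protocol_min(value):
    """Parse an olcTLSProtocolMin value such as '3.3' into (major, minor)."""
    major, _, minor = value.strip().partition(".")
    return (int(major), int(minor or 0))

def negotiated_protocol(s_client_output):
    """Return the version from the 'Protocol  : TLSv1' session line, or None."""
    match = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.MULTILINE)
    return match.group(1) if match else None

def check_minimum(s_client_output, olc_tls_protocol_min):
    """Decide whether an s_client transcript respects the configured floor."""
    floor = parse_protocol_min(olc_tls_protocol_min)
    proto = negotiated_protocol(s_client_output)
    if proto is None:
        # No SSL-Session block: the handshake failed, as it should when the
        # client offers only a version below the floor.
        return {"negotiated": None, "enforced": True}
    return {"negotiated": proto, "enforced": NAME_TO_VERSION[proto] >= floor}

def probe_version(host, port, version, timeout=5.0):
    """Live check against a (hypothetical) host: attempt a handshake pinned to
    one ssl.TLSVersion and return the negotiated name, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # version policy is under test, not the chain
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None

# Constructed excerpt of the SSL-Session block from the report's transcript.
SAMPLE_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
"""
# check_minimum(SAMPLE_OUTPUT, "3.3") -> {'negotiated': 'TLSv1', 'enforced': False}
```

With the floor set to 3.3, the transcript from the report is reported as not enforced, which is exactly the failure the bug describes; a fixed server should instead yield no SSL-Session block for a client pinned to TLSv1.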

Comment 2 Matus Honek 2017-01-23 13:30:45 UTC
fix the previous commit in SPEC file:
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?id=45704219c4d423b1c4ef4f5ddc2f6004e48cd4f1

Comment 3 Fedora Update System 2017-02-01 14:51:51 UTC
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 4 Fedora Update System 2017-02-01 23:52:02 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 5 Fedora Update System 2017-02-02 20:22:05 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
