1437989 – OpenLDAP should make use of NSS' default for TLS_PROTOCOL_MIN

Bug 1437989 - OpenLDAP should make use of NSS' default for TLS_PROTOCOL_MIN

Summary: OpenLDAP should make use of NSS' default for TLS_PROTOCOL_MIN

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openldap
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Matus Honek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-03-31 15:02 UTC by Matus Honek
Modified:	2018-01-05 14:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2018-01-05 14:00:24 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Matus Honek 2017-03-31 15:02:43 UTC

Description of problem:
Currently, OpenLDAP hardcodes minimal TLS protocol versions enabled by default. Instead, due to security evolving, it should use what cryptographic library considers secure, by default.

Version-Release number of selected component (if applicable):
openldap-2.4.44-9.fc25

How reproducible:
always

Actual results:
OpenLDAP has hardcoded defaults (enables SSLv3 and higher).

Expected results:
OpenLDAP uses results of SSL_VersionRangeGetDefault() to set TLS_PROTOCOL_MIN when this is not configured explicitly.

Comment 1 Matus Honek 2018-01-05 14:00:24 UTC

This bug affects us no longer as we switched to OpenSSL in Fedora rawhide (bug 1400570). Closing as WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.