Bug 1711172 - Removing TLSv1.0, TLSv1.1 from nss.conf
Summary: Removing TLSv1.0, TLSv1.1 from nss.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1710435
TreeView+ depends on / blocked
 
Reported: 2019-05-17 07:13 UTC by amitkuma
Modified: 2020-03-31 19:55 UTC (History)
9 users (show)

Fixed In Version: ipa-4.6.6-1.el7
Doc Type: Bug Fix
Doc Text:
.IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server's network security service (NSS) module. This update provides the following changes: * When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol. * On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols. As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server's NSS module.
Clone Of:
Environment:
Last Closed: 2020-03-31 19:55:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1083 None None None 2020-03-31 19:55:38 UTC

Description amitkuma 2019-05-17 07:13:19 UTC
Problem:

-> Insights reports the following "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)"
# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


Question?
Why we still have the weak protocols still enabled and then have Insights complain about this.


Action Item:
- Use latest NSS version available.

Comment 3 Florence Blanc-Renaud 2019-06-27 12:52:13 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7995

Comment 4 Florence Blanc-Renaud 2019-07-05 09:00:51 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/3d6a2a215ed61255f3275efb67d5e04c474a664b
https://pagure.io/freeipa/c/a5b6f72d4f2a8287c7f095874d71ef536822d20b

Note: the fix applies only to ipa-4-6 branch used for rhel 7.7+

Comment 6 Sergey Orlov 2019-10-08 11:26:38 UTC
Fix verified for build RHEL-7.8-20191004.0

# rpm -q ipa-server
ipa-server-4.6.6-8.el7.x86_6

# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.2

Comment 11 Rob Crittenden 2019-11-01 17:49:58 UTC
Upstream test
master:
https://pagure.io/freeipa/c/14be2715334e16a2d3f07a6b64bcd6d068ce89c1

Comment 16 errata-xmlrpc 2020-03-31 19:55:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083


Note You need to log in before you can comment on or make changes to this bug.