1711172 – Removing TLSv1.0, TLSv1.1 from nss.conf

Bug 1711172 - Removing TLSv1.0, TLSv1.1 from nss.conf

Summary: Removing TLSv1.0, TLSv1.1 from nss.conf

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1710435
TreeView+	depends on / blocked

Reported:	2019-05-17 07:13 UTC by amitkuma
Modified:	2020-03-31 19:55 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ipa-4.6.6-1.el7
Doc Type:	Bug Fix
Doc Text:	.IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server's network security service (NSS) module. This update provides the following changes: * When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol. * On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols. As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server's NSS module.
Clone Of:
Environment:
Last Closed:	2020-03-31 19:55:19 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1083	0	None	None	None	2020-03-31 19:55:38 UTC

Description amitkuma 2019-05-17 07:13:19 UTC

Problem:

-> Insights reports the following "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)"
# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


Question?
Why we still have the weak protocols still enabled and then have Insights complain about this.


Action Item:
- Use latest NSS version available.

Comment 3 Florence Blanc-Renaud 2019-06-27 12:52:13 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7995

Comment 4 Florence Blanc-Renaud 2019-07-05 09:00:51 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/3d6a2a215ed61255f3275efb67d5e04c474a664b
https://pagure.io/freeipa/c/a5b6f72d4f2a8287c7f095874d71ef536822d20b

Note: the fix applies only to ipa-4-6 branch used for rhel 7.7+

Comment 6 Sergey Orlov 2019-10-08 11:26:38 UTC

Fix verified for build RHEL-7.8-20191004.0

# rpm -q ipa-server
ipa-server-4.6.6-8.el7.x86_6

# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.2

Comment 11 Rob Crittenden 2019-11-01 17:49:58 UTC

Upstream test
master:
https://pagure.io/freeipa/c/14be2715334e16a2d3f07a6b64bcd6d068ce89c1

Comment 12 Rob Crittenden 2019-11-05 16:32:08 UTC

ipa-4-8:
https://pagure.io/freeipa/c/686b85b14b14134c32c737c6df2de610153f4323

Comment 13 Sergey Orlov 2019-11-06 08:45:40 UTC

Test automated at https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/test_commands.py::TestIPACommand::test_enabled_tls_protocols

Comment 16 errata-xmlrpc 2020-03-31 19:55:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083

Note You need to log in before you can comment on or make changes to this bug.