Bug 1711172 - Removing TLSv1.0, TLSv1.1 from nss.conf
Summary: Removing TLSv1.0, TLSv1.1 from nss.conf
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Marc Muehlfeld
Depends On:
Blocks: 1710435
TreeView+ depends on / blocked
Reported: 2019-05-17 07:13 UTC by amitkuma
Modified: 2020-03-31 19:55 UTC (History)
9 users (show)

Fixed In Version: ipa-4.6.6-1.el7
Doc Type: Bug Fix
Doc Text:
.IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server's network security service (NSS) module. This update provides the following changes: * When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol. * On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols. As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server's NSS module.
Clone Of:
Last Closed: 2020-03-31 19:55:19 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1083 0 None None None 2020-03-31 19:55:38 UTC

Description amitkuma 2019-05-17 07:13:19 UTC

-> Insights reports the following "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)"
# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Why we still have the weak protocols still enabled and then have Insights complain about this.

Action Item:
- Use latest NSS version available.

Comment 3 Florence Blanc-Renaud 2019-06-27 12:52:13 UTC
Upstream ticket:

Comment 4 Florence Blanc-Renaud 2019-07-05 09:00:51 UTC
Fixed upstream

Note: the fix applies only to ipa-4-6 branch used for rhel 7.7+

Comment 6 Sergey Orlov 2019-10-08 11:26:38 UTC
Fix verified for build RHEL-7.8-20191004.0

# rpm -q ipa-server

# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.2

Comment 11 Rob Crittenden 2019-11-01 17:49:58 UTC
Upstream test

Comment 16 errata-xmlrpc 2020-03-31 19:55:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.