Bug 1841086 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Duplicates: 1851819
Depends On:
Blocks: 1867988
 
Reported: 2020-05-28 10:45 UTC by Viktor Ashirov
Modified: 2021-11-09 02:08 UTC

Fixed In Version: 389-ds-1.4-8030020200805152009.618f7055
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1867988
Environment:
Last Closed: 2020-11-04 03:07:52 UTC
Type: Bug
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 4182 0 None closed SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version 2021-01-26 13:57:06 UTC
Red Hat Product Errata RHEA-2020:4695 0 None None None 2020-11-04 03:08:12 UTC

Description Viktor Ashirov 2020-05-28 10:45:56 UTC
Description of problem:
Can't set TLS1.3 only:
dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:
[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL info: 	TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL info: 	TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL info: 	TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)

[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64


How reproducible:
always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2


Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64

Comment 1 mreynolds 2020-07-21 13:27:23 UTC
Upstream ticket:

https://pagure.io/389-ds-base/issue/51129

Comment 2 Marc Sauton 2020-07-23 15:46:43 UTC
adding Z-Stream + flag for customer 8.2.z candidate

Comment 6 Viktor Ashirov 2020-08-07 11:08:25 UTC
Build tested: 389-ds-base-1.4.3.8-5.module+el8.3.0+7569+08175a8a.x86_64

I had to slightly adjust test case dirsrvtests/tests/suites/tls/ssl_version_test.py to test all possible combinations of sslVersionMin and sslVersionMax.
All of these are working:

[07/Aug/2020:11:05:08.255533410 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.0
[07/Aug/2020:11:05:08.261112792 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.0

[07/Aug/2020:11:05:14.282235857 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.1
[07/Aug/2020:11:05:14.288014591 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.1

[07/Aug/2020:11:05:20.322074752 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[07/Aug/2020:11:05:20.325178304 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2

[07/Aug/2020:11:05:26.365983428 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[07/Aug/2020:11:05:26.371714079 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3

[07/Aug/2020:11:05:32.548564845 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.1
[07/Aug/2020:11:05:32.554266775 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.1

[07/Aug/2020:11:05:38.666270124 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[07/Aug/2020:11:05:38.671822638 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.2

[07/Aug/2020:11:05:44.863302949 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.3
[07/Aug/2020:11:05:44.873378127 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.3

[07/Aug/2020:11:05:51.039567033 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:05:51.045440560 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

[07/Aug/2020:11:05:57.145060645 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[07/Aug/2020:11:05:57.148958882 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3

[07/Aug/2020:11:06:03.290095078 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[07/Aug/2020:11:06:03.295841796 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3


Marking as VERIFIED.
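
A check for the symptom in this report, added here as an example (it is not part of the bug comments or of the 389-ds-base code): it pairs each "Configured SSL version range" line with the "NSS adjusted SSL version range" line that follows it and flags startups where the effective minimum is lower than the configured one. The function name, the flag names and the sample list are assumptions of this example; the sample lines are taken from the logs above with the timestamp prefix trimmed.

```python
import re

# The two slapd_ssl_init2 lines that appear in the errors logs quoted in this report.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
    r"min: ([\w.]+), max: ([\w.]+)"
)
# Versions seen in this report, weakest first; unknown names rank lowest.
RANK = {v: i for i, v in enumerate(["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"])}


def audit_tls_ranges(lines):
    """Pair each 'Configured' range with the 'NSS adjusted' range after it.

    Returns one dict per startup with the configured and effective (min, max)
    and two flags: 'mismatch' (NSS applied a different range) and 'weakened'
    (the effective minimum is lower than the configured minimum).
    """
    findings, configured = [], None
    for line in lines:
        m = RANGE_RE.search(line)
        if not m:
            continue  # cipher lines, warnings and the ERR line are skipped
        rng = (m.group(2), m.group(3))
        if m.group(1) == "Configured":
            configured = rng
        elif configured is not None:
            findings.append({
                "configured": configured,
                "effective": rng,
                "mismatch": configured != rng,
                "weakened": RANK.get(rng[0], -1) < RANK.get(configured[0], -1),
            })
            configured = None
    return findings


# Sample input: lines from this report's logs, timestamp prefix trimmed.
SAMPLE = [
    "INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2",
    "ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)",
    "INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2",
    "INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3",
    "INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3",
]

if __name__ == "__main__":
    for finding in audit_tls_ranges(SAMPLE):
        print(finding)
```
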

Comment 10 errata-xmlrpc 2020-11-04 03:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695

Comment 11 Simon Pichugin 2021-11-09 02:08:03 UTC
*** Bug 1851819 has been marked as a duplicate of this bug. ***

