Description of problem:
Can't set TLS1.3 only:

dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"

In the errors log:

[28/May/2020:10:43:53.375684424 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[28/May/2020:10:43:53.378715126 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[28/May/2020:10:43:53.381513054 +0000] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.384343219 +0000] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.387125136 +0000] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.390094372 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.393120493 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.396543422 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.399488105 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.402654569 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.405813851 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.409130700 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.412322762 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.415569617 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.418730879 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.421964352 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.425160738 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.428036531 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.431078929 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[28/May/2020:10:43:53.434031070 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.437141528 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.440249594 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.443296792 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.446272845 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.449356442 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[28/May/2020:10:43:53.452447715 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[28/May/2020:10:43:53.455552021 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[28/May/2020:10:43:53.458537249 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[28/May/2020:10:43:53.461462988 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[28/May/2020:10:43:53.464465267 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[28/May/2020:10:43:53.480867138 +0000] - WARN - Security Initialization - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version; the default value "TLS1.2" is used.
[28/May/2020:10:43:53.484080805 +0000] - WARN - Security Initialization - SSL alert: The min value of NSS version range "TLS1.3" is greater than the max value "TLS1.2".
[28/May/2020:10:43:53.487373228 +0000] - WARN - Security Initialization - SSL alert: Reset the max "TLS1.2" to supported max "TLS1.2".
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. dsconf -D "cn=Directory Manager" -w password server-rhel8 security set --tls-protocol-min="TLS1.3" --tls-protocol-max="TLS1.3"
2. restart the server
3. check errors log

Actual results:
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

Expected results:
NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Additional info:
Works as expected on Fedora with 389-ds-base-1.4.3.8-1.fc32.x86_64
Upstream ticket: https://pagure.io/389-ds-base/issue/51129
adding Z-Stream + flag for customer 8.2.z candidate
Build tested: 389-ds-base-1.4.3.8-5.module+el8.3.0+7569+08175a8a.x86_64

I had to slightly adjust test case dirsrvtests/tests/suites/tls/ssl_version_test.py to test all possible combinations of sslVersionMin and sslVersionMax.

All of these are working:

[07/Aug/2020:11:05:08.255533410 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.0
[07/Aug/2020:11:05:08.261112792 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.0
[07/Aug/2020:11:05:14.282235857 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.1
[07/Aug/2020:11:05:14.288014591 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.1
[07/Aug/2020:11:05:20.322074752 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[07/Aug/2020:11:05:20.325178304 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2
[07/Aug/2020:11:05:26.365983428 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[07/Aug/2020:11:05:26.371714079 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3
[07/Aug/2020:11:05:32.548564845 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.1
[07/Aug/2020:11:05:32.554266775 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.1
[07/Aug/2020:11:05:38.666270124 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[07/Aug/2020:11:05:38.671822638 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.2
[07/Aug/2020:11:05:44.863302949 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.3
[07/Aug/2020:11:05:44.873378127 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.3
[07/Aug/2020:11:05:51.039567033 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:05:51.045440560 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:05:57.145060645 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[07/Aug/2020:11:05:57.148958882 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[07/Aug/2020:11:06:03.290095078 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[07/Aug/2020:11:06:03.295841796 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Marking as VERIFIED.
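
An added example (not part of this bug report or of 389-ds-base): a check over the errors log that pairs each "Configured SSL version range" line with the "NSS adjusted SSL version range" line after it and flags startups where the effective minimum is lower than the one requested. The function name audit_tls_ranges and the SAMPLE_LOG excerpt (lines copied from the logs in this report) are assumptions of the example.

```python
import re

# Line format taken from the slapd_ssl_init2 messages quoted in this report.
_RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (?P<kind>Configured|NSS adjusted) SSL version range: "
    r"min: (?P<min>TLS1\.[0-3]), max: (?P<max>TLS1\.[0-3])"
)
_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}

# Excerpt assembled for this example from the two log captures in the report.
SAMPLE_LOG = """\
[28/May/2020:10:43:53.490254562 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.2
[28/May/2020:10:43:53.493268543 +0000] - ERR - Security Initialization - SSL failure: Security Initialization - slapd_ssl_init2 - Failed to set SSL range: min: TLS1.3, max: TLS1.2 - error -12168 (SSL version range is not valid.)
[28/May/2020:10:43:53.496320862 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
[07/Aug/2020:11:06:03.290095078 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[07/Aug/2020:11:06:03.295841796 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3
"""


def audit_tls_ranges(log_text):
    """Return one finding per startup: configured range vs. range NSS applied."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = _RANGE_RE.search(line)
        if not m:
            continue  # cipher lines, WARN/ERR lines, unrelated messages
        rng = (m["min"], m["max"])
        if m["kind"] == "Configured":
            pending = rng  # wait for the matching "NSS adjusted" line
        elif pending is not None:
            findings.append({
                "configured": pending,
                "effective": rng,
                "mismatch": rng != pending,
                # True when the server accepts an older protocol than requested
                "min_lowered": _ORDER[rng[0]] < _ORDER[pending[0]],
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in audit_tls_ranges(SAMPLE_LOG):
        status = "DOWNGRADED" if f["min_lowered"] else "ok"
        print(status, "configured", f["configured"], "effective", f["effective"])
```
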
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:4695
*** Bug 1851819 has been marked as a duplicate of this bug. ***