Bug 1867988 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version [rhel-8.2.0.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1841086
Blocks:
Reported: 2020-08-11 10:38 UTC by RHEL Program Management Team
Modified: 2020-09-08 09:50 UTC (History)

Fixed In Version: 389-ds-base-1.4.2.4-9.module+el8.2.0+7732+be29fed1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1841086
Environment:
Last Closed: 2020-09-08 09:50:49 UTC
Type: ---
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:3667 | 0 | None | None | None | 2020-09-08 09:50:55 UTC

Comment 4 Viktor Ashirov 2020-08-25 16:52:27 UTC
Build tested: 389-ds-base-1.4.2.4-10.module+el8.2.0+7749+4a513fb2.x86_64

I had to slightly adjust test case dirsrvtests/tests/suites/tls/ssl_version_test.py to test all possible combinations of sslVersionMin and sslVersionMax and set crypto policy to LEGACY.
 
diff --git a/dirsrvtests/tests/suites/tls/ssl_version_test.py b/dirsrvtests/tests/suites/tls/ssl_version_test.py
index 67da349eb..de18b9ea3 100644
--- a/dirsrvtests/tests/suites/tls/ssl_version_test.py
+++ b/dirsrvtests/tests/suites/tls/ssl_version_test.py
@@ -52,14 +52,20 @@ def test_ssl_version_range(topo):
     assert max == default_min
 
     # Sanity test all the min/max versions
-    for attr, versions in [('sslVersionMin', ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0']),
-                           ('sslVersionMax', ['TLS1.0', 'TLS1.1', 'TLS1.2'])]:
-        for version in versions:
-            # Test that the setting is correctly applied after a restart
-            enc.replace(attr, version)
-            topo.standalone.restart()
-            current_val = enc.get_attr_val_utf8(attr)
-            assert current_val == version
+    TLS = ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.3']
+
+    for sslVersionMin in TLS:
+        for sslVersionMax in TLS:
+            if sslVersionMin <= sslVersionMax:
+                # Test that the setting is correctly applied after a restart
+                enc.replace('sslVersionMin', sslVersionMin)
+                enc.replace('sslVersionMax', sslVersionMax)
+                topo.standalone.restart()
+                sslVersionMin_current_val = enc.get_attr_val_utf8('sslVersionMin')
+                sslVersionMax_current_val = enc.get_attr_val_utf8('sslVersionMax')
+                assert sslVersionMin_current_val == sslVersionMin
+                assert sslVersionMax_current_val == sslVersionMax
+
 
 
 if __name__ == '__main__':
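
Review bot: the guard `if sslVersionMin <= sslVersionMax:` compares the version names as strings, which orders 'TLS1.0' through 'TLS1.3' correctly only because the names differ in a single trailing digit; take the pairs from positions in the TLS list instead (for example itertools.combinations_with_replacement(TLS, 2)) so the ordering does not depend on spelling. The two asserts only confirm that the attribute values read back after the restart, so a run in which the server stored the value but NSS lowered the range would still pass; checking the error log for the "NSS adjusted SSL version range" line would close that gap. The loop also leaves both attributes at TLS1.3 with nothing restoring the defaults, and the LEGACY crypto policy the run depends on is neither set nor mentioned in the test.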


All of these are working:

[25/Aug/2020:12:43:38.394465641 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.0
[25/Aug/2020:12:43:38.399957976 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.0

[25/Aug/2020:12:43:43.481093794 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.1
[25/Aug/2020:12:43:43.485010095 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.1

[25/Aug/2020:12:43:48.688490311 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[25/Aug/2020:12:43:48.731776701 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.2

[25/Aug/2020:12:43:54.095705858 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[25/Aug/2020:12:43:54.099706177 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.0, max: TLS1.3

[25/Aug/2020:12:43:59.473381069 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.1
[25/Aug/2020:12:43:59.477937350 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.1

[25/Aug/2020:12:44:04.585815767 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[25/Aug/2020:12:44:04.590611984 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.2

[25/Aug/2020:12:44:09.667366650 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.3
[25/Aug/2020:12:44:09.674087184 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.1, max: TLS1.3

[25/Aug/2020:12:44:14.762782257 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[25/Aug/2020:12:44:14.766637755 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2

[25/Aug/2020:12:44:19.892565716 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[25/Aug/2020:12:44:19.898077664 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3

[25/Aug/2020:12:44:24.996565517 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.3, max: TLS1.3
[25/Aug/2020:12:44:25.010539031 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.3, max: TLS1.3

Marking as VERIFIED.
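
The comparison made by eye in the log above can also be scripted. The following is an added example, not part of the bug report or of the 389-ds-base test suite: it pairs each "Configured" range with the "NSS adjusted" range that follows it and flags any start-up where the two differ. The function names and the second sample pair are constructed for illustration.

```python
import re

# Matches the two slapd_ssl_init2 messages shown in the verification log above.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
    r"min: (TLS\d\.\d), max: (TLS\d\.\d)"
)

def version_key(name):
    """Turn 'TLS1.3' into (1, 3) so versions compare numerically, not as strings."""
    major, minor = name[3:].split(".")
    return int(major), int(minor)

def check_ranges(lines):
    """Pair each 'Configured' range with the next 'NSS adjusted' range.

    Returns (configured, adjusted, ok) tuples; ok is False when NSS changed
    the requested range, the range is inverted, or no adjusted line followed.
    """
    results, pending = [], None
    for line in lines:
        m = RANGE_RE.search(line)
        if not m:
            continue
        kind, lo, hi = m.groups()
        if kind == "Configured":
            if pending is not None:  # earlier start-up never logged an adjusted range
                results.append((pending, None, False))
            pending = (lo, hi)
        elif pending is not None:
            ok = (lo, hi) == pending and version_key(lo) <= version_key(hi)
            results.append((pending, (lo, hi), ok))
            pending = None
    if pending is not None:
        results.append((pending, None, False))
    return results

# Constructed sample: the first pair is copied from the log above; the second
# is a made-up start-up in which NSS lowered the maximum.
SAMPLE = """\
[25/Aug/2020:12:44:19.892565716 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[25/Aug/2020:12:44:19.898077664 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[01/Jan/2020:00:00:00.000000000 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[01/Jan/2020:00:00:01.000000000 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
""".splitlines()

if __name__ == "__main__":
    for configured, adjusted, ok in check_ranges(SAMPLE):
        print("OK  " if ok else "FAIL", "configured", configured, "adjusted", adjusted)
```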

Comment 7 errata-xmlrpc 2020-09-08 09:50:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3667

