RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1905390 - Attempting to set sslVersionMin to 1.0 is silently ignored
Summary: Attempting to set sslVersionMin to 1.0 is silently ignored
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: LDAP Maintainers
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-08 08:59 UTC by Sudhir Menon
Modified: 2022-01-19 16:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-19 16:46:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-61287 0 None None None 2021-11-05 11:52:15 UTC

Description Sudhir Menon 2020-12-08 08:59:17 UTC 
Description of problem:ipa-healthcheck EncryptionCheck displays result as SUCCESS when sslVersionMin is set 1.0.


Version-Release number of selected component (if applicable):
ipa-server-4.9.0-0.3.rc2.module+el8.4.0+9015+e4c6695a.x86_64
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set the sslVersionMin in dse.ldif to 1.0 from 1.2 using the below command
#dsconf slapd-RHEL83-TEST security set --tls-protocol-min=TLS1.0

dn: cn=encryption,cn=config
CACertExtractFile: /tmp/slapd-RHEL83-TEST/RHEL83.TEST20IPA20CA.pem
allowWeakCipher: off
cn: encryption
modifiersName: cn=Directory Manager
modifyTimestamp: 20201208084506Z
nsSSL3Ciphers: default
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.0
numSubordinates: 1

2. Run ipa-healthcheck command
#ipa-healthcheck --source ipahealthcheck.ds.encryption --all

Actual results:
healthcheck run displays results as SUCCESS

[root@master ~]# ipa-healthcheck --source ipahealthcheck.ds.encryption --all
[
  {
    "source": "ipahealthcheck.ds.encryption",
    "check": "EncryptionCheck",
    "result": "SUCCESS",
    "uuid": "8c4e33bd-184e-43e6-ab23-1d3b7f02335b",
    "when": "20201208085904Z",
    "duration": "0.017437",
    "kw": {}
  }
]

Expected results:
healthcheck tool should return the status as ERROR i.e DSELE0001

"This Directory Server may not be using strong TLS protocol "
"versions. TLS1.0 is known to\nhave a number of issues with "
"the protocol. "
"Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\n"
"It is advised you set this value to the maximum possible."

Additional info:
Comment 1 Rob Crittenden 2020-12-08 13:12:38 UTC 
Mark, does this look familiar?

Sudhir, what version of python3-lib389 is installed?
Comment 2 Sudhir Menon 2020-12-08 13:24:00 UTC 
Rob,
The system has python3-lib389-1.4.3.16-3.module+el8.4.0+8869+55706461.noarch installed on it.
Comment 3 mreynolds 2021-03-03 21:47:47 UTC 
I know when I run DS healthcheck it does report a warning if sslVersionMin is set to TLS1.0.  But the server can adjust this min version if the crypto policy does not support it.  Doing an ldapsearch can verify what the server is actually using:

    ldapsearch -D "cn=directory manager" -W -b cn=encryption,cn=config objectclass=top sslVersionMin
Comment 4 Rob Crittenden 2021-11-05 14:21:39 UTC 
It appears that 389-ds is silently ignoring updating this value. Even doing an ldapmodify to set sslVersionMin to TLS1.0 returns no error but it retains the value of TLS1.2 with, as far as I can tell, no mention in the error log.

So healthcheck is correctly reporting the current status as SUCCESS because the value is indeed TLS1.2. It's the attempts to change the value which are failing. Not a bad thing but some sort of push back would be useful IMHO.

Changing title of BZ as well to reflect the current state.
Comment 5 mreynolds 2021-11-05 14:26:22 UTC 
(In reply to Rob Crittenden from comment #4)
> It appears that 389-ds is silently ignoring updating this value. Even doing
> an ldapmodify to set sslVersionMin to TLS1.0 returns no error but it retains
> the value of TLS1.2 with, as far as I can tell, no mention in the error log.

Well you need to restart the server for it to take effect, but at restart NSS might adjust it again (that is logged in the errors log at startup).

Not sure there is a bug here, I'll check it later today...
Comment 6 mreynolds 2022-01-19 16:46:16 UTC 
The value is accepted but after DS restart NSS adjusts it based off of the system crypto policy.  This can be seen in the errors log:

[19/Jan/2022:11:43:41.939342900 -0500] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[19/Jan/2022:11:43:41.939342900 -0500] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3

Closing as it works as expected
Note You need to log in before you can comment on or make changes to this bug.