[389-devel] please review: [389 Project] #47928: Disable SSL v3, by default.

Thu, 13 Nov 2014 12:28:46 -0800 

https://fedorahosted.org/389/ticket/47928

https://fedorahosted.org/389/attachment/ticket/47928/0001-Ticket-47928-Disable-SSL-v3-by-default.3.patch
git patch file (master) -- Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0. 

On 11/13/2014 12:22 PM, 389 Project wrote:

Comment (by nhosoi):

  Description:
  Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
  In dn: cn=encryption,cn=config,
  0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
     ==>
     SSL Initialization - Configured SSL version range: min: TLS1.0, max:
  TLS1.2

  1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
     sslVersionMin: TLS1.0
     sslVersionMax: TLS1.3
     nsSSL3: off
     nsTLS1: on
     ==>
     SSL Initialization - Configured SSL version range: min: TLS1.0, max:
  TLS1.2
  2) Setting new SSL version attrs; supported max is TLS1.2
     sslVersionMin: TLS1.0
     sslVersionMax: TLS1.3
     ==>
     SSL Initialization - Configured SSL version range: min: TLS1.0, max:
  TLS1.2

  3) Setting old/new SSL version attrs; conflict (new min is stricter);
  supported max is TLS1.2
     nsSSL3: on
     sslVersionMin: TLS1.0
     ==>
     SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
  recommend to dis
     able nsSSL3 in cn=encryption,cn=config.
     SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3
  and nsTLS1
      are on. Respect the supported range.
     SSL Initialization - Configured SSL version range: min: TLS1.0, max:
  TLS1.2

  4) Setting old/new SSL version attrs; conflict (old min is stricter);
  supported max is TLS1.2
     nsSSL3: off
     sslVersionMin: SSL3
     sslVersionMax: SSL3
     ==>
     SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0";
  Configuring
      the version range as default min: TLS1.0, max: TLS1.2.
     SSL Initialization - Configured SSL version range: min: TLS1.0, max:
  TLS1.2

  5) Setting old/new SSL version attrs; no conflict; setting SSL3
     nsSSL3: on
     nsTLS1: off
     sslVersionMin: SSL3
     sslVersionMax: SSL3
     ==>
     SSL alert: Found unsecure configuration: nsSSL3: on; We strongly
  recommend to disable
     nsSSL3 in cn=encryption,cn=config.
     SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly
  recommend
     to set sslVersionMin higher than TLS1.0.
     SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3



--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel

Reply via email to