Jan Cholasta wrote:
> On 21.11.2014 at 16:09 Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 20.11.2014 at 23:26 Rob Crittenden wrote:
>>>> Use new capability in python-nss-0.16 to use the NSS protocol range
>>>> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>>
>>>> I made this configurable via tls_protocol_range in case somebody wants
>>>> to override it.
>>>>
>>>> There isn't a whole ton of error handling on bad input but there is
>>>> enough, I think, to point the user in the right direction.
>>>>
>>>> Added a couple more lines of debug output to include the negotiated
>>>> protocol and cipher.
>>>>
>>>> rob
>>>
>>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>>
>> Attached.
>>
>>> 2) Could you split the option into two options, say "tls_version_min"
>>> and "tls_version_max"? IMO it would be easier to manage the version
>>> range that way, when for example you have to lower just the minimal
>>> version on a client to make it able to connect to an SSL3-only server.
>>
>> Sure. I waffled back and forth before deciding on a single value.
>> Separate values are probably less error-prone.
>>
>>> 3) Would it make sense to print a warning when the configured minimal
>>> TLS version is not safe and the connection uses a safe TLS version? This
>>> is for the case when you have to lower the minimal version on the client
>>> because of an old server, then the server gets updated, then you
>>> probably no longer want to have an unsafe minimal version configured on
>>> the client.
>>
>> I see what you're saying but I think it could end up being just spam
>> that users get used to. That and given that I'd probably want to set it
>> up to require tls1.1 as a minimum but we can't do that because dogtag
>> only supports through tls1.0 right now AFAICT. That'd be a lot of
>> warnings.
>
> You are probably right about the spam. Never mind then.
>
>>
>>> Functionally the patch is OK.
>>
>> rob
>>
>
> Thanks for the patch, ACK.
>
> Fixed option names in commit message and pushed to:
> master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
> ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777
>
> BTW before we can close the ticket, we are going to need a couple more
> fixes:
>
> 1) Bump required versions of 389-ds-base, pki-core and openldap, once
> the necessary fixes are available.

Right, to be sure that POODLE is fully addressed.

> 2) Configure mod_nss to also support TLS 1.2. It should be done on both
> server install and upgrade. This requires a new version of mod_nss.

mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.

mod_nss is also very tolerant of bad/unknown protocols. It won't blow up
on unknown protocols. So if the given mod_nss doesn't support TLSv1.2 it
will simply report an error about an unknown protocol and configure the
server for 1.0/1.1 if configured as:

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

rob

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
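An added example, not the patch under review or FreeIPA's own code: it shows how the two options Jan asked for (tls_version_min and tls_version_max) can be validated as a range with errors that point at the bad value, how such a range renders as the NSSProtocol line Rob quotes, and how an older mod_nss that only knows some of the listed tokens would behave under the tolerant handling he describes. It deliberately does not import python-nss so it runs anywhere; the option value spellings ("ssl3", "tls1.0", ...) and the SSLv3 token are assumptions, while TLSv1.0, TLSv1.1 and TLSv1.2 are the tokens from the thread.

```python
"""Validation of tls_version_min / tls_version_max and a model of mod_nss's
tolerant NSSProtocol handling. Example code written for this thread, not the
patch itself; spellings of option values are assumptions."""

# Protocol names ordered oldest to newest. The lowercase option spellings are
# assumed; they are not taken from the patch.
VERSION_ORDER = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

# Option spelling -> mod_nss NSSProtocol token. The three TLSv1.x tokens come
# from the NSSProtocol line in the thread; "SSLv3" is assumed.
NSS_PROTOCOL_TOKEN = {
    "ssl3": "SSLv3",
    "tls1.0": "TLSv1.0",
    "tls1.1": "TLSv1.1",
    "tls1.2": "TLSv1.2",
}


def parse_version(name):
    """Return the rank of a version name, or raise ValueError listing the
    accepted values so a typo in the config points the user the right way."""
    key = name.strip().lower()
    if key not in VERSION_ORDER:
        raise ValueError("unknown TLS version %r; expected one of: %s"
                         % (name, ", ".join(VERSION_ORDER)))
    return VERSION_ORDER.index(key)


def validate_range(tls_version_min, tls_version_max):
    """Validate the two options as a range and return (min_name, max_name).

    A minimum newer than the maximum is a configuration error; it is reported
    with both values rather than silently swapped."""
    lo = parse_version(tls_version_min)
    hi = parse_version(tls_version_max)
    if lo > hi:
        raise ValueError("tls_version_min (%s) is newer than tls_version_max (%s)"
                         % (tls_version_min, tls_version_max))
    return VERSION_ORDER[lo], VERSION_ORDER[hi]


def nss_protocol_directive(tls_version_min, tls_version_max):
    """Render the validated range as an NSSProtocol line listing every
    version in the range, as in the thread's TLSv1.0,TLSv1.1,TLSv1.2 line."""
    lo_name, hi_name = validate_range(tls_version_min, tls_version_max)
    lo, hi = VERSION_ORDER.index(lo_name), VERSION_ORDER.index(hi_name)
    tokens = [NSS_PROTOCOL_TOKEN[v] for v in VERSION_ORDER[lo:hi + 1]]
    return "NSSProtocol " + ",".join(tokens)


def effective_protocols(directive_value, supported):
    """Model the tolerant behaviour described for mod_nss: tokens the build
    does not know are reported, the known ones are enabled, nothing aborts.

    Returns (enabled, unknown), both in directive order."""
    enabled, unknown = [], []
    for token in directive_value.split(","):
        token = token.strip()
        if token in supported:
            enabled.append(token)
        else:
            unknown.append(token)
    return enabled, unknown


if __name__ == "__main__":
    line = nss_protocol_directive("tls1.0", "tls1.2")
    print(line)
    # Constructed case: a mod_nss build that predates TLS 1.2 support.
    old_build = {"SSLv3", "TLSv1.0", "TLSv1.1"}
    enabled, unknown = effective_protocols(line.split(" ", 1)[1], old_build)
    print("enabled:", enabled, "reported as unknown:", unknown)
```

The min/max split makes the "lower only the floor for one old server" case a one-value change, and the range check catches the inverted configuration that a single combined option could not express cleanly; the last function is only a model of the behaviour the thread attributes to mod_nss, not mod_nss's parser.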
