Re: nsSSL3 warnings

On 03/30/2016 06:57 AM, Alberto Viana wrote:
> Hello,
>
> I installed a new version of 389:
>
> 389-Directory/1.3.4.8 B2016.063.1654
>
> And I'm getting these warnings:
>
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.

This means nsSSL3 is enabled when the server was started.

> [30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.

This means sslVersionMin is TLS1.0 and sslVersionMax is TLS1.2.

nsSSL2, nsSSL3, and nsTLS1 are the old format to specify the SSL version(s).  The new format is sslVersionMin and sslVersionMax.  They coexist for backward compatibility.

The default settings are:
  • nsSSL2, nsSSL3: off
  • nsTLS1: on
  • sslVersionMin: TLS1.0
  • sslVersionMax: supported highest TLS version
To prevent the POODLE attack, 389-ds-base disables SSLv3 by default.  To enable SSLv3, both nsSSL3 needs to be on and sslVersionMin needs to be SSL3.  This is to avoid accidentally setting SSLv3 (which we don't recommend).

In your case, nsSSL3 was on when the server was started.  Please note that the SSL configuration is done at server startup.  If you change the config parameters, you have to restart the server.

That said, this message says SSLv3 (nsSSL3: on) was ignored and the available range is [TLS1.0 - TLS1.2].
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.


> I already disabled nsSSL2 and nsSSL3:
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL2
> nsSSL2: off
> -
> replace: nsSSL3
> nsSSL3: off
> -
> replace: nsTLS1
> nsTLS1: on
>
> and confirmed that my server is only accepting TLS connections.
>
> Also tried to delete nsssl3ciphers:
>
> dn: cn=encryption,cn=config
> changetype: modify
> delete: nsssl3ciphers
>
> But it comes back.
>
> Why am I still getting these warnings even after disabling nsSSL2 and nsSSL3?
>
> Thanks
>
> Alberto Viana


--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
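
Added example (not part of the thread and not 389-ds-base code): a Python check that applies the rule stated in the reply, that SSLv3 is enabled only when nsSSL3 is on and sslVersionMin is SSL3, to a constructed cn=encryption,cn=config entry. The function names, the sample entry, and TLS1.2 as the default sslVersionMax (taken from the log line) are assumptions.

```python
# Added example: models the rule stated in the reply; not 389-ds-base code.
# Defaults as listed in the reply. sslVersionMax defaults to the highest
# supported version; TLS1.2 is assumed here because the log line shows it.
DEFAULTS = {"nsssl2": "off", "nsssl3": "off", "nstls1": "on",
            "sslversionmin": "TLS1.0", "sslversionmax": "TLS1.2"}

# Constructed sample: the encryption entry as it stood when the server started.
STARTUP_ENTRY = """\
dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: on
nsTLS1: on
"""

def parse_entry(ldif):
    """Return one LDIF entry's attributes as a dict with lowercased names."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs

def audit(ldif):
    """Apply the defaults, then decide whether SSLv3 would really be enabled."""
    cfg = {**DEFAULTS, **parse_entry(ldif)}
    vmin, vmax = cfg["sslversionmin"], cfg["sslversionmax"]
    ssl3_on = cfg["nsssl3"].lower() == "on"
    min_is_ssl3 = vmin.upper() == "SSL3"
    findings = []
    if ssl3_on and min_is_ssl3:
        findings.append("SSLv3 enabled: nsSSL3 is on and sslVersionMin is SSL3")
    elif ssl3_on:
        findings.append("nsSSL3 is on but ignored: sslVersionMin is " + vmin)
    elif min_is_ssl3:
        findings.append("sslVersionMin is SSL3 but nsSSL3 is off: SSLv3 stays disabled")
    return {"sslv3_enabled": ssl3_on and min_is_ssl3,
            "range": (vmin, vmax), "findings": findings}

if __name__ == "__main__":
    print(audit(STARTUP_ENTRY))
```

Because the server reads these settings only at startup, the result describes what the next restart will apply, not necessarily what the running process is using.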
