https://fedorahosted.org/389/ticket/48784
https://fedorahosted.org/389/attachment/ticket/48784/0001-Ticket-48784-Make-the-SSL-version-set-to-the-client-.patch git patch file (master) -- revised based upon the reviews by William (Thanks!)
On 04/06/2016 12:35 PM, 389 Project wrote:

Comment (by nhosoi):

The answer from the security team.

On 04/04/2016 10:26 PM, Huzaifa Sidhpurwala wrote:
> Currently, we are not aware of any attacks which are feasible against a
> proper implementation of TLS 1.0 (openssl, nss, gnutls we ship). However
> that being said, the safest option is always to use the highest version
> available, i.e. TLS 1.2, and fall back to lower versions only if you can't
> use 1.2.
>
> The above is general advice in all cases. If you have a special case in
> mind, let me know and we can discuss.
>
> My answer is based on the bits of information I got from the mail I was
> copied on :)

This is the access log snippet of the replication. As you see, even though the min value is TLS1.0 (or even set to SSL3), the highest available version is picked. So, we may not have to worry too much about it.

{{{
[..] conn=3 TLS1.2 128-bit AES-GCM; client CN=test.localdomain0,OU=389 Directory Server; issuer CN=CAcert
[..] conn=3 TLS1.2 client bound as uid=repl_mgr1,cn=config
}}}
-- 389-devel mailing list 389-devel@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
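The observation above (the minimum version is a floor, the negotiated version is what the access log records) is easy to verify from the log itself. The following is an added example, not code from the ticket or from 389 Directory Server: it parses the `conn=N TLSx.y NNN-bit CIPHER;` handshake lines and reports connections that negotiated below an assumed policy floor. The log lines are constructed, modelled on the snippet in the message, with invented timestamps and a second, weaker connection for contrast.

```python
import re

# Constructed sample lines in the shape of the 389 DS access log snippet above
# (timestamps, conn=7 and conn=9 are invented for illustration).
SAMPLE_ACCESS_LOG = """\
[06/Apr/2016:12:35:01 -0700] conn=3 TLS1.2 128-bit AES-GCM; client CN=test.localdomain0,OU=389 Directory Server; issuer CN=CAcert
[06/Apr/2016:12:35:01 -0700] conn=3 TLS1.2 client bound as uid=repl_mgr1,cn=config
[06/Apr/2016:12:36:10 -0700] conn=7 TLS1.0 128-bit AES; client CN=old.localdomain0,OU=389 Directory Server; issuer CN=CAcert
[06/Apr/2016:12:36:11 -0700] conn=7 TLS1.0 client bound as uid=repl_mgr2,cn=config
[06/Apr/2016:12:37:00 -0700] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3
"""

# Only the handshake line carries the key size and cipher; the later
# "client bound" line repeats the version but is not re-parsed.
TLS_LINE = re.compile(
    r"conn=(?P<conn>\d+) (?P<ver>TLS1\.\d|SSL3) (?P<bits>\d+)-bit (?P<cipher>[^;]+);"
)

# Ordering used to compare negotiated versions against a policy floor.
VERSION_RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}


def parse_tls_handshakes(log_text):
    """Map conn id -> (version, key bits, cipher) for every TLS handshake line."""
    handshakes = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            handshakes[int(m.group("conn"))] = (
                m.group("ver"), int(m.group("bits")), m.group("cipher").strip()
            )
    return handshakes


def below_policy(handshakes, min_version="TLS1.2", min_bits=128):
    """Return sorted conn ids whose negotiated version or key size is under the floor.

    An unrecognised version string is treated as failing, so a new or odd
    value in the log is surfaced rather than silently accepted.
    """
    floor = VERSION_RANK[min_version]
    flagged = []
    for conn, (ver, bits, _cipher) in handshakes.items():
        if VERSION_RANK.get(ver, -1) < floor or bits < min_bits:
            flagged.append(conn)
    return sorted(flagged)


if __name__ == "__main__":
    hs = parse_tls_handshakes(SAMPLE_ACCESS_LOG)
    print("handshakes:", hs)
    print("below TLS1.2/128-bit policy:", below_policy(hs))  # [7]
```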