I think we cannot remove it. Setting the MIN version is a workaround for *old clients* not even supporting current NSS' default min. Setting up MAX version is a workaround for *broken clients* thinking they can support something they announced but for some reason fail to work with such a version. I believe most deployments have some really legacy software, of which not a small amount behaves weirdly enough that these two options save lives; I have seen these issues several times.

On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
>
> So some time ago when the poodlebleed vulnerability came out in SSL3 we
> added a way to set the minimum and maximum SSL/TLS versions the server
> would accept (e.g. TLS1.1 <--> TLS1.2). Current versions of NSS
> already use this range by default. I would like to remove/deprecate the
> sslVersionMin/Max and just use what NSS uses by default (which should be
> the system wide crypto policy).
>
> Is anyone actually using sslVersionMin/Max? Do we really have a need
> for it anymore?
>
> --
>
> 389 Directory Server Development Team
> _______________________________________________
> 389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-devel@xxxxxxxxxxxxxxxxxxxxxxx

--
Matúš Honěk
Software Engineer
Red Hat Czech