This is a known problem. We moved the default minimum to TLS 1.2 (from
1.0), but it's not working correctly and it will not allow you to set
1.0 at all. We will fix it shortly...
On 4/29/20 10:25 AM, Alberto Viana wrote:
Hi Guys,
My packages:
389-ds-base1.4.2.8-20200414gitfae920fc8.el8.x86_64
openssl-1.1.1c-2.el8.x86_64
I'm trying to set tls-protocol-min to TLS 1.0 but it's not working. I
used dsconf and ldapmodify like this:
dn: cn=encryption,cn=config
changetype: modify
replace: sslVersionMin
sslVersionMin: TLS1.1
-
replace: sslVersionMax
sslVersionMax: TLS1.2
Also tried to set on variables like this:
nsTLS11: on
nsTLS10: on
dsconf RNP security set --tls-protocol-min="TLS1.0"
Set Allow Weak Ciphers to on, but seems to be related to ssl3 and not TLS.
Change cipher suite to all
All commands seem to work, and also modify my dse.ldif, but when I start
my 389:
[28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
[28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
This last try was setting to --tls-protocol-min="TLS1.1"
Thanks
Alberto Viana
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
--
389 Directory Server Development Team
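
Added example, not part of the original thread or of the 389 Directory Server code: a small check that pairs the "Configured" and "NSS adjusted" startup lines quoted above and reports when the effective TLS range differs from the one set in cn=encryption,cn=config. The function name and the ordering table are assumptions made for this illustration.

```python
import re

# Startup lines from the errors log quoted in this thread, kept wrapped as
# the e-mail shows them so the unwrapping step is exercised.
SAMPLE_LOG = """\
[28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security
Initialization - slapd_ssl_init2 - Configured SSL version range: min:
TLS1.1, max: TLS1.2
[28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security
Initialization - slapd_ssl_init2 - NSS adjusted SSL version range:
min: TLS1.2, max: TLS1.2
"""

RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range:"
    r" min: (\S+?), max: (\S+)"
)

# Ordering of protocol names. TLS1.0 to TLS1.2 appear in the thread; SSL3
# and TLS1.3 are assumed to follow the same naming.
RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}


def version_overrides(log_text):
    """Pair each configured range with the range NSS actually applied."""
    text = re.sub(r"\s+", " ", log_text)  # undo line wrapping
    findings, configured = [], None
    for kind, vmin, vmax in RANGE_RE.findall(text):
        if kind == "Configured":
            configured = (vmin, vmax)
            continue
        if configured is None:
            continue  # adjusted line with no configured line before it
        old, new = RANK.get(configured[0]), RANK.get(vmin)
        if old is None or new is None:
            change = "unknown"  # protocol name not in the assumed table
        else:
            change = "raised" if new > old else "lowered" if new < old else "same"
        findings.append({
            "configured": configured,
            "effective": (vmin, vmax),
            "min_change": change,
            "overridden": (vmin, vmax) != configured,
        })
        configured = None
    return findings


if __name__ == "__main__":
    for finding in version_overrides(SAMPLE_LOG):
        print(finding)
```

A "raised" result is the behaviour reported in this thread; a "lowered" result would mean the server accepts an older protocol than the configuration asks for.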