Mark,

One last doubt, what about TLS 1.3? Does 389 already support it?

Thanks

Alberto Viana

On Wed, Apr 29, 2020 at 12:42 PM Mark Reynolds <[email protected]> wrote:

> This is a known problem. We moved the default minimum to TLS 1.2 (from
> 1.0), but it's not working correctly and it will not allow you to set 1.0
> at all. We will fix it shortly...
> On 4/29/20 10:25 AM, Alberto Viana wrote:
>
> Hi Guys,
> My packages:
> 389-ds-base1.4.2.8-20200414gitfae920fc8.el8.x86_64
> openssl-1.1.1c-2.el8.x86_64
>
> I'm trying to set tls-protocol-min to TLS 1.0 but it's not working, I used
> dsconf and ldapmodify like this:
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: sslVersionMin
> sslVersionMin: TLS1.1
> -
> replace: sslVersionMax
> sslVersionMax: TLS1.2
>
> Also tried to set on variables like this:
> nsTLS11: on
> nsTLS10: on
>
> dsconf RNP security set --tls-protocol-min="TLS1.0"
>
> Set Allow Weak Ciphers to on, but seems to be related to ssl3 and not TLS.
> Change cipher suite to all
>
> All commands seem to work, also modify my dse.ldif, but when I start my
> 389:
>
> [28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization -
> slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2
> [28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization -
> slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
>
> This last try was setting to --tls-protocol-min="TLS1.1"
>
> Thanks
>
> Alberto Viana
>
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
>
> --
>
> 389 Directory Server Development Team
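An added example, not part of the thread or of 389 Directory Server: a Python check that reads the two slapd_ssl_init2 lines quoted above and reports when the range NSS actually applied differs from the configured one, or when the effective minimum is below a required floor. The function names, the required_min parameter and the version ordering (including the SSL3 and TLS1.3 labels) are assumptions made for this example; the sample log is the pair of lines from the thread with the e-mail wrapping undone.

```python
import re

# Matches the "Configured" and "NSS adjusted" lines logged by slapd_ssl_init2.
RANGE_RE = re.compile(
    r"slapd_ssl_init2 - (Configured|NSS adjusted) SSL version range: "
    r"min: ([^,\s]+), max: (\S+)"
)

# Assumed ordering of version labels, weakest first.
ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

# The two log lines from the thread, unwrapped.
SAMPLE_LOG = (
    "[28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization - "
    "slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2\n"
    "[28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization - "
    "slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2\n"
)


def rank(label):
    """Position of a version label in ORDER, or -1 if unknown."""
    return ORDER.index(label) if label in ORDER else -1


def version_ranges(log_text):
    """Return the last configured and effective (min, max) pairs in the log."""
    seen = {}
    for m in RANGE_RE.finditer(log_text):
        kind = "configured" if m.group(1) == "Configured" else "effective"
        seen[kind] = (m.group(2), m.group(3))
    return seen


def audit(log_text, required_min="TLS1.2"):
    """List findings about the TLS range the server actually started with."""
    ranges = version_ranges(log_text)
    conf, eff = ranges.get("configured"), ranges.get("effective")
    if eff is None:
        return ["no effective range logged; cannot confirm TLS settings"]
    findings = []
    if conf is not None and conf != eff:
        findings.append(f"configured range {conf} was adjusted to {eff}")
    if rank(eff[0]) < rank(required_min):
        findings.append(f"effective minimum {eff[0]} is below {required_min}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the errors log after each restart, this confirms the range that is really in force rather than the one written to dse.ldif.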
