If the version of nss on your system is capable of TLS1.3, then we should support it.
> On 22 May 2020, at 08:50, Alberto Viana <[email protected]> wrote: > > Mark, > > One last doubt, what about TLS 1.3? 389 already supports it? > > Thanks > > Alberto Viana > > On Wed, Apr 29, 2020 at 12:42 PM Mark Reynolds <[email protected]> wrote: > This is a known problem. We moved the default minimum to TLS 1.2 (from 1.0), > but it's not working correctly and it will not allow you to set 1.0 at all. > We will fix it shortly... > > On 4/29/20 10:25 AM, Alberto Viana wrote: >> Hi Guys, >> My packages: >> 389-ds-base1.4.2.8-20200414gitfae920fc8.el8.x86_64 >> openssl-1.1.1c-2.el8.x86_64 >> >> I'm trying to set tls-protocol-min to TLS 1.0 but it's not working, I used >> dsconf and ldapmodify like this: >> >> dn: cn=encryption,cn=config >> changetype: modify >> replace: sslVersionMin >> sslVersionMin: TLS1.1 >> - >> replace: sslVersionMax >> sslVersionMax: TLS1.2 >> >> Also tried to set on variables like this: >> nsTLS11: on >> nsTLS10: on >> >> dsconf RNP security set --tls-protocol-min="TLS1.0" >> >> Set Allow Weak Ciphers to on, but seems to be related to ssl3 and not TLS. >> Change cipher suite to all >> >> >> >> >> All commands seems to works, also modify my dse.ldif but When I start my 389: >> >> [28/Apr/2020:23:10:58.855549735 -0300] - INFO - Security Initialization - >> slapd_ssl_init2 - Configured SSL version range: min: TLS1.1, max: TLS1.2 >> [28/Apr/2020:23:10:58.858132149 -0300] - INFO - Security Initialization - >> slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2 >> >> >> This last try was setting to --tls-protocol-min="TLS1.1" >> >> Thanks >> >> Alberto Viana >> >> >> >> >> >> >> _______________________________________________ >> 389-users mailing list -- >> [email protected] >> >> To unsubscribe send an email to >> [email protected] >> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >> List Archives: >> https://lists.fedoraproject.org/archives/list/[email protected] > -- > > 389 Directory Server Development Team > > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
