Hi,

Dne 20.11.2014 v 23:26 Rob Crittenden napsal(a):
Use new capability in python-nss-0.16 to use the NSS protocol range
setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.

I made this configurable via tls_protocol_range in case somebody wants
to override it.

There isn't a whole ton of error handling on bad input but there is
enough, I think, to point the user in the right direction.

Added a couple more lines of debug output to include the negotiated
protocol and cipher.

rob

1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)


2) Could you split the option into two options, say "tls_version_min" and "tls_version_max"? IMO it would be easier to manage the version range that way, when for example you have to lower just the minimal version on a client to make it able to connect to an SSL3-only server.


3) Would it make sense to print a warning when the configured minimal TLS version is not safe and the connection uses a safe TLS version? This is for the case when you have to lower the minimal version on the client because of an old server, then the server gets updated, then you probably no longer want to have an unsafe minimal version configured on the client.


Functionally the patch is OK.

Honza

--
Jan Cholasta
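An added illustration of review points 2) and 3), not code from the patch, FreeIPA or python-nss: a split tls_version_min / tls_version_max configuration is validated, and a warning is produced when the configured minimum is below a safe floor while the server negotiated something safe. The version names, the default range and the SAFE_MIN threshold are assumptions.

```python
import logging

# Ordered protocol versions, oldest first. Names are assumed; real code
# would map them to the TLS library's own version constants.
VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]
SAFE_MIN = "tls1.0"  # assumption: anything older than this is unsafe


def parse_version_range(config):
    """Return (min, max) from a dict holding tls_version_min/tls_version_max.

    Raises ValueError naming the offending option so the user knows which
    key to fix; defaults (assumed) are tls1.0 .. newest known version.
    """
    lo = config.get("tls_version_min", "tls1.0")
    hi = config.get("tls_version_max", VERSIONS[-1])
    for key, value in (("tls_version_min", lo), ("tls_version_max", hi)):
        if value not in VERSIONS:
            raise ValueError("%s: unknown version %r (expected one of %s)"
                             % (key, value, ", ".join(VERSIONS)))
    if VERSIONS.index(lo) > VERSIONS.index(hi):
        raise ValueError("tls_version_min %s is newer than tls_version_max %s"
                         % (lo, hi))
    return lo, hi


def unsafe_min_warning(configured_min, negotiated):
    """Return a warning string when configured_min is below SAFE_MIN but the
    server negotiated a safe version (the minimum can be raised again);
    return None otherwise."""
    if (VERSIONS.index(configured_min) < VERSIONS.index(SAFE_MIN)
            and VERSIONS.index(negotiated) >= VERSIONS.index(SAFE_MIN)):
        return ("tls_version_min is %s but the server negotiated %s; "
                "consider raising tls_version_min to %s"
                % (configured_min, negotiated, SAFE_MIN))
    return None


def check_after_handshake(config, negotiated):
    """Validate the configured range, log the post-handshake warning if any,
    and return (min, max, warning) for the caller."""
    lo, hi = parse_version_range(config)
    msg = unsafe_min_warning(lo, negotiated)
    if msg:
        logging.getLogger(__name__).warning(msg)
    return lo, hi, msg
```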

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel