On 21.11.2014 at 16:09 Rob Crittenden wrote:
Jan Cholasta wrote:
Hi,

On 20.11.2014 at 23:26 Rob Crittenden wrote:
Use new capability in python-nss-0.16 to use the NSS protocol range
setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.

I made this configurable via tls_protocol_range in case somebody wants
to override it.

There isn't a whole ton of error handling on bad input but there is
enough, I think, to point the user in the right direction.

Added a couple more lines of debug output to include the negotiated
protocol and cipher.

rob

1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)

Attached.

2) Could you split the option into two options, say "tls_version_min"
and "tls_version_max"? IMO it would be easier to manage the version
range that way, when for example you have to lower just the minimal
version on a client to make it able to connect to an SSL3-only server.

Sure. I waffled back and forth before deciding on a single value.
Separate values are probably less error-prone.

3) Would it make sense to print a warning when the configured minimal
TLS version is not safe and the connection uses a safe TLS version? This
is for the case when you have to lower the minimal version on the client
because of an old server, then the server gets updated, then you
probably no longer want to have unsafe minimal version configured on the
client.

I see what you're saying but I think it could end up being just spam
that users get used to. That and given that I'd probably want to set it
up to require tls1.1 as a minimum but we can't do that because dogtag
only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.

You are probably right about the spam. Never mind then.


Functionally the patch is OK.

rob


Thanks for the patch, ACK.

Fixed option names in commit message and pushed to:
master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777

BTW before we can close the ticket, we are going to need a couple more fixes:

1) Bump required versions of 389-ds-base, pki-core and openldap, once the necessary fixes are available.

2) Configure mod_nss to also support TLS 1.2. It should be done on both server install and upgrade. This requires a new version of mod_nss.

--
Jan Cholasta
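The split into tls_version_min / tls_version_max discussed above, as an added example of the kind of input validation a client would do before handing the pair to the NSS protocol range setter. This is not FreeIPA's or python-nss's code: the version names, their ordering, the default range and the "safe floor" used for the (dropped) warning idea are assumptions for the example, and it does not import python-nss.

```python
"""Validate a tls_version_min / tls_version_max pair (added example)."""

# Protocol names in increasing strength order (constructed ordering,
# spelled the way the thread spells them).
_VERSIONS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]
# Anything below this floor counts as unsafe (assumption for the example).
_SAFE_MIN = "tls1.1"


class TLSRangeError(ValueError):
    """Raised for bad tls_version_min / tls_version_max input."""


def _index(name, option):
    """Map a configured name to its position in _VERSIONS, or fail loudly."""
    key = name.strip().lower()
    if key not in _VERSIONS:
        raise TLSRangeError(
            "%s: unknown protocol version %r (valid: %s)"
            % (option, name, ", ".join(_VERSIONS)))
    return _VERSIONS.index(key)


def parse_tls_range(tls_version_min=None, tls_version_max=None):
    """Return (min, max) as canonical names.

    Defaults (assumed): tls1.0 as the floor, the newest known version as
    the ceiling.  A floor above the ceiling is rejected with a message that
    names both options, which is the level of error handling the thread
    describes as enough to point the user in the right direction.
    """
    lo = _index(tls_version_min, "tls_version_min") if tls_version_min else 1
    hi = (_index(tls_version_max, "tls_version_max") if tls_version_max
          else len(_VERSIONS) - 1)
    if lo > hi:
        raise TLSRangeError(
            "tls_version_min (%s) is higher than tls_version_max (%s)"
            % (_VERSIONS[lo], _VERSIONS[hi]))
    return _VERSIONS[lo], _VERSIONS[hi]


def min_is_unsafe(tls_version_min=None, tls_version_max=None):
    """True when the configured floor is below _SAFE_MIN.

    This is the check behind the warning considered and then dropped in the
    thread; if used at all, log it once at startup rather than per connection
    so it does not become the spam the thread worries about.
    """
    lo, _ = parse_tls_range(tls_version_min, tls_version_max)
    return _VERSIONS.index(lo) < _VERSIONS.index(_SAFE_MIN)
```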

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
