[389-devel] Re: Do we still need sslVersionMax/sslVersionMin?
On 7/17/19 11:47 PM, William Brown wrote:
> On 17 Jul 2019, at 22:36, Mark Reynolds wrote:
>> On 7/17/19 3:01 AM, Matus Honek wrote:
>>> I think we cannot remove it. Setting the MIN version is a workaround for *old clients* not even supporting current NSS' default min. Setting the MAX version is a workaround for *broken clients* thinking they can support something they announced but for some reason fail to work with such a version. I believe most deployments have some really legacy software, of which not a small amount behaves weirdly enough that these two options save lives; I have seen these issues several times.
>> Did you see anyone still using SSL3?
> The min is good to allow a sysadmin to clamp the min version up to something like TLS1.2 rather than TLS 1.0 and 1.1, which both have known issues. So I think we should leave this, but default to the NSS system wide crypto, and document and advise to use the NSS system wide crypto policy instead.

Well, the bug I have now is that the NSS system wide policy is overriding the min and max ssl versions and always using (min TLS 1.2 -> max TLS 1.3). Looks like if you try and use SSL3 it just overrides it in the current version of NSS anyway. So I am probably going to remove all the SSL3 specific code in ssl.c. But I'll keep the min and max settings...

>>> On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds wrote:
>>>> So some time ago when the poodlebleed vulnerability came out in SSL3 we added a way to set the minimum and maximum SSL/TLS versions the server would accept (e.g. TLS1.1 <--> TLS1.2). Current versions of NSS already use this range by default. I would like to remove/deprecate the sslVersionMin/Max and just use what NSS uses by default (which should be the system wide crypto policy).
>>>>
>>>> Is anyone actually using sslVersionMin/Max? Do we really have a need for it anymore?

--
389 Directory Server Development Team
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
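The check an admin would want after reading the above, as an added example that is not code from the thread or from 389 DS: parse the sslVersionMin/sslVersionMax attributes out of the `cn=encryption,cn=config` entry and work out the range the server can actually end up with once the system-wide crypto policy is applied. The LDIF sample is constructed, the policy floor and ceiling (TLS1.2 to TLS1.3) are the ones Mark reports, and treating the result as the intersection of the two ranges is a modelling assumption, not NSS's documented algorithm.

```python
import re

# Protocol versions in the order NSS ranks them, oldest first.
VERSION_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

# Constructed sample of what `ldapsearch -b cn=encryption,cn=config` prints;
# only the two range attributes matter for this check.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""


def parse_version_range(ldif):
    """Return (sslVersionMin, sslVersionMax); a bound is None when the attribute is absent."""
    found = {}
    pattern = r"^(sslVersionM(?:in|ax)):\s*(\S+)\s*$"
    for m in re.finditer(pattern, ldif, re.M | re.I):
        attr, value = m.group(1).lower(), m.group(2).upper()
        if value not in VERSION_ORDER:
            raise ValueError("unknown protocol version %r in %s" % (value, attr))
        found[attr] = value
    return found.get("sslversionmin"), found.get("sslversionmax")


def effective_range(configured, policy=("TLS1.2", "TLS1.3")):
    """Combine the server's (min, max) with the system-wide policy's (min, max).

    Assumption: NSS honours the server's bounds only inside the policy's own
    range, so the result is the intersection and any bound outside it is
    silently ignored.  Returns (min, max, warnings).
    """
    rank = VERSION_ORDER.index
    cfg_min, cfg_max = configured
    pol_min, pol_max = policy
    warnings = []
    eff_min = cfg_min if cfg_min and rank(cfg_min) > rank(pol_min) else pol_min
    eff_max = cfg_max if cfg_max and rank(cfg_max) < rank(pol_max) else pol_max
    if cfg_min and rank(cfg_min) < rank(pol_min):
        warnings.append("sslVersionMin %s is below the policy floor %s; it has no effect" % (cfg_min, pol_min))
    if cfg_max and rank(cfg_max) > rank(pol_max):
        warnings.append("sslVersionMax %s is above the policy ceiling %s; it has no effect" % (cfg_max, pol_max))
    if rank(eff_min) > rank(eff_max):
        warnings.append("empty range: no protocol version satisfies both settings")
    return eff_min, eff_max, warnings


if __name__ == "__main__":
    lo, hi, notes = effective_range(parse_version_range(SAMPLE_LDIF))
    print("effective range: %s .. %s" % (lo, hi), *notes, sep="\n")
```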
[389-devel] Re: Do we still need sslVersionMax/sslVersionMin?
> On 17 Jul 2019, at 22:36, Mark Reynolds wrote:
>
> On 7/17/19 3:01 AM, Matus Honek wrote:
>> I think we cannot remove it. Setting the MIN version is a workaround for *old clients* not even supporting current NSS' default min. Setting the MAX version is a workaround for *broken clients* thinking they can support something they announced but for some reason fail to work with such a version. I believe most deployments have some really legacy software, of which not a small amount behaves weirdly enough that these two options save lives; I have seen these issues several times.
> Did you see anyone still using SSL3?

The min is good to allow a sysadmin to clamp the min version up to something like TLS1.2 rather than TLS 1.0 and 1.1, which both have known issues. So I think we should leave this, but default to the NSS system wide crypto, and document and advise to use the NSS system wide crypto policy instead.

>> On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds wrote:
>>> So some time ago when the poodlebleed vulnerability came out in SSL3 we added a way to set the minimum and maximum SSL/TLS versions the server would accept (e.g. TLS1.1 <--> TLS1.2). Current versions of NSS already use this range by default. I would like to remove/deprecate the sslVersionMin/Max and just use what NSS uses by default (which should be the system wide crypto policy).
>>>
>>> Is anyone actually using sslVersionMin/Max? Do we really have a need for it anymore?
>>>
>>> --
>>> 389 Directory Server Development Team

—
Sincerely,

William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
[389-devel] Re: Do we still need sslVersionMax/sslVersionMin?
On 7/17/19 3:01 AM, Matus Honek wrote:
> I think we cannot remove it. Setting the MIN version is a workaround for *old clients* not even supporting current NSS' default min. Setting the MAX version is a workaround for *broken clients* thinking they can support something they announced but for some reason fail to work with such a version. I believe most deployments have some really legacy software, of which not a small amount behaves weirdly enough that these two options save lives; I have seen these issues several times.

Did you see anyone still using SSL3?

> On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds wrote:
>> So some time ago when the poodlebleed vulnerability came out in SSL3 we added a way to set the minimum and maximum SSL/TLS versions the server would accept (e.g. TLS1.1 <--> TLS1.2). Current versions of NSS already use this range by default. I would like to remove/deprecate the sslVersionMin/Max and just use what NSS uses by default (which should be the system wide crypto policy).
>>
>> Is anyone actually using sslVersionMin/Max? Do we really have a need for it anymore?

--
389 Directory Server Development Team
[389-devel] Re: Do we still need sslVersionMax/sslVersionMin?
I think we cannot remove it. Setting the MIN version is a workaround for *old clients* not even supporting current NSS' default min. Setting the MAX version is a workaround for *broken clients* thinking they can support something they announced but for some reason fail to work with such a version. I believe most deployments have some really legacy software, of which not a small amount behaves weirdly enough that these two options save lives; I have seen these issues several times.

On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds wrote:
>
> So some time ago when the poodlebleed vulnerability came out in SSL3 we added a way to set the minimum and maximum SSL/TLS versions the server would accept (e.g. TLS1.1 <--> TLS1.2). Current versions of NSS already use this range by default. I would like to remove/deprecate the sslVersionMin/Max and just use what NSS uses by default (which should be the system wide crypto policy).
>
> Is anyone actually using sslVersionMin/Max? Do we really have a need for it anymore?
>
> --
> 389 Directory Server Development Team

--
Matúš Honěk
Software Engineer
Red Hat Czech