
Issue 51060 - unable to set sslVersionMin to TLS1.0

Description:  When processing the "sslVersionMin" attribute we were incorrectly
              setting it to TLS1.2 (current default level)

fixes: https://pagure.io/389-ds-base/issue/51060

Reviewed by: firstyear(Thanks!)
Mark Reynolds 5 years ago
parent
commit
3548738f9d
2 changed files with 14 additions and 2 deletions
  1. 12 0
      dirsrvtests/tests/suites/tls/ssl_version_test.py
  2. 2 2
      ldap/servers/slapd/ssl.c

+ 12 - 0
dirsrvtests/tests/suites/tls/ssl_version_test.py

@@ -19,10 +19,12 @@ def test_ssl_version_range(topo):
         1. Get current default range
         2. Set sslVersionMin and verify it is applied after a restart
         3. Set sslVersionMax and verify it is applied after a restart
+        4. Sanity test all the min/max versions
     :expectedresults:
         1. Success
         2. Success
         3. Success
+        4. Success
     """
 
     topo.standalone.enable_tls()
@@ -47,6 +49,16 @@ def test_ssl_version_range(topo):
     max = enc.get_attr_val_utf8('sslVersionMax')
     assert max == default_min
 
+    # Sanity test all the min/max versions
+    for attr, versions in [('sslVersionMin', ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0']),
+                           ('sslVersionMax', ['TLS1.0', 'TLS1.1', 'TLS1.2'])]:
+        for version in versions:
+            # Test that the setting is correctly applied after a restart
+            enc.replace(attr, version)
+            topo.standalone.restart()
+            current_val = enc.get_attr_val_utf8(attr)
+            assert current_val == version
+
 
 if __name__ == '__main__':
     # Run isolated
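Review bot: The trailing 'TLS1.0' in the sslVersionMin list of the second hunk is an undocumented reset — it appears to be there so the sslVersionMax loop that follows can be lowered to TLS1.0 without leaving the range with min above max, but nothing in the loop says so. A one-line comment on the list would prevent a future cleanup from "deduplicating" it, e.g. `# sslVersionMin ends on TLS1.0 so the sslVersionMax loop below can step down to TLS1.0 without min > max`. The assertions also only confirm that each value round-trips through a restart, not that the server actually negotiates the configured range, so the test would not notice a value being clamped by the NSS library range; a comment stating that scope, or a follow-up connection test, would make the intent clear. test_ssl_version_range begins before the first hunk.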

+ 2 - 2
ldap/servers/slapd/ssl.c

@@ -1373,7 +1373,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
                                    val, emin);
                     (*rval) = enabledNSSVersions.min;
                 } else {
-                    (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
                 }
             } else {
                 if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
@@ -1384,7 +1384,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
                                    val, emax);
                     (*rval) = enabledNSSVersions.max;
                 } else {
-                    (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
                 }
             }
         } else if (tlsv < 1.2f) { /* TLS1.1 */
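Review bot: The guard `if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION)` in the first hunk still compares against the default version while the branch below it now assigns SSL_LIBRARY_VERSION_TLS_1_0, so when the NSS-enabled maximum lies between TLS1.0 and the default, a request for TLS1.0 is answered with enabledNSSVersions.max instead of TLS1.0; the comparison should use the same constant as the assignment, `if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {`. The corresponding sslVersionMin guard sits above the first hunk and presumably has the same mismatch, which in that branch would mean setting a minimum below what NSS actually supports, and the emin/emax strings in the log calls likely still describe the default rather than TLS1.0. Since TLS1.0 is below the current default, logging a warning on the new TLS_1_0 branches that the configured range is weaker than the default would help operators spot an unintended downgrade. set_NSS_version starts before the first hunk and continues past the second.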