Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Ticket #48775 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged.

Description: The config entry cn=encryption,cn=config takes old and new
formats to specify SSL versions.
* old format:
  nsSSL3: on|off
  nsTLS1: on|off
* new format:
  sslVersionMin: <min value, e.g., TLS1.0>
  sslVersionMax: <max value, e.g., TLS1.3>
To enable SSLv3, both nsSSL3 needs to be on and sslVersionMin needs to
set to SSL3.  But the current code logs the following warning if nsSSL3
is on, even if sslVersionMin is set to higher than SSL3:
  Found unsecured configuration: nsSSL3: on; We strongly recommend to
  disable nsSSL3 in cn=encryption,cn=config.

Instead, this patch changes the behaviour to log the warning only when
nsSSL3 is on and sslVersionMin is set to lower than or equal to SSL3:
  Min value is too low in range: min: SSL3, max: TLS##;
  We strongly recommend to set sslVersionMin higher than TLS1.0.

https://fedorahosted.org/389/ticket/48775

Reviewed by [email protected] (Thank you, Mark!!)
Noriko Hosoi 9 years ago
parent
10787a0bb0
commit
9b3c2736db
1 changed files with 5 additions and 3 deletions
Split View Show Diff Stats
  1. 5 3
      ldap/servers/slapd/ssl.c

+ 5 - 3
ldap/servers/slapd/ssl.c
View File 

@@ -893,8 +893,6 @@ restrict_SSLVersionRange(void)
 
         slapdNSSVersions.max = enabledNSSVersions.max;
 
     }
 
     if (enableSSL3) {
 
-        slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
 
-                       "We strongly recommend to disable nsSSL3 in %s.", configDN);
 
         if (enableTLS1) {
 
             if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
 
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
 
@@ -902,6 +900,10 @@ restrict_SSLVersionRange(void)
 
                                "Respect the supported range.",
 
                                mymin, mymax);
 
                 enableSSL3 = PR_FALSE;
 
+            } else {
 
+                slapd_SSL_warn("Min value is too low in range: min: %s, max: %s; "
 
+                               "We strongly recommend to set sslVersionMin higher than %s.",
 
+                               mymin, mymax, DEFVERSION);
 
             }
 
             if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
 
                 slapd_SSL_warn("Configured range: min: %s, max: %s; "
 
@@ -928,7 +930,7 @@ restrict_SSLVersionRange(void)
 
                 enableSSL3 = PR_FALSE;
 
                 enableTLS1 = PR_TRUE;
 
             } else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) {
 
-                slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
 
+                slapd_SSL_warn("Min value is too low in range: min: %s, max: %s; "
 
                                "We strongly recommend to set sslVersionMin higher than %s.",
 
                                mymin, mymax, DEFVERSION);
 
             } else {