On 03/30/2016 06:57 AM, Alberto Viana wrote:
This means nsSSL3 is enabled when the server was started.
Hello,
I installed a new version of 389:
389-Directory/1.3.4.8 B2016.063.1654
And I'm getting these warnings:
[30/Mar/2016:10:47:39 -0300] - SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable nsSSL3 in cn=encryption,cn=config.
This means sslVersionMin is TLS1.0 and sslVersionMax is TLS1.2.
[30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
nsSSL2, nsSSL3, and nsTLS1 are the old format for specifying the SSL version(s). The new format is sslVersionMin and sslVersionMax. They coexist for backward compatibility.
The default settings are:
- nsSSL2, nsSSL3: off
- nsTLS1: on
- sslVersionMin: TLS1.0
- sslVersionMax: supported highest TLS version
In your case, nsSSL3 was on when the server was started. Please note that the SSL configuration is done at the server start up. If you change the config parameters, you have to restart the server.
That said, this message says SSLv3 (nsSSL3: on) was ignored and the available range is [TLS1.0 - TLS1.2].
> [30/Mar/2016:10:47:39 -0300] - SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1 are on. Respect the supported range.
I already disabled nsSSL2 and nsSSL3:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
and confirmed that my server is only accepting TLS connections
Also tried to delete nsssl3ciphers:
dn: cn=encryption,cn=config
changetype: modify
delete: nsssl3ciphers
But it comes back.
Why am I still getting these warnings even after disabling nsSSL2 and nsSSL3?
Thanks
Alberto Viana
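
An added example, not from this thread or the 389 project: a small Python check that reads a cn=encryption,cn=config entry, applies the defaults listed in the reply, and flags the old-format settings behind the two warnings. The sample entry and function names are constructed, and the findings logic is an assumption modelled on the quoted log messages, not the server's own code.

```python
# Added example: audit the SSL-version attributes of cn=encryption,cn=config.
# Defaults are the ones listed in the reply; the sample entry is constructed.
DEFAULTS = {"nsssl2": "off", "nsssl3": "off", "nstls1": "on",
            "sslversionmin": "TLS1.0", "sslversionmax": None}  # None = highest supported

SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
nsSSL2: off
nsSSL3: on
nsTLS1: on
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""

def parse_entry(ldif_text):
    """Parse one LDIF entry into {lowercased attribute name: last value}."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation (folded) line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blanks and comments
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:                                # attribute names are case-insensitive
            entry[name.strip().lower()] = value.strip()
    return entry

def audit(entry):
    """Return (effective settings, findings) for the SSL version attributes."""
    eff = {k: entry.get(k, v) for k, v in DEFAULTS.items()}
    findings = []
    for legacy in ("nsssl2", "nsssl3"):
        if eff[legacy].lower() == "on":
            findings.append(f"{legacy} is on: set it to off in cn=encryption,cn=config")
    if eff["nsssl3"].lower() == "on" and eff["nstls1"].lower() == "on":
        findings.append("old-format nsSSL3 and nsTLS1 are both on while the range is "
                        f"{eff['sslversionmin']}..{eff['sslversionmax'] or 'highest supported'}")
    return eff, findings

if __name__ == "__main__":
    effective, warnings = audit(parse_entry(SAMPLE_LDIF))
    print(effective)
    for w in warnings:
        print("WARN:", w)
```

A clean result only describes the stored entry; as the reply notes, the SSL configuration is read at server startup, so the running server keeps its old settings until it is restarted.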