Wednesday, April 6, 2016

[389-devel] Please review (Take 2): [389 Project] #48784: Make the SSL version set to the client library configurable.

https://fedorahosted.org/389/ticket/48784

https://fedorahosted.org/389/attachment/ticket/48784/0001-Ticket-48784-Make-the-SSL-version-set-to-the-client-.patch
git patch file (master) -- revised based upon the reviews by William (Thanks!)
  • Fixed a typo in an error message.
  • Changed the return type of getSSLVersionRangeOL to void since there is no need to check it.
Regarding the min value of SSL version range, please see the comments below.

On 04/06/2016 12:35 PM, 389 Project wrote:
Comment (by nhosoi):

The answer from the security team.

On 04/04/2016 10:26 PM, Huzaifa Sidhpurwala wrote:
> Currently, we are not aware of any attacks which are feasible against a
> proper implementation of TLS 1.0 (openssl, nss, gnutls we ship). However
> that being said, the safest option is always to use the highest version
> available, i.e. TLS 1.2, and fall back to lower versions only if you can't
> use 1.2.
>
> The above is general advice in all cases. If you have a special case in
> mind, let me know and we can discuss.
>
> My answer is based on the bits of information I got from the mail I was
> copied on :)

This is the access log snippet of the replication. As you see, even
though the min value is TLS1.0 (or even when set to SSL3), the highest
available version is picked. So, we may not have to worry too much about
it.

{{{
[..] conn=3 TLS1.2 128-bit AES-GCM; client CN=test.localdomain0,OU=389 Directory Server; issuer CN=CAcert
[..] conn=3 TLS1.2 client bound as uid=repl_mgr1,cn=config
}}}
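Since the configured minimum of the range does not by itself tell you which protocol version a replication connection actually negotiated, the access log is the place to verify it. The following is an added example (not part of the ticket, the mail, or the 389 code base) that reads access-log lines in the shape of the snippet above and flags connections that negotiated anything below a chosen floor; the timestamps, `conn=7` lines and the `TLS1.0 128-bit AES` cipher text are constructed sample data.

```python
import re

# Constructed sample 389 DS access-log lines, modelled on the snippet quoted
# in the ticket comment (not captured from a real server).
SAMPLE_LOG = """\
[06/Apr/2016:12:00:01 -0700] conn=3 TLS1.2 128-bit AES-GCM; client CN=test.localdomain0,OU=389 Directory Server; issuer CN=CAcert
[06/Apr/2016:12:00:01 -0700] conn=3 TLS1.2 client bound as uid=repl_mgr1,cn=config
[06/Apr/2016:12:00:05 -0700] conn=7 TLS1.0 128-bit AES; client CN=old.localdomain,OU=389 Directory Server; issuer CN=CAcert
[06/Apr/2016:12:00:05 -0700] conn=7 TLS1.0 client bound as uid=repl_mgr2,cn=config
[06/Apr/2016:12:00:09 -0700] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3
"""

# Rank used to compare a negotiated version against the policy floor.
TLS_ORDER = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}

# Matches the connection id and the protocol token that follows it in the
# TLS handshake and "client bound" lines; plain LDAP operation lines do not match.
TLS_LINE = re.compile(r"\bconn=(?P<conn>\d+) (?P<proto>SSL3|TLS1\.[0-2])\b")


def negotiated_versions(log_text):
    """Map each connection id to the SSL/TLS version recorded for it."""
    versions = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            versions[m.group("conn")] = m.group("proto")
    return versions


def below_floor(log_text, floor="TLS1.2"):
    """Return connection ids whose negotiated version is older than `floor`."""
    floor_rank = TLS_ORDER[floor]
    return sorted(
        conn for conn, proto in negotiated_versions(log_text).items()
        if TLS_ORDER[proto] < floor_rank
    )


if __name__ == "__main__":
    for conn, proto in negotiated_versions(SAMPLE_LOG).items():
        print(f"conn={conn} negotiated {proto}")
    print("connections below the TLS1.2 floor:", below_floor(SAMPLE_LOG))
```

On the sample data the replication connection `conn=3` negotiates TLS1.2 as in the ticket, while the constructed `conn=7` is reported as below the floor.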
