Friday, May 1, 2020

[389-commits] [389-ds-base] branch 389-ds-base-1.4.2 updated: Issue 51060 - unable to set sslVersionMin to TLS1.0

This is an automated email from the git hooks/post-receive script.

mreynolds pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.

The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new 01b7ef7 Issue 51060 - unable to set sslVersionMin to TLS1.0
01b7ef7 is described below

commit 01b7ef727e68acc2ed516d8dace59728b01d3e06
Author: Mark Reynolds <mreynolds@redhat.com>
AuthorDate: Wed Apr 29 16:07:38 2020 -0400

Issue 51060 - unable to set sslVersionMin to TLS1.0

Description: When processing the "sslVersionMin" attribute we were incorrectly
setting it to TLS1.2 (current default level)

fixes: https://pagure.io/389-ds-base/issue/51060

Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/suites/tls/ssl_version_test.py | 12 ++++++++++++
ldap/servers/slapd/ssl.c | 4 ++--
2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/dirsrvtests/tests/suites/tls/ssl_version_test.py b/dirsrvtests/tests/suites/tls/ssl_version_test.py
index acc8b23..d9dae5a 100644
--- a/dirsrvtests/tests/suites/tls/ssl_version_test.py
+++ b/dirsrvtests/tests/suites/tls/ssl_version_test.py
@@ -19,10 +19,12 @@ def test_ssl_version_range(topo):
1. Get current default range
2. Set sslVersionMin and verify it is applied after a restart
3. Set sslVersionMax and verify it is applied after a restart
+ 4. Sanity test all the min/max versions
:expectedresults:
1. Success
2. Success
3. Success
+ 4. Success
"""

topo.standalone.enable_tls()
@@ -47,6 +49,16 @@ def test_ssl_version_range(topo):
max = enc.get_attr_val_utf8('sslVersionMax')
assert max == default_min

+ # Sanity test all the min/max versions
+ for attr, versions in [('sslVersionMin', ['TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0']),
+ ('sslVersionMax', ['TLS1.0', 'TLS1.1', 'TLS1.2'])]:
+ for version in versions:
+ # Test that the setting is correctly applied after a restart
+ enc.replace(attr, version)
+ topo.standalone.restart()
+ current_val = enc.get_attr_val_utf8(attr)
+ assert current_val == version
+

if __name__ == '__main__':
# Run isolated
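Review bot: The assertion in the new loop reads the value back with `enc.get_attr_val_utf8(attr)`, which checks the attribute stored on the entry rather than the range the server actually applied after `topo.standalone.restart()`. If the entry simply returns the string that `enc.replace(attr, version)` wrote, this check could pass without the ssl.c change. Consider also verifying the effective range, for example from the server's startup log or with a client handshake pinned to the version under test. The trailing 'TLS1.0' in the sslVersionMin list looks intentional (it leaves the minimum at TLS1.0 before sslVersionMax is lowered), but it reads like a duplicate; a one-line comment would make that ordering dependency explicit. The docstring step says "all the min/max versions" while the lists stop at TLS1.2, so either narrow the wording or extend the lists.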
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 9296cd4..0248585 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1291,7 +1291,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
val, emin);
(*rval) = enabledNSSVersions.min;
} else {
- (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
}
} else {
if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
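Review bot: In the `ismin` else branch, `(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;` now silently accepts a minimum below the default that the commit message gives as TLS1.2. Since this lowers the floor for every TLS connection the server accepts, consider logging a warning when the configured minimum ends up below CURRENT_DEFAULT_SSL_VERSION, so a downgrade of the minimum is visible in the error log and not only in the configuration entry. A short comment on the branch stating that it handles the TLS1.0 case, matching the `/* TLS1.1 */` comment on the following branch, would also help readers of set_NSS_version().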
@@ -1302,7 +1302,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
val, emax);
(*rval) = enabledNSSVersions.max;
} else {
- (*rval) = CURRENT_DEFAULT_SSL_VERSION;
+ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
}
}
} else if (tlsv < 1.2f) { /* TLS1.1 */
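Review bot: The guard for the max path, shown just above this hunk as `if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {`, still compares against CURRENT_DEFAULT_SSL_VERSION while the else branch now assigns SSL_LIBRARY_VERSION_TLS_1_0. If the NSS-enabled maximum is below the default but not below TLS1.0, a requested TLS1.0 maximum is replaced by `enabledNSSVersions.max` even though TLS1.0 is within the enabled range. Comparing against SSL_LIBRARY_VERSION_TLS_1_0 in the guard would keep the check and the assigned value consistent. The guard for the min path is not visible in the patch; if it has the same form, the same adjustment applies there.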
