Nope, fips is turned off
both settings from systemctl are set to 'yes'
I think everything's working now. the "In Synchronization" threw me,
when coupled with the Last Update Status, which shows "Error (0)
Replica acquired successfully: Incremental update succeeded". When
you read it more slowly it makes sense, but a casual look makes it
seem like the replication is ongoing and there's an error somewhere
On Thu, Nov 6, 2025 at 3:52 PM Viktor Ashirov <vashirov@redhat.com> wrote:
>
> FIPS mode?
>
> What's the output of
> systemctl show dirsrv@INSTANCE | grep -E 'ProtectKernelTunables|ProtectControlGroups'
>
> Thanks.
> On Thu, Nov 6, 2025 at 4:01 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
>>
>> 389-ds is 2.6.1-12.el9_6
>> nss-3.112.0-4.el9_4
>>
>> On Thu, Nov 6, 2025 at 2:56 PM Viktor Ashirov via 389-users
>> <389-users@lists.fedoraproject.org> wrote:
>> >
>> >
>> >
>> > On Thu, Nov 6, 2025 at 3:54 PM Viktor Ashirov <vashirov@redhat.com> wrote:
>> >>
>> >> Hi Michael,
>> >>
>> >> On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
>> >>>
>> >>> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>> >>>
>> >>> ERR Security Initialization SSL failure: Security Initialization -
>> >>> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
>> >>> error -8190 (security library: received bad data)
>> >>>
>> >>> as far as i can tell ldap on port 389 is still working, so it's only
>> >>> affecting the TLS side of things, but i can't seem to figure out
>> >>> what's gone wrong.
>> >>>
>> >>> i have a case open with redhat, but maybe someone here might have a suggestion
>> >>
>> >> I checked the case and there was not enough information.
>> >> Please provide sosreport there, and someone from support will pick it up soon.
>> >
>> > Or at least versions of 389-ds-base, nss, if you can't share any sosreports.
>> >>
>> >> Thanks!
>> >>>
>> >>>
>> >>> thanks
>> >>> --
>> >>> _______________________________________________
>> >>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> >>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> >>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>> >>
>> >>
>> >>
>> >> --
>> >> Viktor
>> >
>> >
>> >
>> > --
>> > Viktor
>> > --
>> > _______________________________________________
>> > 389-users mailing list -- 389-users@lists.fedoraproject.org
>> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>> --
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
>
>
> --
> Viktor
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thursday, November 6, 2025
[389-users] Re: SSL error after upgrade
FIPS mode?
What's the output of
systemctl show dirsrv@INSTANCE | grep -E 'ProtectKernelTunables|ProtectControlGroups'
On Thu, Nov 6, 2025 at 4:01 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
389-ds is 2.6.1-12.el9_6
nss-3.112.0-4.el9_4
On Thu, Nov 6, 2025 at 2:56 PM Viktor Ashirov via 389-users
<389-users@lists.fedoraproject.org> wrote:
>
>
>
> On Thu, Nov 6, 2025 at 3:54 PM Viktor Ashirov <vashirov@redhat.com> wrote:
>>
>> Hi Michael,
>>
>> On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
>>>
>>> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>>>
>>> ERR Security Initialization SSL failure: Security Initialization -
>>> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
>>> error -8190 (security library: received bad data)
>>>
>>> as far as i can tell ldap on port 389 is still working, so it's only
>>> affecting the TLS side of things, but i can't seem to figure out
>>> what's gone wrong.
>>>
>>> i have a case open with redhat, but maybe someone here might have a suggestion
>>
>> I checked the case and there was not enough information.
>> Please provide sosreport there, and someone from support will pick it up soon.
>
> Or at least versions of 389-ds-base, nss, if you can't share any sosreports.
>>
>> Thanks!
>>>
>>>
>>> thanks
>>> --
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>>
>>
>> --
>> Viktor
>
>
>
> --
> Viktor
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Viktor
[389-users] Re: SSL error after upgrade
389-ds is 2.6.1-12.el9_6
nss-3.112.0-4.el9_4
On Thu, Nov 6, 2025 at 2:56 PM Viktor Ashirov via 389-users
<389-users@lists.fedoraproject.org> wrote:
>
>
>
> On Thu, Nov 6, 2025 at 3:54 PM Viktor Ashirov <vashirov@redhat.com> wrote:
>>
>> Hi Michael,
>>
>> On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
>>>
>>> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>>>
>>> ERR Security Initialization SSL failure: Security Initialization -
>>> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
>>> error -8190 (security library: received bad data)
>>>
>>> as far as i can tell ldap on port 389 is still working, so it's only
>>> affecting the TLS side of things, but i can't seem to figure out
>>> what's gone wrong.
>>>
>>> i have a case open with redhat, but maybe someone here might have a suggestion
>>
>> I checked the case and there was not enough information.
>> Please provide sosreport there, and someone from support will pick it up soon.
>
> Or at least versions of 389-ds-base, nss, if you can't share any sosreports.
>>
>> Thanks!
>>>
>>>
>>> thanks
>>> --
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>>
>>
>> --
>> Viktor
>
>
>
> --
> Viktor
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
nss-3.112.0-4.el9_4
On Thu, Nov 6, 2025 at 2:56 PM Viktor Ashirov via 389-users
<389-users@lists.fedoraproject.org> wrote:
>
>
>
> On Thu, Nov 6, 2025 at 3:54 PM Viktor Ashirov <vashirov@redhat.com> wrote:
>>
>> Hi Michael,
>>
>> On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
>>>
>>> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>>>
>>> ERR Security Initialization SSL failure: Security Initialization -
>>> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
>>> error -8190 (security library: received bad data)
>>>
>>> as far as i can tell ldap on port 389 is still working, so it's only
>>> affecting the TLS side of things, but i can't seem to figure out
>>> what's gone wrong.
>>>
>>> i have a case open with redhat, but maybe someone here might have a suggestion
>>
>> I checked the case and there was not enough information.
>> Please provide sosreport there, and someone from support will pick it up soon.
>
> Or at least versions of 389-ds-base, nss, if you can't share any sosreports.
>>
>> Thanks!
>>>
>>>
>>> thanks
>>> --
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>>
>>
>> --
>> Viktor
>
>
>
> --
> Viktor
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[389-users] Re: SSL error after upgrade
thanks, i was able to fix the error by setting tls max from TLS1.3 to
TLS1.2. i can now query on the TLS port, however, replication status
is now "In synchroinzation". unfortunately nothing's popping in the
error log
On Thu, Nov 6, 2025 at 2:48 PM Mark Reynolds <mareynol@redhat.com> wrote:
>
> Hi Michael,
>
> Can you run this command (replace INSTANCE with your instance's name),
> and share what it displays:
>
> # dsconf slapd-INSTANCE security get
>
> Does this work or fail? We don't need to see the output unless it fails
>
> # dsconf slapd-INSTANCE security key list
>
> Thanks,
>
> Mark
>
>
> On 11/6/25 9:18 AM, Michael DiDomenico via 389-users wrote:
> > we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
> >
> > ERR Security Initialization SSL failure: Security Initialization -
> > slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
> > error -8190 (security library: received bad data)
> >
> > as far as i can tell ldap on port 389 is still working, so it's only
> > affecting the TLS side of things, but i can't seem to figure out
> > what's gone wrong.
> >
> > i have a case open with redhat, but maybe someone here might have a suggestion
> >
> > thanks
>
> --
> Identity Management Development Team
>
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
TLS1.2. i can now query on the TLS port, however, replication status
is now "In synchroinzation". unfortunately nothing's popping in the
error log
On Thu, Nov 6, 2025 at 2:48 PM Mark Reynolds <mareynol@redhat.com> wrote:
>
> Hi Michael,
>
> Can you run this command (replace INSTANCE with your instance's name),
> and share what it displays:
>
> # dsconf slapd-INSTANCE security get
>
> Does this work or fail? We don't need to see the output unless it fails
>
> # dsconf slapd-INSTANCE security key list
>
> Thanks,
>
> Mark
>
>
> On 11/6/25 9:18 AM, Michael DiDomenico via 389-users wrote:
> > we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
> >
> > ERR Security Initialization SSL failure: Security Initialization -
> > slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
> > error -8190 (security library: received bad data)
> >
> > as far as i can tell ldap on port 389 is still working, so it's only
> > affecting the TLS side of things, but i can't seem to figure out
> > what's gone wrong.
> >
> > i have a case open with redhat, but maybe someone here might have a suggestion
> >
> > thanks
>
> --
> Identity Management Development Team
>
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[389-users] Re: SSL error after upgrade
On Thu, Nov 6, 2025 at 3:54 PM Viktor Ashirov <vashirov@redhat.com> wrote:
Hi Michael,On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
ERR Security Initialization SSL failure: Security Initialization -
slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
error -8190 (security library: received bad data)
as far as i can tell ldap on port 389 is still working, so it's only
affecting the TLS side of things, but i can't seem to figure out
what's gone wrong.
i have a case open with redhat, but maybe someone here might have a suggestionI checked the case and there was not enough information.Please provide sosreport there, and someone from support will pick it up soon.
Or at least versions of 389-ds-base, nss, if you can't share any sosreports.
Thanks!
thanks
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--Viktor
Viktor
[389-users] Re: SSL error after upgrade
Hi Michael,
On Thu, Nov 6, 2025 at 3:19 PM Michael DiDomenico via 389-users <389-users@lists.fedoraproject.org> wrote:
we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
ERR Security Initialization SSL failure: Security Initialization -
slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
error -8190 (security library: received bad data)
as far as i can tell ldap on port 389 is still working, so it's only
affecting the TLS side of things, but i can't seem to figure out
what's gone wrong.
i have a case open with redhat, but maybe someone here might have a suggestion
I checked the case and there was not enough information.
Please provide sosreport there, and someone from support will pick it up soon.
Thanks!
thanks
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Viktor
[389-users] Re: SSL error after upgrade
Hi Michael,
Can you run this command (replace INSTANCE with your instance's name),
and share what it displays:
# dsconf slapd-INSTANCE security get
Does this work or fail? We don't need to see the output unless it fails
# dsconf slapd-INSTANCE security key list
Thanks,
Mark
On 11/6/25 9:18 AM, Michael DiDomenico via 389-users wrote:
> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>
> ERR Security Initialization SSL failure: Security Initialization -
> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
> error -8190 (security library: received bad data)
>
> as far as i can tell ldap on port 389 is still working, so it's only
> affecting the TLS side of things, but i can't seem to figure out
> what's gone wrong.
>
> i have a case open with redhat, but maybe someone here might have a suggestion
>
> thanks
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Can you run this command (replace INSTANCE with your instance's name),
and share what it displays:
# dsconf slapd-INSTANCE security get
Does this work or fail? We don't need to see the output unless it fails
# dsconf slapd-INSTANCE security key list
Thanks,
Mark
On 11/6/25 9:18 AM, Michael DiDomenico via 389-users wrote:
> we upgraded from rhel9.5 to 9.6 and now our 389ds server is throwing this error
>
> ERR Security Initialization SSL failure: Security Initialization -
> slapd_ssl_init2 - Failed to set SSL range: min: TLS1.0, max: TLS1.0 -
> error -8190 (security library: received bad data)
>
> as far as i can tell ldap on port 389 is still working, so it's only
> affecting the TLS side of things, but i can't seem to figure out
> what's gone wrong.
>
> i have a case open with redhat, but maybe someone here might have a suggestion
>
> thanks
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Subscribe to:
Comments (Atom)