On 06/18/2017 07:41 AM, Mark Reynolds wrote:
The following wiki pages now contain the complete SSL version range information:

http://www.port389.org/docs/389ds/howto/howto-ssl.html
http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html
http://www.port389.org/docs/389ds/administration/adminserver.html

Thanks Dave,
Mark

On 06/17/2017 10:46 PM, dave_horton2001@hotmail.com wrote:
> Hi Mark,
>
> I can confirm removing it from adm.conf prevents it working. Adding it back, it works again. Possibly there's another means that normally ensures the correct range is set for the config DS connection?
>
> The function returning the error that shows up in the log with the debug build is this 'ssl3_CheckRangeValidAndConstrainByPolicy' in 'nss/lib/ssl/sslsock.c'.
>
> Following the call stack, ADMSSL_Init calls initNSS which in turn calls SSL_VersionRangeSetDefault (again in 'nss/lib/ssl/sslsock.c'). This takes an initial range as input and checks and constrains it (calling ssl3_CheckRangeValidAndConstrainByPolicy which generates the error). That initial range passed to SSL_VersionRangeSetDefault comes from the following in initNSS:
>
>     range.min = admldapGetSSLMin(info);
>     range.max = admldapGetSSLMax(info);

My bad, yeah it's in the 389-adminutil package source code. I was previously looking in the 389-admin source. Updating the wiki...

Thanks,
Mark

> Tracing back, that info was the AdmldapInfo constructed for the config connection which came from adm.conf. So that was what led me to attempt adding the entries to adm.conf which seemed to do the trick.
>
> Hope that helps.
>
> David

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org