[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter

Jan Cholasta jcholast at redhat.com
Tue Nov 25 08:35:33 UTC 2014


Dne 24.11.2014 v 15:59 Rob Crittenden napsal(a):
> Jan Cholasta wrote:
>> Dne 21.11.2014 v 16:09 Rob Crittenden napsal(a):
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> Dne 20.11.2014 v 23:26 Rob Crittenden napsal(a):
>>>>> Use new capability in python-nss-0.16 to use the NSS protocol range
>>>>> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>>>
>>>>> I made this configurable via tls_protocol_range in case somebody wants
>>>>> to override it.
>>>>>
>>>>> There isn't a whole ton of error handling on bad input but there is
>>>>> enough, I think, to point the user in the right direction.
>>>>>
>>>>> Added a couple more lines of debug output to include the negotiated
>>>>> protocol and cipher.
>>>>>
>>>>> rob
>>>>
>>>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>>>
>>> Attached.
>>>
>>>> 2) Could you split the option into two options, say "tls_version_min"
>>>> and "tls_version_max"? IMO it would be easier to manage the version
>>>> range that way, when for example you have to lower just the minimal
>>>> version on a client to make it able to connect to a SSL3-only server.
>>>
>>> Sure. I waffled back and forth before deciding on a single value.
>>> Separate values are probably less error-prone.
>>>
>>>> 3) Would it make sense to print a warning when the configured minimal
>>>> TLS version is not safe and the connection uses a safe TLS version? This
>>>> is for the case when you have to lower the minimal version on the client
>>>> because of an old server, then the server gets updated, then you
>>>> probably no longer want to have unsafe minimal version configured on the
>>>> client.
>>>
>>> I see what you're saying but I think it could end up being just spam
>>> that users get used to. That and given that I'd probably want to set it
>>> up to require tls1.1 as a minimum but we can't do that because dogtag
>>> only supports through tls1.0 right now AFAICT. That'd be a lot of
>>> warnings.
>>
>> You are probably right about the spam. Nevermind then.
>>
>>>
>>>> Functionally the patch is OK.
>>>
>>> rob
>>>
>>
>> Thanks for the patch, ACK.
>>
>> Fixed option names in commit message and pushed to:
>> master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
>> ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777
>>
>> BTW before we can close the ticket, we are going to need a couple more
>> fixes:
>>
>> 1) Bump required versions of 389-ds-base, pki-core and openldap, once
>> the necessary fixes are available.
>
> Right, to be sure that POODLE is fully addressed.

I will post a patch once we have all of them.

>
>>
>> 2) Configure mod_nss to also support TLS 1.2. It should be done on both
>> server install and upgrade. This requires a new version of mod_nss.
>
> mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.
>
> mod_nss is also very tolerant of bad/unknown protocols. It won't blow up
> on unknown protocols.
>
> So if the given mod_nss doesn't support TLSv1.2 it will simply report an
> error about an unknown protocol and configure the server for 1.0/1.1 if
> configured as:
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

The attached patch 379 fixes this.

>
> rob
>

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-379-Add-TLS-1.2-to-the-protocol-list-in-mod_nss-config.patch
Type: text/x-patch
Size: 2777 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141125/fea87b0d/attachment.bin>
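As an added example that is not Jan's patch 379 or any FreeIPA code: the thread describes making the mod_nss config list TLSv1.2 in NSSProtocol on both install and upgrade, and notes that mod_nss only reports and ignores protocol names it does not know. The helpers below do that edit idempotently on a constructed nss.conf fragment (the file content and cipher line are made up for the example), and separately flag SSLv3 if it is still enabled.

```python
import re

# Constructed sample of a mod_nss nss.conf fragment (not FreeIPA's real file).
SAMPLE_NSS_CONF = """\
# mod_nss settings (constructed sample)
NSSEngine on
NSSProtocol TLSv1.0,TLSv1.1
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
"""

# What the thread wants configured; mod_nss tolerates names it does not know,
# so listing TLSv1.2 on an older mod_nss degrades to 1.0/1.1 with an error.
WANTED_PROTOCOLS = ("TLSv1.0", "TLSv1.1", "TLSv1.2")
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})  # SSLv3 is what POODLE attacks

# Matches an active (not commented-out) NSSProtocol directive on its own line.
_DIRECTIVE = re.compile(r"^([ \t]*)NSSProtocol\b[ \t]*(\S*)[ \t]*$", re.MULTILINE)


def protocol_list(conf_text):
    """Protocols currently listed in NSSProtocol, in order; [] if unset."""
    m = _DIRECTIVE.search(conf_text)
    if not m:
        return []
    return [p for p in m.group(2).split(",") if p]


def weak_protocols(conf_text):
    """Protocols in NSSProtocol that should not be enabled at all."""
    return [p for p in protocol_list(conf_text) if p in WEAK_PROTOCOLS]


def ensure_protocols(conf_text, wanted=WANTED_PROTOCOLS):
    """Return (new_text, changed).

    Appends any missing wanted protocols to the existing NSSProtocol value,
    keeping what is already there (so an admin's own choices survive an
    upgrade), and adds the directive if the file has none. Running it again
    on its own output changes nothing, which is what an upgrade step needs.
    """
    m = _DIRECTIVE.search(conf_text)
    current = [p for p in m.group(2).split(",") if p] if m else []
    merged = current + [p for p in wanted if p not in current]
    if m and merged == current:
        return conf_text, False
    line = "NSSProtocol " + ",".join(merged)
    if m:  # replace only the directive, preserving indentation and all other lines
        new_text = conf_text[:m.start()] + m.group(1) + line + conf_text[m.end():]
    else:  # no directive at all: append one
        new_text = conf_text.rstrip("\n") + "\n" + line + "\n"
    return new_text, True
```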

