[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter

Jan Cholasta jcholast at redhat.com
Fri Nov 21 13:49:45 UTC 2014


Hi,

Dne 20.11.2014 v 23:26 Rob Crittenden napsal(a):
> Use new capability in python-nss-0.16 to use the NSS protocol range
> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>
> I made this configurable via tls_protocol_range in case somebody wants
> to override it.
>
> There isn't a whole ton of error handling on bad input but there is
> enough, I think, to point the user in the right direction.
>
> Added a couple more lines of debug output to include the negotiated
> protocol and cipher.
>
> rob

1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)


2) Could you split the option into two options, say "tls_version_min" 
and "tls_version_max"? IMO it would be easier to manage the version 
range that way, when for example you have to lower just the minimal 
version on a client to make it able to connect to an SSL3-only server.


3) Would it make sense to print a warning when the configured minimal 
TLS version is not safe and the connection uses a safe TLS version? This 
is for the case when you have to lower the minimal version on the client 
because of an old server, then the server gets updated, then you 
probably no longer want to have an unsafe minimal version configured on the 
client.


Functionally the patch is OK.

Honza

-- 
Jan Cholasta
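The split tls_version_min / tls_version_max options from point 2 and the stale-minimum warning from point 3, as an added example that is not part of the thread, the FreeIPA patch or python-nss. It models the policy only, so it can run without NSS: the protocol names, the "safe floor" (everything older than TLS 1.0 treated as unsafe), the config dict format and the function names are all assumptions made for this example.

```python
"""Policy helper for a TLS version range split into min/max options.

Added example, not FreeIPA or python-nss code. The version names, the
safe-floor default and the config format are assumptions.
"""
import logging

log = logging.getLogger(__name__)

# Ordered protocol names, oldest first. Constructed for this example;
# they are not python-nss constants.
PROTOCOLS = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]

# Assumed floor: anything older than TLS 1.0 is treated as unsafe.
SAFE_FLOOR = "tls1.0"


def parse_version(name):
    """Map a configured version string to its index in PROTOCOLS.

    Raises ValueError naming the valid choices, so a typo in the
    config points the user in the right direction.
    """
    key = name.strip().lower()
    if key not in PROTOCOLS:
        raise ValueError("unknown TLS version %r; expected one of %s"
                         % (name, ", ".join(PROTOCOLS)))
    return PROTOCOLS.index(key)


def version_range(config):
    """Return (min_name, max_name) from a config dict.

    Missing keys fall back to the safe floor and the newest protocol.
    A minimum newer than the maximum is rejected, not silently swapped.
    """
    lo = parse_version(config.get("tls_version_min", SAFE_FLOOR))
    hi = parse_version(config.get("tls_version_max", PROTOCOLS[-1]))
    if lo > hi:
        raise ValueError("tls_version_min (%s) is newer than tls_version_max (%s)"
                         % (PROTOCOLS[lo], PROTOCOLS[hi]))
    return PROTOCOLS[lo], PROTOCOLS[hi]


def is_safe(name):
    """True when the version is at or above the assumed safe floor."""
    return parse_version(name) >= parse_version(SAFE_FLOOR)


def check_negotiated(config, negotiated):
    """Return a warning string (or None) after a handshake completes.

    Warns exactly in the case point 3 describes: the configured minimum
    is unsafe but the peer negotiated a safe version, so the lowered
    minimum is no longer needed and should be raised again.
    """
    lo, _ = version_range(config)
    if not is_safe(lo) and is_safe(negotiated):
        msg = ("tls_version_min is set to %s but the server negotiated %s; "
               "consider raising tls_version_min to %s or newer"
               % (lo, negotiated, SAFE_FLOOR))
        log.warning(msg)
        return msg
    return None


if __name__ == "__main__":
    # Constructed config: minimum lowered to reach an SSL3-only server.
    cfg = {"tls_version_min": "ssl3", "tls_version_max": "tls1.2"}
    print(version_range(cfg))
    print(check_negotiated(cfg, "tls1.2"))  # warning: server is safe now
    print(check_negotiated(cfg, "ssl3"))    # None: old server still needs it
```

The warning is keyed on the negotiated version rather than on the config alone, so it only fires once the server has actually been updated, which is the moment the lowered minimum stops being justified.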

