[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter

Rob Crittenden rcritten at redhat.com
Fri Nov 21 15:09:51 UTC 2014


Jan Cholasta wrote:
> Hi,
> 
> Dne 20.11.2014 v 23:26 Rob Crittenden napsal(a):
>> Use new capability in python-nss-0.16 to use the NSS protocol range
>> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>
>> I made this configurable via tls_protocol_range in case somebody wants
>> to override it.
>>
>> There isn't a whole ton of error handling on bad input but there is
>> enough, I think, to point the user in the right direction.
>>
>> Added a couple more lines of debug output to include the negotiated
>> protocol and cipher.
>>
>> rob
> 
> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)

Attached.

> 2) Could you split the option into two options, say "tls_version_min"
> and "tls_version_max"? IMO it would be easier to manage the version
> range that way, when for example you have to lower just the minimal
> version on a client to make it able to connect to a SSL3-only server.

Sure. I waffled back and forth before deciding on a single value.
Separate values are probably less error-prone.

> 3) Would it make sense to print a warning when the configured minimal
> TLS version is not safe and the connection uses a safe TLS version? This
> is for the case when you have to lower the minimal version on the client
> because of an old server, then the server gets updated, then you
> probably no longer want to have unsafe minimal version configured on the
> client.

I see what you're saying but I think it could end up being just spam
that users get used to. That and given that I'd probably want to set it
up to require tls1.1 as a minimum but we can't do that because dogtag
only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.

> Functionally the patch is OK.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1111-2-4.1-protocol.patch
Type: text/x-patch
Size: 6726 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141121/2b9b980f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1111-2-protocol.patch
Type: text/x-patch
Size: 6699 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141121/2b9b980f/attachment-0001.bin>
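An added illustration of the two-option scheme discussed in this thread, not code from the attached patch or from FreeIPA itself: it validates a tls_version_min/tls_version_max pair with just enough error reporting to point the user at the bad option, and implements the warning Jan proposed for the case where the configured minimum is unsafe but the server negotiated a safe version. The option value spellings, the version vocabulary and the tls1.1 safety floor are assumptions; applying the range through python-nss is deliberately left out.

```python
import logging

log = logging.getLogger(__name__)

# Assumed spellings for the config values, ordered oldest to newest.
# The real values accepted by the patch are not shown on the page.
_VERSION_ORDER = ["ssl3", "tls1.0", "tls1.1", "tls1.2"]

# Assumption: anything below this floor (SSLv3, TLS 1.0) counts as an
# unsafe minimum for the purpose of the warning.
_SAFE_FLOOR = "tls1.1"


def _normalize(name, value):
    """Lower-case and trim one option value, rejecting unknown protocols."""
    value = (value or "").strip().lower()
    if value not in _VERSION_ORDER:
        raise ValueError("%s: unknown protocol %r, expected one of %s"
                         % (name, value, ", ".join(_VERSION_ORDER)))
    return value


def parse_version_range(tls_version_min, tls_version_max):
    """Validate both options and return the (min, max) pair as normalized strings."""
    lo = _normalize("tls_version_min", tls_version_min)
    hi = _normalize("tls_version_max", tls_version_max)
    if _VERSION_ORDER.index(lo) > _VERSION_ORDER.index(hi):
        raise ValueError("tls_version_min (%s) is higher than tls_version_max (%s)"
                         % (lo, hi))
    return lo, hi


def minimum_is_unsafe(version):
    """True when the given version sits below the assumed safety floor."""
    return _VERSION_ORDER.index(version) < _VERSION_ORDER.index(_SAFE_FLOOR)


def check_negotiated(tls_version_min, negotiated):
    """Warn when the floor was lowered for an old server that has since been
    updated: the configured minimum is unsafe, yet the connection negotiated a
    safe version.  Returns True when a warning was emitted.  'negotiated' is
    expected in the same vocabulary as the config values (an assumption)."""
    lo = _normalize("tls_version_min", tls_version_min)
    got = _normalize("negotiated protocol", negotiated)
    if minimum_is_unsafe(lo) and not minimum_is_unsafe(got):
        log.warning("tls_version_min is %s but the server negotiated %s; "
                    "consider raising tls_version_min", lo, got)
        return True
    return False
```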
