[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter

Rob Crittenden rcritten at redhat.com
Mon Nov 24 14:59:30 UTC 2014


Jan Cholasta wrote:
> Dne 21.11.2014 v 16:09 Rob Crittenden napsal(a):
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 20.11.2014 v 23:26 Rob Crittenden napsal(a):
>>>> Use new capability in python-nss-0.16 to use the NSS protocol range
>>>> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>>
>>>> I made this configurable via tls_protocol_range in case somebody wants
>>>> to override it.
>>>>
>>>> There isn't a whole ton of error handling on bad input but there is
>>>> enough, I think, to point the user in the right direction.
>>>>
>>>> Added a couple more lines of debug output to include the negotiated
>>>> protocol and cipher.
>>>>
>>>> rob
>>>
>>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>>
>> Attached.
>>
>>> 2) Could you split the option into two options, say "tls_version_min"
>>> and "tls_version_max"? IMO it would be easier to manage the version
>>> range that way, when for example you have to lower just the minimal
>>> version on a client to make it able to connect to a SSL3-only server.
>>
>> Sure. I waffled back and forth before deciding on a single value.
>> Separate values are probably less error-prone.
>>
>>> 3) Would it make sense to print a warning when the configured minimal
>>> TLS version is not safe and the connection uses a safe TLS version? This
>>> is for the case when you have to lower the minimal version on the client
>>> because of an old server, then the server gets updated, then you
>>> probably no longer want to have unsafe minimal version configured on the
>>> client.
>>
>> I see what you're saying but I think it could end up being just spam
>> that users get used to. That and given that I'd probably want to set it
>> up to require tls1.1 as a minimum but we can't do that because dogtag
>> only supports through tls1.0 right now AFAICT. That'd be a lot of
>> warnings.
> 
> You are probably right about the spam. Never mind then.
> 
>>
>>> Functionally the patch is OK.
>>
>> rob
>>
> 
> Thanks for the patch, ACK.
> 
> Fixed option names in commit message and pushed to:
> master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
> ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777
> 
> BTW before we can close the ticket, we are going to need a couple more
> fixes:
> 
> 1) Bump required versions of 389-ds-base, pki-core and openldap, once
> the necessary fixes are available.

Right, to be sure that POODLE is fully addressed.

> 
> 2) Configure mod_nss to also support TLS 1.2. It should be done on both
> server install and upgrade. This requires a new version of mod_nss.

mod_nss 1.0.10 in F-21 and rawhide should both support TLS 1.2 today.

mod_nss is also very tolerant of bad/unknown protocols. It won't blow up
on unknown protocols.

So if the given mod_nss doesn't support TLSv1.2 it will simply report an
error about an unknown protocol and configure the server for 1.0/1.1 if
configured as:

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

rob
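The two behaviours discussed in this thread, the strict tls_version_min / tls_version_max pair that fails on bad input, and the tolerant NSSProtocol list handling described for mod_nss above, as an added example written for this thread. It is not FreeIPA, python-nss or mod_nss code: the option names come from the discussion, while the version spellings, function names and messages are this example's own assumptions. SSLv3 is included in the table only so the example can express a range that starts below TLS 1.0.

```python
"""Validate a configured TLS protocol range before handing it to the TLS
library (strict, IPA-style min/max pair) and parse a mod_nss-style
NSSProtocol list tolerantly (report and skip unknown names).

Added example for the thread; not FreeIPA/python-nss/mod_nss code.
"""
import logging

log = logging.getLogger(__name__)

# Ordered oldest to newest; the order is what makes min/max comparable.
# Assumption: these spellings are this example's, not IPA's config values.
_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

# Spellings as used on the NSSProtocol line quoted in the thread.
# SSLv3 is added here by this example.
_NSS_PROTOCOL_NAMES = {
    "SSLv3": "ssl3",
    "TLSv1.0": "tls1.0",
    "TLSv1.1": "tls1.1",
    "TLSv1.2": "tls1.2",
}


class TLSRangeError(ValueError):
    """Raised when a configured range cannot be used at all."""


def _index(name):
    """Position of a version name in _VERSIONS; the error lists the accepted
    values so the user is pointed in the right direction."""
    key = name.strip().lower()
    if key not in _VERSIONS:
        raise TLSRangeError("unknown TLS version %r; expected one of %s"
                            % (name, ", ".join(_VERSIONS)))
    return _VERSIONS.index(key)


def parse_tls_range(tls_version_min, tls_version_max, supported=None):
    """Return (min, max) canonical names for a strict min/max pair.

    Fails on unknown names, on min newer than max, and on anything outside
    the (min, max) pair the library reports as supported; 'supported'
    defaults to the whole table.
    """
    supported = supported or (_VERSIONS[0], _VERSIONS[-1])
    lo, hi = _index(tls_version_min), _index(tls_version_max)
    if lo > hi:
        raise TLSRangeError("tls_version_min %s is newer than tls_version_max %s"
                            % (tls_version_min, tls_version_max))
    slo, shi = _index(supported[0]), _index(supported[1])
    if lo < slo or hi > shi:
        raise TLSRangeError("range %s-%s is outside what the library supports (%s-%s)"
                            % (_VERSIONS[lo], _VERSIONS[hi], supported[0], supported[1]))
    return _VERSIONS[lo], _VERSIONS[hi]


def parse_nss_protocol(directive, supported=None):
    """Parse 'NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2' the tolerant way the thread
    describes for mod_nss: unknown or unsupported names are logged and
    skipped instead of failing the whole configuration.

    Returns (min, max) of what is left, or None if nothing usable remains.
    """
    supported = supported or (_VERSIONS[0], _VERSIONS[-1])
    slo, shi = _index(supported[0]), _index(supported[1])
    parts = directive.split(None, 1)
    value = parts[1] if len(parts) > 1 and parts[0].lower() == "nssprotocol" else directive
    enabled = []
    for token in value.split(","):
        token = token.strip()
        if token not in _NSS_PROTOCOL_NAMES:
            log.error("unknown protocol %r in NSSProtocol, ignoring", token)
            continue
        i = _VERSIONS.index(_NSS_PROTOCOL_NAMES[token])
        if i < slo or i > shi:
            log.error("protocol %s not supported by this build, ignoring", token)
            continue
        enabled.append(i)
    if not enabled:
        return None
    return _VERSIONS[min(enabled)], _VERSIONS[max(enabled)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(parse_tls_range("tls1.0", "tls1.2"))
    # A build without TLS 1.2 keeps 1.0/1.1, as described for mod_nss above.
    print(parse_nss_protocol("NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2",
                             supported=("ssl3", "tls1.1")))
```

The strict parser is for the client-side option pair: a typo or an inverted range should stop the client rather than silently connect with whatever the library defaults to. The tolerant parser models what the thread says mod_nss does, so the same NSSProtocol line can be written on a host whose mod_nss lacks TLS 1.2 and still yield a usable 1.0/1.1 range.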