TLS 1.2 stickiness in FIPS mode #6561

abbra opened this issue Jan 30, 2025 · 3 comments

Labels: needs triage (The issue will be triaged during scrum)

Comments

@abbra (Contributor)

abbra commented Jan 30, 2025

Issue Description

https://github.com/389ds/389-ds-base/blob/main/ldap/servers/slapd/ssl.c#L1934 claims that NSS in FIPS mode clips TLS at 1.2. This has not been true for quite some time already.

@abbra abbra added the needs triage The issue will be triaged during scrum label Jan 30, 2025
@mreynolds389 mreynolds389 self-assigned this Jan 30, 2025
@tbordaz (Contributor)

tbordaz commented Jan 31, 2025

This was introduced 6 years ago here.

@abbra (Contributor, Author)

abbra commented Jan 31, 2025

This is not true anymore, according to the RHEL crypto team. RHEL 9 or later has no such limitation in NSS. There is a limit in the FIPS:OSPP policy, which will be enforced through the policy but not by NSS itself.

These days we should expect TLS 1.3 everywhere.

@tbordaz (Contributor)

tbordaz commented Jan 31, 2025

An initial step would be to craft a default maxversion of 1.3 and run the related test case dirsrvtests/tests/suites/tls/ssl_version_test.py on FIPS.
