stable

FEDORA-2018-3c9a52df10 created by mhonek 4 years ago for Fedora 28

Fix: Cannot use SSL3 anymore

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2018-3c9a52df10

This update has been submitted for testing by mhonek.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon lobocode commented & provided feedback 4 years ago
karma

works

User Icon cserpentis commented & provided feedback 3 years ago
karma

works for me

The issue seems to be not fixed for i386 architecture. For the other it works.

openldap-2.4.46-2.fc28.i686

/etc/openldap/slapd.conf >>> include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database config rootdn cn=Manager,cn=config

password is 'x'

rootpw x

database bdb suffix dc=my-domain,dc=com rootdn "cn=Manager,dc=my-domain,dc=com"

password is 'x'

rootpw {SSHA}tOSmeQCcYIm1S9ujgpg2Km5rpUnR9dRB

directory /var/lib/ldap/ TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCACertificateFile /etc/openldap/cacerts/ca.crt TLSVerifyClient allow TLSProtocolMin 3.0 <<<<<<

openssl s_client -connect my-domain.com:636 -CAfile /etc/openldap/cacerts/ca.crt -ssl3

3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40 CONNECTED(00000003)


no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 66 bytes Verification: OK


New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : SSLv3 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1534768521 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no


Ok, take it back, all works, the system was not upgraded when I tested.

User Icon till commented & provided feedback 3 years ago
karma

ldapsearch still works

This update has been submitted for batched by bodhi.

3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update has been pushed to stable.

3 years ago

Please login to add feedback.

Metadata
Type
bugfix
Severity
low
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
4 years ago
in testing
4 years ago
in stable
3 years ago
BZ#1592431 Cannot use SSL3 anymore
0
0

Automated Test Results