Bump version to 2.6.1-4

- Resolves: RHEL-78722 - Failed to set sslversionmax to TLS1.3 in FIPS mode with dsconf $INSTANCE security set --tls-protocol-max TLS1.3
2025-02-19 11:49:35 +01:00 · 2025-02-19 11:49:35 +01:00 · 7067c3bf34
commit 7067c3bf34
parent 728c3df389
2 changed files with 43 additions and 1 deletions
--- a/0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch
+++ b/0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch
@ -0,0 +1,38 @@
+From 116b7cf21618ad7e717ae7f535709508a824f7d9 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 13 Feb 2025 16:37:43 +0100
+Subject: [PATCH] Issue 6561 - TLS 1.2 stickiness in FIPS mode
+
+Description:
+TLS 1.3 works with NSS in FIPS mode for quite some time now,
+this restriction is no longer needed.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/6561
+
+Reviewed by: @mreynolds389 (Thanks!)
+---
+ ldap/servers/slapd/ssl.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index 94259efe7..84a7fb004 100644
+--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
+@@ -1929,14 +1929,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
+      */
+     sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions);
+     if (sslStatus == SECSuccess) {
+-        if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && fipsMode) {
+-            /*
+-             * FIPS & NSS currently only support a max version of TLS1.2
+-             * (although NSS advertises 1.3 as a max range in FIPS mode),
+-             * hopefully this code block can be removed soon...
+-             */
+-            slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+-        }
+         /* Reset request range */
+         sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
+         if (sslStatus == SECSuccess) {
+-- 
+2.48.1
+
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          2.6.1
-Release:          3%{?dist}
+Release:          4%{?dist}
 License:          GPL-3.0-or-later WITH GPL-3.0-389-ds-base-exception AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-3.0 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@ -478,6 +478,7 @@ Patch:            0005-Issue-6566-RI-plugin-failure-to-handle-a-modrdn-for-.patc
 Patch:            0006-Issue-6258-Mitigate-race-condition-in-paged_results_.patch
 Patch:            0007-Issue-6229-After-an-initial-failure-subsequent-onlin.patch
 Patch:            0008-Issue-6554-During-import-of-entries-without-nsUnique.patch
+Patch:            0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch

 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@ -920,6 +921,9 @@ exit 0
 %endif

 %changelog
+* Wed Feb 19 2025 Viktor Ashirov <vashirov@redhat.com> - 2.6.1-4
+- Resolves: RHEL-78722 - Failed to set sslversionmax to TLS1.3 in FIPS mode with dsconf $INSTANCE security set --tls-protocol-max TLS1.3
+
 * Wed Feb 12 2025 Viktor Ashirov <vashirov@redhat.com> - 2.6.1-3
 - Resolves: RHEL-18333 Can't rename users member of automember rule
 - Resolves: RHEL-61341 After an initial failure, subsequent online backups will not work.