diff --git a/0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch b/0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch
new file mode 100644
index 0000000..93fef39
--- /dev/null
+++ b/0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch
@@ -0,0 +1,38 @@
+From 116b7cf21618ad7e717ae7f535709508a824f7d9 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov
+Date: Thu, 13 Feb 2025 16:37:43 +0100
+Subject: [PATCH] Issue 6561 - TLS 1.2 stickiness in FIPS mode
+
+Description:
+TLS 1.3 works with NSS in FIPS mode for quite some time now,
+this restriction is no longer needed.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/6561
+
+Reviewed by: @mreynolds389 (Thanks!)
+---
+ ldap/servers/slapd/ssl.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index 94259efe7..84a7fb004 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -1929,14 +1929,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
+ */
+ sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions);
+ if (sslStatus == SECSuccess) {
+- if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && fipsMode) {
+- /*
+- * FIPS & NSS currently only support a max version of TLS1.2
+- * (although NSS advertises 1.3 as a max range in FIPS mode),
+- * hopefully this code block can be removed soon...
+- */
+- slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+- }
+ /* Reset request range */
+ sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
+ if (sslStatus == SECSuccess) {
+--
+2.48.1
+
diff --git a/389-ds-base.spec b/389-ds-base.spec
index 3845ab8..1128df8 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
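Review bot: With the FIPS cap deleted, `slapdNSSVersions.max` is now passed to `SSL_VersionRangeSet` exactly as `SSL_VersionRangeGet` returned it, so in FIPS mode the server no longer enforces a version ceiling of its own and relies on the range NSS reports; a short comment above `/* Reset request range */` would make that deliberate, e.g. `/* No server-side max in FIPS mode: the range NSS reports is used as-is (issue 6561) */`. If `fipsMode` was read only by the removed condition it may now be an unused local in `slapd_ssl_init2` and trigger a -Wunused-variable warning, but whether it is still referenced elsewhere is not visible from this hunk. The enclosing `slapd_ssl_init2` begins and ends outside the hunk.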
@@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 2.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL-3.0-or-later WITH GPL-3.0-389-ds-base-exception AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-3.0 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL: https://www.port389.org
 Conflicts: selinux-policy-base < 3.9.8
@@ -478,6 +478,7 @@ Patch: 0005-Issue-6566-RI-plugin-failure-to-handle-a-modrdn-for-.patc
 Patch: 0006-Issue-6258-Mitigate-race-condition-in-paged_results_.patch
 Patch: 0007-Issue-6229-After-an-initial-failure-subsequent-onlin.patch
 Patch: 0008-Issue-6554-During-import-of-entries-without-nsUnique.patch
+Patch: 0009-Issue-6561-TLS-1.2-stickiness-in-FIPS-mode.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -920,6 +921,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 19 2025 Viktor Ashirov - 2.6.1-4
+- Resolves: RHEL-78722 - Failed to set sslversionmax to TLS1.3 in FIPS mode with dsconf $INSTANCE security set --tls-protocol-max TLS1.3
+
 * Wed Feb 12 2025 Viktor Ashirov - 2.6.1-3
 - Resolves: RHEL-18333 Can't rename users member of automember rule
 - Resolves: RHEL-61341 After an initial failure, subsequent online backups will not work.