From 116b7cf21618ad7e717ae7f535709508a824f7d9 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov
Date: Thu, 13 Feb 2025 16:37:43 +0100
Subject: [PATCH] Issue 6561 - TLS 1.2 stickiness in FIPS mode

Description: TLS 1.3 works with NSS in FIPS mode for quite some time now, this restriction is no longer needed.

Fixes: https://github.com/389ds/389-ds-base/issues/6561

Reviewed by: @mreynolds389 (Thanks!)
---
 ldap/servers/slapd/ssl.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 94259efe7..84a7fb004 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1929,14 +1929,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 */
 sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions);
 if (sslStatus == SECSuccess) {
- if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && fipsMode) {
- /*
- * FIPS & NSS currently only support a max version of TLS1.2
- * (although NSS advertises 1.3 as a max range in FIPS mode),
- * hopefully this code block can be removed soon...
- */
- slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
- }
 /* Reset request range */
 sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
 if (sslStatus == SECSuccess) {
-- 
2.48.1