39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From a71c12881604b5e37d64093aedd158aa112b39cc Mon Sep 17 00:00:00 2001
|
|
From: Viktor Ashirov <vashirov@redhat.com>
|
|
Date: Thu, 13 Feb 2025 16:37:43 +0100
|
|
Subject: [PATCH] Issue 6561 - TLS 1.2 stickiness in FIPS mode
|
|
|
|
Description:
|
|
TLS 1.3 works with NSS in FIPS mode for quite some time now,
|
|
this restriction is no longer needed.
|
|
|
|
Fixes: https://github.com/389ds/389-ds-base/issues/6561
|
|
|
|
Reviewed by: @mreynolds389 (Thanks!)
|
|
---
|
|
ldap/servers/slapd/ssl.c | 8 --------
|
|
1 file changed, 8 deletions(-)
|
|
|
|
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
|
|
index ef9e97fb9..329bd5c90 100644
|
|
--- a/ldap/servers/slapd/ssl.c
|
|
+++ b/ldap/servers/slapd/ssl.c
|
|
@@ -1914,14 +1914,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
|
|
*/
|
|
sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions);
|
|
if (sslStatus == SECSuccess) {
|
|
- if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && fipsMode) {
|
|
- /*
|
|
- * FIPS & NSS currently only support a max version of TLS1.2
|
|
- * (although NSS advertises 1.3 as a max range in FIPS mode),
|
|
- * hopefully this code block can be removed soon...
|
|
- */
|
|
- slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
|
|
- }
|
|
/* Reset request range */
|
|
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
|
|
if (sslStatus == SECSuccess) {
|
|
--
|
|
2.48.1
|
|
|