Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
[Backport][ipa-4-8] Enable TLS 1.3 support #3972
Conversation
urllib3 now supports post-handshake authentication with TLS 1.3. Enable TLS 1.3 support for Apache HTTPd. The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and Apache HTTPd. New builds are available in freeipa-master COPR and in F30/F31. Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS 1.0 and 1.1 still enabled by default. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fedora 30 update FEDORA-2019-d54e892077 httpd-2.4.41-6.1.fc30 Fedora 31 update FEDORA-2019-ae1dd32c5f httpd-2.4.41-9.fc31 RHEL 8.2 RHEA-2019:47297-02 httpd-2.4.37-21 Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
Backport ACK Manual backport was merely required because the tool didn't work. The cherry picks applied cleanly. |
Manual backport of PR #3911