author: Rob Crittenden <rcritten@redhat.com> 2014-10-30 11:52:14 -0400
committer: Jan Cholasta <jcholast@redhat.com> 2014-11-24 13:09:44 +0000
commit: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
tree: 1a87eeb179772b5be2db9b32474099ac8164bac8 /ipalib/constants.py
parent: aa9ecb253a60d9d15cd41c5c38695fe64058669a
Use NSS protocol range API to set available TLS protocols
Protocols are configured as an inclusive range from SSLv3 through TLSv1.2.
The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or tls_version_max.

https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/constants.py')
-rw-r--r-- ipalib/constants.py 4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 325414b64..df31a2088 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -122,6 +122,10 @@ DEFAULT_CONFIG = (
('rpc_protocol', 'jsonrpc'),
+ # Define an inclusive range of SSL/TLS version support
+ ('tls_version_min', 'tls1.0'),
+ ('tls_version_max', 'tls1.2'),
+
# Time to wait for a service to start, in seconds
('startup_timeout', 300),
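Review bot: The comment above `('tls_version_min', 'tls1.0')` says only "inclusive range" and does not name the accepted strings; the commit message lists them as ssl3, tls1.0, tls1.1 and tls1.2, and that list belongs in the comment because these are free-form string settings that each client can override. Nothing in this hunk rejects an unknown value or a minimum that is higher than the maximum, so the code that consumes these two keys should fail closed on both cases rather than fall back to a wider range. The commit message also describes the range as SSLv3 through TLSv1.2 while the default minimum added here is tls1.0; state explicitly that ssl3 is accepted only as an override and is not enabled by default.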