On 03/29/2016 04:42 PM, Adam Bishop wrote: > On 29 Mar 2016, at 14:29, Adam Bishop <[email protected]> wrote: >> I could use a bit of help resolving this - full client debug follows. Both >> systems are running nss 3.19.1 which *should* support TLS1.2., so I'm unsure >> where to start fixing this. > > Turns out to be a little easier to solve than I thought; the CentOS 6 client > was running an older version of NSS than I thought it was. > > ipa-client-3.0.0-47.el6.centos.1.x86_64 defaults to requiring tls1.2 , but > does not depend on a version of NSS that actually supports tls1.2.
I do not think it *requires* TLS 1.2, rather allows the said range - from TLS 1.0 to 1.2. This is the bug where the change was made: https://bugzilla.redhat.com/show_bug.cgi?id=1154687 If an NSS Requires was not bumped properly (IIRC, we bumped just python-nss Requires), it sounds as a bug. Bugzilla welcome! Thanks, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
