
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

guenther+ldapdev@sendmail.com wrote:
> Full_Name: Philip Guenther
> Version:
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/guenther-080813.patch
> Submission from: (NULL) (
> It's time for SSL version 2.0 to die: it has numerous weaknesses and has been
> superseded by SSL version 3.0 and TLS version 1.0 for *years*.  Indeed, the LDAP
> Start_Tls extended operation is defined by reference to the TLS standard.
> (It could be argued that a client that sends an SSLv2-compatible handshake after
> doing Start_Tls is non-compliant, or at least non-interoperable, as servers are
> only required to support true TLS handshakes.)
> As a first step, here's a patch against the CVS trunk that adds the ability to
> set the minimum TLS/SSL protocol from the C API (LDAP_OPT_X_TLS_PROTOCOL_MIN),
> the ldap.conf (TLS_PROTOCOL_MIN), and the slapd config
> (TLSProtocolMin/olcTLSProtocolMin).  Possible settings are:
> C API ldap_[sg]et_option()             ldap.conf/slapd config
> -----------------------------------------------------------

Using an option flag for each protocol version seems excessive; it will be a 
recurring maintenance burden because each new option flag reflects an API 
change. (GnuTLS claims to already support TLSv1.2.)

This should use a single option flag and a numeric or bitfield argument for 
selecting protocols instead. Since we're talking about minimum settings, it 
should likely just be an increasing range of numbers.

I note that the on-the-wire protocol version is just a 16-bit integer; we 
could define protocol names that correspond directly to these values.

> (1.0, because TLSv1.1 is already published, even though OpenSSL doesn't support
> it yet)

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
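As an added illustration of the scheme suggested in the reply above (not code from the submitted patch or from OpenLDAP): protocol names map directly onto the 16-bit wire version, and the configured minimum is enforced with one integer comparison against the client_version read from the hello. The keyword names, the choice to reject SSLv2 hello framing under any minimum of ssl3 or above, and the sample hello bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Protocol names map straight onto the 16-bit wire version, (major << 8) | minor,
 * so the configured minimum is checked with a plain integer comparison. */
static const struct { const char *name; int wire; } tls_names[] = {
    { "ssl2",   0x0002 },   /* version SSLv2 itself places in its CLIENT-HELLO */
    { "ssl3",   0x0300 },
    { "tls1.0", 0x0301 },
    { "tls1.1", 0x0302 },
    { "tls1.2", 0x0303 },   /* assumed keyword; not supported by OpenSSL at the time */
};

/* Resolve a config keyword such as "tls1.0"; returns the wire value or -1. */
int tls_min_from_name(const char *name) {
    size_t i;
    for (i = 0; i < sizeof tls_names / sizeof tls_names[0]; i++)
        if (strcmp(name, tls_names[i].name) == 0) return tls_names[i].wire;
    return -1;
}

/* 1 if the first bytes a client sent use the SSLv2 hello framing (high bit of
 * the 2-byte length set, CLIENT-HELLO message type 1), else 0. */
int tls_hello_is_v2_format(const unsigned char *buf, size_t len) {
    return len >= 3 && (buf[0] & 0x80) && buf[2] == 1;
}

/* client_version from a hello: offset 9 in an SSLv3/TLS handshake record
 * (type 22, handshake type 1), offset 3 in an SSLv2-format hello. -1 if unparseable. */
int tls_hello_version(const unsigned char *buf, size_t len) {
    if (len >= 11 && buf[0] == 22 && buf[5] == 1) return (buf[9] << 8) | buf[10];
    if (tls_hello_is_v2_format(buf, len) && len >= 5) return (buf[3] << 8) | buf[4];
    return -1;
}

/* 1 if the hello may proceed under the minimum named in min_name, 0 if it must be
 * rejected. A minimum of ssl3 or higher also rejects SSLv2 framing outright, even
 * when that hello advertises a newer version (design assumption for this example). */
int tls_hello_allowed(const unsigned char *buf, size_t len, const char *min_name) {
    int min = tls_min_from_name(min_name), v = tls_hello_version(buf, len);
    if (min < 0 || v < 0) return 0;                       /* bad config or bad hello */
    if (min > 0x0002 && tls_hello_is_v2_format(buf, len)) return 0;
    return v >= min;
}

/* Constructed sample hellos (not captured traffic): the headers of a TLS 1.1
 * ClientHello record and an SSLv2-format CLIENT-HELLO advertising TLS 1.0. */
const unsigned char hello_tls11[] = { 22, 3, 1, 0, 6, 1, 0, 0, 2, 3, 2 };
const unsigned char hello_v2_tls10[] = { 0x80, 0x03, 0x01, 0x03, 0x01 };
```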