
Re: (ITS#8917) OpenLDAP



--On Friday, September 21, 2018 10:59 AM +0000 mhonek@redhat.com wrote:

> Hi Nancy,
>
> I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked
> with openssl-1.0.2 there.
>
> Anyway, please report all issues related to TLS in OpenLDAP in Red Hat
> products to Red Hat Support or Bugzilla, first.

Based on what I read in their report, they have an LDAP server (not 
OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their 
Red Hat system won't negotiate TLS 1.3 with that server.  This is not 
surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release 
series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (See 
ITS#8914).  I'm currently examining what's necessary for such support.  I 
would not expect any OpenLDAP-based ldapsearch binary to be able to 
negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux 
distribution OpenLDAP-based ldapsearch binary to support it for quite some 
time.  GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release 
as of July 2018, so this would not work in Debian-based distributions 
either unless running the very bleeding edge.

Warm regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
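As an added illustration (not part of Quanah's message or the OpenLDAP project), the version thresholds he cites can be turned into a quick capability check: given the banner of the TLS library a client such as ldapsearch links against (e.g. the output of `openssl version`), decide whether a TLS 1.3 handshake is even possible. The banners below are constructed samples; the minimum versions are the ones stated in the message.

```python
"""Predict TLS 1.3 capability from a TLS library version banner.

Thresholds taken from the thread: OpenSSL >= 1.1.1, GnuTLS >= 3.6.3.
"""
import re
import ssl

# First release of each library that can negotiate TLS 1.3.
TLS13_MINIMUM = {"openssl": (1, 1, 1), "gnutls": (3, 6, 3)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letters) from a banner such as
    'OpenSSL 1.0.2k-fips  26 Jan 2017' or 'gnutls 3.6.3'.
    Pre-3.0 OpenSSL patch letters ('1.1.1a') are kept as a fourth field."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no version number in {banner!r}")
    major, minor, patch = (int(x) for x in match.group(1, 2, 3))
    return (major, minor, patch, match.group(4))


def library_name(banner):
    """Identify which library the banner describes, or None if unknown
    (e.g. LibreSSL, whose TLS 1.3 history differs and is not covered here)."""
    lowered = banner.lower()
    for name in TLS13_MINIMUM:
        if name in lowered:
            return name
    return None


def supports_tls13(banner):
    """True/False if the library is recognised, None otherwise."""
    name = library_name(banner)
    if name is None:
        return None
    return parse_version(banner)[:3] >= TLS13_MINIMUM[name]


def local_python_status():
    """Cross-check the threshold rule against the interpreter's own OpenSSL.
    ssl.HAS_TLSv1_3 is authoritative: a build can disable TLS 1.3 even when
    the version number is high enough, so 'actual' may be False while
    'expected' is True."""
    banner = ssl.OPENSSL_VERSION
    return {"banner": banner,
            "expected": supports_tls13(banner),
            "actual": ssl.HAS_TLSv1_3}
```

Run `supports_tls13(subprocess.check_output(["openssl", "version"]).decode())` on the host to test the system library, and remember that a distribution ldapsearch may be linked against a different libssl than the `openssl` binary, so confirm with `ldd $(command -v ldapsearch)`.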