Re: (ITS#8917) OpenLDAP
--On Friday, September 21, 2018 10:59 AM +0000 mhonek@redhat.com wrote:
> Hi Nancy,
>
> I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked
> with openssl-1.0.2 there.
>
> Anyway, please report all issues related to TLS in OpenLDAP in Red Hat
> products to Red Hat Support or Bugzilla, first.

Based on what I read in their report, they have an LDAP server (not
OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their
Red Hat system won't negotiate TLS 1.3 with that server. This is not
surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release
series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (see
ITS#8914). I'm currently examining what's necessary for such support. I
would not expect any OpenLDAP-based ldapsearch binary to be able to
negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux
distribution's OpenLDAP-based ldapsearch binary to support it for quite some
time. GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release
as of July 2018, so this would not work in Debian-based distributions
either unless running the very bleeding edge.

Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>