
Re: (ITS#8917) OpenLDAP



Thanks for the response Quanah. You're right they're mentioning "some"
LDAP server. And as you indirectly mentioned, with OpenSSL 1.0 the TLS
1.3 is not supported.

However, I believe TLS 1.3 already works with OpenLDAP and OpenSSL.
You might want to give a try to Docker image fedora:rawhide. I was
able to successfully establish TLS 1.3 connection ldapsearch<->slapd.
Tested with:
openldap-2.4.46-8.fc30.x86_64
openssl-1.1.1-0.pre9.2.fc30.x86_64

HTH

Best regards,
Matus
On Fri, Sep 21, 2018 at 8:23 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Friday, September 21, 2018 10:59 AM +0000 mhonek@redhat.com wrote:
>
> > Hi Nancy,
> >
> > I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked
> > with openssl-1.0.2 there.
> >
> > Anyway, please report all issues related to TLS in OpenLDAP in Red Hat
> > products to Red Hat Support or Bugzilla, first.
>
> Based on what I read in their report, they have an LDAP server (not
> OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their
> RedHat system won't negotiate TLS 1.3 with that server.  This is not
> surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release
> series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (See
> ITS#8914).  I'm currently examining what's necessary for such support.  I
> would not expect any OpenLDAP based ldapsearch binary to be able to
> negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux
> distribution OpenLDAP based ldapsearch binary to support it for quite some
> time.  GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release
> as of July 2018, so this would not work in debian based distributions
> either unless running the very bleeding edge.
>
> Warm regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>


--
Matúš Honěk
Software Engineer
Red Hat Czech