(ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
- From: nanmor@126.com
- Date: Tue, 09 Oct 2018 09:02:32 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Nancy Mo
Version: openldap-clients-2.4.46
OS: Redhat 7, ubuntu
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (106.38.0.87)
openldap Client: Ubuntu 16.04.4 LTS/
openldap 2.4.46/
openssl-1.1.1
openldap Server: redhat 7, Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29
13:22:02 EST 2016 x86_64 x86_64 x86_64 GNU/Linux
openldap2.4.46/
openssl-1.1.1
In Client, configure ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
URI ldap://mydomain.com:389 ldaps://mydomain.com:636
ssl start_tls
TLS_CACERTDIR /usr/local/etc/openldap/cacerts
TLS_CACERT /usr/local/etc/openldap/cacerts/cacert.pem
TLS_REQCERT never
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SASL_NOCANON on
BASE cn=localhost
debug 9
local4.* /var/log/ldap.log
On the server, configure slapd.conf (the relevant settings):
database mdb
maxsize 1073741824
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}srNLpYqpwEpRTw94IV79Myw5YO6rn0Ym
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap.2.4.46/var/openldap-data
TLSCACertificateFile /usr/local/openldap.2.4.46/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap.2.4.46/etc/openldap/ldap.crt
TLSCertificateKeyFile /usr/local/openldap.2.4.46/etc/openldap/ldap.key
From the client, connect to the server:
ldapsearch -x -H ldaps://mydomain.com:636 -D cn=Manager,dc=mydomain,dc=com -w passw0rd -b "" -s base objectclass=*
We get the result, but in the Wireshark capture we find that they negotiated with TLS 1.2.
OpenSSL supports TLS 1.3; however, openldap-2.4.46 still uses TLS 1.2 by default. Are there parameters to specify TLS 1.3 in the openldap configuration?
By the way, I have tested that other applications can negotiate TLS 1.3 by default when the client and server both use openssl-1.1.1.
Thanks a lot.
Best regards,
Nancy Mo
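Added example, not part of the ITS report: a shell check that probes which TLS versions the LDAPS listener itself will negotiate, using `openssl s_client` from OpenSSL 1.1.1. The host and port are assumptions standing in for the reporter's ldaps://mydomain.com:636; the negotiated version is always the highest both sides allow, so if s_client reaches TLS 1.3 while ldapsearch stays at TLS 1.2, the cap is on the LDAP side rather than in OpenSSL.

```shell
#!/bin/sh
# Added example (not from the ITS report or the OpenLDAP project).
# Probes an LDAPS listener with one TLS version at a time and reports the outcome.

# Read "openssl s_client" output on stdin and print "<version> <cipher>" when a
# session was established, or "none" when the handshake failed (OpenSSL then
# prints "New, (NONE), Cipher is (NONE)" and "Cipher : 0000").
parse_s_client() {
    awk '
        /^New, \(NONE\)/ { failed = 1 }
        /^New, TLS/      { cipher = $0; sub(/^.*Cipher is /, "", cipher) }
        /^ *Protocol *:/ { version = $3 }      # "    Protocol  : TLSv1.3"
        END {
            if (failed || cipher == "") print "none"
            else print version, cipher
        }
    '
}

# probe_version HOST PORT FLAG   (FLAG is e.g. -tls1_2 or -tls1_3)
probe_version() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | parse_s_client
}

# probe_tls_versions HOST PORT: one line per protocol version, oldest first.
# Versions compiled out of the local OpenSSL simply report "none".
probe_tls_versions() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Usage: probe_tls_versions mydomain.com 636   (assumed host/port, as in the report)
```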