Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
- From: quanah@symas.com
- Date: Thu, 11 Oct 2018 17:31:07 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
--On Thursday, October 11, 2018 3:52 PM +0800 moyanan <nanmor@126.com>
wrote:
> I set the parameter in client: TLS_PROTOCOL_MIN 3.4, the client still
> starts a client hello with TLS1.2; I doubt that the parameter works in
> my configuration.
> Here is my ldap.conf:
Hi Nancy,
I would suggest reading the man page for ldap.conf(5):
<http://www.openldap.org/software/man.cgi?query=ldap.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>
Some of the settings in the ldap.conf you provided do not seem valid.
Again, I'd confirm what SSL library the ldapsearch you're using is linked
to. (I.e., ldd /path/to/ldapsearch). I only see TLS 1.3 negotiated by
default in my build setup where both slapd and the ldap* tools are linked
to OpenSSL 1.1.1.
Per the ldap.conf(5) man page, the TLS_PROTOCOL_MIN parameter is ignored by
GnuTLS, which makes me wonder if you're using a GnuTLS linked ldapsearch
binary.
The ldap.conf file I'm using simply sets TLS_REQCERT never and no other
options configured.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
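The two checks Quanah asks for above (which TLS library the ldapsearch binary is linked to, and what a given TLS_PROTOCOL_MIN value actually requests) as an added example; this is not code from the ITS thread or from the OpenLDAP project. The ldd outputs embedded below are constructed for the demo, not captured from a real host, and the function names (`tls_backend`, `tls_min_to_name`, `effective_floor`) are this example's own. The value mapping follows ldap.conf(5): 3.1 for TLS 1.0, 3.2 for TLS 1.1, 3.3 for TLS 1.2, and 3.4 for TLS 1.3 (TLS 1.3 support arrived with OpenLDAP 2.4.46 built against OpenSSL 1.1.1), and the man page's note that the GnuTLS backend ignores TLS_PROTOCOL_MIN entirely.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP ITS thread or the OpenLDAP project.
# Sample ldd outputs are constructed for illustration, not captured output.

# Constructed ldd output for an ldapsearch that (via libldap) pulls in OpenSSL 1.1.x.
SAMPLE_OPENSSL_LDD='    linux-vdso.so.1 (0x00007ffd3b5e0000)
    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x00007f0c0e400000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f0c0e3f0000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0c0e360000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0c0e0e0000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0c0df00000)'

# Constructed ldd output for a distro build of the tools linked to GnuTLS instead.
SAMPLE_GNUTLS_LDD='    linux-vdso.so.1 (0x00007ffe1c1f0000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f5a0a200000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f5a0a1f0000)
    libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f5a09f00000)
    libc.so.6 => /lib/libc.so.6 (0x00007f5a09d00000)'

# tls_backend LDD_OUTPUT: print which TLS library the binary resolves to.
# ldd lists the transitive closure, so libssl/libgnutls show up even though
# ldapsearch only links libldap directly.
tls_backend() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo openssl
    elif printf '%s\n' "$1" | grep -q 'libgnutls\.so'; then
        echo gnutls
    else
        echo unknown
    fi
}

# tls_min_to_name MAJOR.MINOR: translate a TLS_PROTOCOL_MIN value into the
# protocol version it asks for, per ldap.conf(5).
tls_min_to_name() {
    case "$1" in
        3.0) echo SSLv3 ;;
        3.1) echo TLSv1.0 ;;
        3.2) echo TLSv1.1 ;;
        3.3) echo TLSv1.2 ;;
        3.4) echo TLSv1.3 ;;
        *)   echo unknown ;;
    esac
}

# effective_floor BACKEND MIN: the floor the client will actually enforce.
# With the GnuTLS backend TLS_PROTOCOL_MIN is ignored, whatever its value.
effective_floor() {
    case "$1" in
        openssl) tls_min_to_name "$2" ;;
        gnutls)  echo ignored ;;
        *)       echo unknown ;;
    esac
}

# Demo: the reporter's setting (TLS_PROTOCOL_MIN 3.4) against both builds.
for sample in "$SAMPLE_OPENSSL_LDD" "$SAMPLE_GNUTLS_LDD"; do
    be=$(tls_backend "$sample")
    printf 'backend=%s  TLS_PROTOCOL_MIN 3.4 -> floor: %s\n' \
        "$be" "$(effective_floor "$be" 3.4)"
done
```

On a real host, feed it the actual binary: `tls_backend "$(ldd "$(command -v ldapsearch)")"`. Two caveats a practitioner should keep in mind: the soname `libssl.so.1.1` is shared by OpenSSL 1.1.0 and 1.1.1, and only 1.1.1 speaks TLS 1.3, so confirm the library's real version rather than trusting the soname; and the `TLS_REQCERT never` setting Quanah mentions disables server certificate verification, which is fine for isolating a protocol negotiation problem on a test box but should not survive into a production ldap.conf.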