
Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiate

--On Thursday, October 11, 2018 3:52 PM +0800 moyanan <nanmor@126.com> 
wrote:

> I set the parameter in client: TLS_PROTOCOL_MIN 3.4, the client still
> starts a client hello with TLS1.2; I doubt that the parameter does not
> work in my configuration.
> here is my ldap.conf:

Hi Nancy,

I would suggest reading the man page for ldap.conf(5):

<http://www.openldap.org/software/man.cgi?query=ldap.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

Some of the settings in the ldap.conf you provided do not seem valid.

Again, I'd confirm what SSL library the ldapsearch you're using is linked 
to.  (I.e., ldd /path/to/ldapsearch).  I only see TLS 1.3 negotiated by 
default in my build setup where both slapd and the ldap* tools are linked 
to OpenSSL 1.1.1.

Per the ldap.conf(5) man page, the TLS_PROTOCOL_MIN parameter is ignored by 
GnuTLS, which makes me wonder if you're using a GnuTLS linked ldapsearch 
binary.

The ldap.conf file I'm using simply sets TLS_REQCERT never, with no other 
options configured.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
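As an added illustration of the ldd check and the GnuTLS caveat discussed above (example script written for this page, not code from the thread or from OpenLDAP; the ldd output it classifies is constructed, and the ldap.conf path in the usage comment is an assumption):

```shell
#!/bin/sh
# Decide which TLS library an OpenLDAP client binary is linked against and
# whether a TLS_PROTOCOL_MIN setting in ldap.conf can take effect at all:
# OpenSSL builds honour it, GnuTLS builds ignore it (ldap.conf(5)).

# classify_ldd_output: read ldd output on stdin, print openssl / gnutls / unknown.
classify_ldd_output() {
    out=$(cat)
    case "$out" in
        *libgnutls.so*) echo gnutls ;;
        *libssl.so*)    echo openssl ;;
        *)              echo unknown ;;
    esac
}

# tls_backend_of BINARY: run ldd on a real binary and classify the result.
tls_backend_of() {
    ldd "$1" 2>/dev/null | classify_ldd_output
}

# protocol_min_of LDAP_CONF: print the last TLS_PROTOCOL_MIN value, or "unset".
protocol_min_of() {
    v=$(awk 'toupper($1)=="TLS_PROTOCOL_MIN" {print $2}' "$1" 2>/dev/null | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# diagnose BACKEND MINVALUE: explain what the combination means.
diagnose() {
    case "$1:$2" in
        gnutls:*)      echo "GnuTLS build: TLS_PROTOCOL_MIN ($2) is ignored, so no minimum is enforced" ;;
        openssl:unset) echo "OpenSSL build: no TLS_PROTOCOL_MIN set, the library default applies" ;;
        openssl:*)     echo "OpenSSL build: TLS_PROTOCOL_MIN $2 should be honoured" ;;
        *)             echo "could not identify the TLS library; inspect the ldd output by hand" ;;
    esac
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_OPENSSL='	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x0000)
	libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x0000)'
SAMPLE_GNUTLS='	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x0000)'

# Usage on a real system (paths are assumptions; adjust for your install):
#   diagnose "$(tls_backend_of /usr/bin/ldapsearch)" "$(protocol_min_of /etc/openldap/ldap.conf)"
```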