[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated

Full_Name: Nancy Mo
Version: openldap-clients-2.4.46
OS: Redhat 7, ubuntu
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

openldap Client: Ubuntu 16.04.4 LTS/
                 openldap 2.4.46/
openldap Server: redhat 7, Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29
13:22:02 EST 2016 x86_64 x86_64 x86_64 GNU/Linux

In Client, configure ldap.conf: 
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
URI     ldap://mydomain.com:389 ldaps://mydomain.com:636

ssl start_tls
TLS_CACERTDIR  /usr/local/etc/openldap/cacerts
TLS_CACERT /usr/local/etc/openldap/cacerts/cacert.pem
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
BASE cn=localhost
debug 9
local4.*            /var/log/ldap.log

In server: configure the slapd.conf (some important configuration)
database        mdb
maxsize         1073741824
suffix          "dc=mydomain,dc=com"
rootdn          "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}srNLpYqpwEpRTw94IV79Myw5YO6rn0Ym
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap.2.4.46/var/openldap-data

TLSCACertificateFile /usr/local/openldap.2.4.46/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap.2.4.46/etc/openldap/ldap.crt
TLSCertificateKeyFile /usr/local/openldap.2.4.46/etc/openldap/ldap.key

>From client connect to server: 
ldapsearch -x  -H ldaps://mydomain.com:636  -D cn=Manager,dc=mydomain,dc=com  -w
passw0rd -b ""  -s base objectclass=*

We can get the result, but from Wireshark result, we find that they used TLS1.2
to negotiated.

The openSSL is support for TLS1.3,however openldap-2.4.46 is still used TLS1.2
by default. Need some parameters to specify TLS1.3 in openldap configuration? 

By the way, I have tested that other application can negotiated with TLS1.3 by
default when the client and server both use openssl-1.1.1. 

Thanks a lot.

Best regards,

nancy Mo