Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated

Hi Quanah,

I'm afraid that the message was encoded so that you could not see it, so I am sending it again.

After I set a parameter in the server, TLSProtocolMin 3.4, and restart the ldap server, it works: the server will not negotiate a lower TLS version.
I set the parameter in the client, TLS_PROTOCOL_MIN 3.4, but the client still starts a client hello with TLS1.2; I suspect that the parameter does not work in my configuration.
Here is my ldap.conf:

ssl start_tls
TLS_CACERTDIR  /usr/local/etc/openldap/cacerts
TLS_CACERT /usr/local/etc/openldap/cacerts/cacert.pem
TLS_REQCERT never
TLS_PROTOCOL_MIN 3.4
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
SASL_NOCANON    on
BASE cn=localhost
debug 9
local4.*            /var/log/ldap.log

I used "openssl s_client -connect mydomain.com:636 -tls1_3" to connect to the same server from the same client, and it used TLS1.3 successfully. I think the OpenSSL support for TLS1.3 works well.

How can I make sure our client and server are linked to that OpenSSL? And could you please show me your TLS configuration in ldap.conf and slapd.conf, if it is convenient for you?

Thanks a lot.

best regards
nancy


> On Oct 9, 2018, at 9:56 PM, Quanah Gibson-Mount <quanah@symas.com> wrote:
> 
> --On Tuesday, October 09, 2018 10:02 AM +0000 nanmor@126.com wrote:
> 
>> We can get the result, but from the Wireshark result we find that they used
>> TLS1.2 to negotiate.
> 
> I do not find this to be the case with OpenLDAP 2.4.46.
> 
>> The OpenSSL supports TLS1.3, however openldap-2.4.46 still uses
>> TLS1.2 by default. Are some parameters needed to specify TLS1.3 in the openldap
>> configuration?
> 
> Nope.
> 
>> By the way, I have tested that other applications can negotiate
>> TLS1.3 by default when the client and server both use openssl-1.1.1.
> 
> That is the behavior I see.
> 
> OpenLDAP 2.4.46 linked to OpenSSL 1.1.1 for both the client and server:
> 
> 5bbcb282 connection_read(14): checking for input on id=1001
> TLS trace: SSL_accept:TLSv1.3 early data
> TLS trace: SSL_accept:SSLv3/TLS read finished
> TLS trace: SSL_accept:SSLv3/TLS write session ticket
> TLS trace: SSL_accept:SSLv3/TLS write session ticket
> 
> Perhaps the ldapsearch you picked up was not the one linked to OpenSSL 1.1.1.
> 
> You may also want to read the slapd.conf(5) or slapd-config(5) man pages on how to set a minimum required TLS protocol version.
> 
> Regards,
> Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
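The version a client "starts with" is easy to misread in a packet capture, so here is an added example (not code from this thread or from the OpenLDAP project) that decodes which versions a ClientHello really offers: a TLS 1.3 hello keeps legacy_version 0x0303 (the TLS 1.2 value) in its header and announces 1.3 only inside the supported_versions extension, which is why capture tools often label such a hello "TLSv1.2". The script also maps an OpenLDAP TLS_PROTOCOL_MIN value such as 3.4 to the wire version using the 3.(x+1) encoding documented in ldap.conf(5), so the configured minimum can be compared with what the hello offers. Both sample hellos are constructed inside the script; nothing is captured from the reporter's setup.

```python
"""Decode the protocol versions a TLS ClientHello actually offers.

Added example, not part of the thread or of OpenLDAP.  The two sample
ClientHello records below are constructed here (zeroed random, a short
cipher list) purely so the parser has offline input to work on.
"""
import struct

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 extension type


def ldap_protocol_min_to_wire(value):
    """Map an OpenLDAP TLS_PROTOCOL_MIN value ("3.4") to a wire version.

    ldap.conf(5) encodes "TLS 1.x or higher" as 3.(x+1); a bare major
    number means minor 0.  So "3.4" -> 0x0304 (TLS 1.3).
    """
    major, _, minor = value.strip().partition(".")
    return (int(major) << 8) | int(minor or 0)


def build_client_hello(supported_versions=None, legacy_version=0x0303):
    """Construct a minimal ClientHello record (constructed sample data).

    supported_versions=None models a pre-1.3 client that sends no
    supported_versions extension; a list models a TLS 1.3-capable client.
    """
    random = bytes(32)                       # zeroed only for the sample
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"      # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"
    extensions = b""
    if supported_versions is not None:
        body = bytes([2 * len(supported_versions)])
        body += b"".join(struct.pack("!H", v) for v in supported_versions)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + bytes([len(compression)]) + compression
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the legacy_version and the supported_versions list (or None)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                 # random
    pos += 1 + body[pos]                      # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                      # legacy_compression_methods
    supported = None
    if pos < len(body):                       # extensions are optional pre-1.3
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1 and 1 + data[0] <= elen:
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0]
                             for i in range(0, data[0], 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def highest_offered(record):
    """Highest version the client is willing to speak, per RFC 8446 rules."""
    info = parse_client_hello(record)
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["legacy_version"]


def offers_at_least(record, minimum_wire):
    """True if the hello satisfies a minimum such as TLS_PROTOCOL_MIN 3.4."""
    return highest_offered(record) >= minimum_wire


if __name__ == "__main__":
    minimum = ldap_protocol_min_to_wire("3.4")
    for label, hello in (("1.3-capable", build_client_hello([0x0304, 0x0303])),
                         ("1.2-only", build_client_hello(None))):
        info = parse_client_hello(hello)
        print(label, "legacy_version=%s" % TLS_VERSION_NAMES[info["legacy_version"]],
              "offers up to", TLS_VERSION_NAMES[highest_offered(hello)],
              "meets 3.4:", offers_at_least(hello, minimum))
```

Feed it the first record of a captured handshake to see what a real client offers: a hello whose legacy_version is 0x0303 and that carries no supported_versions extension comes from a genuine TLS 1.2-only client, whereas a capture tool labelling the hello "TLSv1.2" says nothing by itself.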