rlm_ldap: Limit accepted TLS versions on LDAPS

Robert Hentsch-Jesse rhentsch-jesse at phoenixcontact.com
Wed Dec 9 07:53:34 CET 2020


Thank you for this recommendation!

Unfortunately, freeradius seems to ignore the settings in /etc/ssl/openssl.cnf for its LDAPS connections. The tool is still negotiating the connection with servers that provide only TLS 1.1.
I added:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = system_default_sect

[ system_default_sect ]
MinProtocol = TLSv1.2


Does freeradius always consider these settings or do I need to configure something in freeradius also?

Best regards, Robert Hentsch-Jesse


-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+rhentsch-jesse=phoenixcontact.com at lists.freeradius.org> On Behalf Of Sven Hartge
Sent: Monday, 7 December 2020 14:49
To: freeradius-users at lists.freeradius.org
Subject: Re: rlm_ldap: Limit accepted TLS versions on LDAPS

On 07.12.20 14:38, Robert Hentsch-Jesse wrote:

> I'm using freeradius with the rlm_ldap module to request users from an OpenLDAP server using the LDAPS protocol.
> Is there any best practice for limiting the accepted TLS versions to 1.2 and 1.3 on the LDAPS connection? SSL and TLS <= 1.1 should be denied.
> I found a "tls_min_version" option for the rlm_eap module, but not for rlm_ldap.
> Are there other possibilities than stripping down the used libssl?

libssl can also be configured via /etc/ssl/openssl.cnf.

You can use it to limit the acceptable ciphers and TLS versions and many other configuration settings.

Regards,
Sven.
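The openssl.cnf chain quoted above only takes effect when it is wired correctly, so here is an added check, not part of the thread or of FreeRADIUS, that parses an openssl.cnf and follows openssl_conf -> ssl_conf -> system_default to the MinProtocol value. The sample configs are constructed, and the parser assumes the plain key = value / [section] syntax used in the mail.

```python
"""Added check: OpenSSL honours [system_default_sect] only if the chain
openssl_conf -> ssl_conf -> system_default is intact and 'openssl_conf'
sits in the unnamed default section before any [section] header.
(A libldap built against GnuTLS rather than OpenSSL never reads this file.)"""
import re

# Constructed sample: the snippet from the mail, placed at the top of the file.
GOOD_CNF = """\
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ ssl_sect ]
system_default = system_default_sect
[ system_default_sect ]
MinProtocol = TLSv1.2
"""

# Constructed mistake: the same snippet appended after an existing section,
# so 'openssl_conf' lands inside [ req ] and is never seen by OpenSSL.
BAD_CNF = "[ req ]\ndistinguished_name = req_dn\n" + GOOD_CNF

def parse_cnf(text):
    """Minimal openssl.cnf parser -> {section: {key: value}}; '' is the default section."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"\[\s*([^\]\s]+)\s*\]$", line)
        if m:
            cur = m.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            sections[cur][key] = val
    return sections

def effective_min_protocol(text):
    """Follow the chain and return the MinProtocol value, or None if the chain is broken."""
    s = parse_cnf(text)
    app_sect = s[""].get("openssl_conf")  # must be in the default section
    ssl_sect = s.get(app_sect, {}).get("ssl_conf") if app_sect else None
    sys_sect = s.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    return s.get(sys_sect, {}).get("MinProtocol") if sys_sect else None

if __name__ == "__main__":
    print("good:", effective_min_protocol(GOOD_CNF))  # TLSv1.2
    print("bad: ", effective_min_protocol(BAD_CNF))   # None
```

Running it against the real /etc/ssl/openssl.cnf (read the file into `effective_min_protocol`) tells you whether the file itself is sound; whether a given libldap build actually reads it is a separate question.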