rlm_ldap: Limit accepted TLS versions on LDAPS

Michael Ströder michael at stroeder.com
Wed Dec 9 18:24:57 CET 2020


On 12/9/20 5:16 PM, Alan DeKok wrote:
>> On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> On 12/9/20 3:36 PM, Alan DeKok wrote:
>>> And the libldap API doesn't provide a way to say "require TLS 1.2"
>>
>> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?
>   See commit e789729285e
>   This should hopefully work.

How about TLSv1.3?

You're using the integer constants from ldap.h which is fine up to
TLSv1.2. But there's no such constant for TLSv1.3 in ldap.h.

But OpenLDAP server already supports TLSv1.3:

openssl s_client -connect demo.ae-dir.com:636

I've submitted ITS#9422 [1] and we will see what OpenLDAP devs say.

Ciao, Michael.

[1] https://bugs.openldap.org/show_bug.cgi?id=9422
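As an added example (not code from this thread, from rlm_ldap or from OpenLDAP), the program below shows the encoding behind the integer constants the message refers to: libldap builds `LDAP_OPT_X_TLS_PROTOCOL_*` as `(major << 8) + minor`, so TLS 1.2 is `(3 << 8) + 3`, and that value is what `ldap_set_option()` expects for `LDAP_OPT_X_TLS_PROTOCOL_MIN`. The local `TLS_PROTO_*` macros mirror that encoding so the helpers compile without libldap; the TLS 1.3 value is the one later headers define as `LDAP_OPT_X_TLS_PROTOCOL_TLS1_3` (an assumption against your own `ldap.h`, older headers lack it, which is the gap the message reports). The `HAVE_LDAP_H` section, the `ldap_apply_tls_minimum()` helper and the `ldap.example.invalid` URI are my own names and placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_LDAP_H
#include <ldap.h>   /* build with: cc -DHAVE_LDAP_H min_tls.c -lldap -llber */
#endif

/*
 * libldap encodes a TLS protocol version as (major << 8) + minor; the
 * LDAP_OPT_X_TLS_PROTOCOL_* constants in <ldap.h> are built the same way
 * (TLS 1.2 == (3 << 8) + 3). The macros below mirror that encoding so the
 * helpers work without libldap. The TLS 1.3 value matches the constant newer
 * OpenLDAP headers define (assumption: check your ldap.h before relying on it).
 */
#define TLS_PROTO(major, minor) (((major) << 8) + (minor))
#define TLS_PROTO_TLS1_0 TLS_PROTO(3, 1)
#define TLS_PROTO_TLS1_1 TLS_PROTO(3, 2)
#define TLS_PROTO_TLS1_2 TLS_PROTO(3, 3)
#define TLS_PROTO_TLS1_3 TLS_PROTO(3, 4)

/* Turn a config-style "tls_min_version = 1.2" value into libldap's encoding.
 * Returns -1 for anything that is not a known TLS version, so a typo in the
 * config cannot silently lower the floor. */
int tls_min_version_from_string(const char *s)
{
    if (s == NULL) return -1;
    if (strcmp(s, "1.0") == 0) return TLS_PROTO_TLS1_0;
    if (strcmp(s, "1.1") == 0) return TLS_PROTO_TLS1_1;
    if (strcmp(s, "1.2") == 0) return TLS_PROTO_TLS1_2;
    if (strcmp(s, "1.3") == 0) return TLS_PROTO_TLS1_3;
    return -1;
}

/* Does a session that negotiated `negotiated` satisfy the floor `minimum`?
 * The encoding is monotonic in the protocol version, so a plain integer
 * comparison is all libldap needs to enforce the minimum. */
int tls_version_meets_minimum(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

/* Render an encoded value back to "TLSv1.x" for log lines. Returns buf. */
const char *tls_version_name(int proto, char *buf, size_t len)
{
    int major = proto >> 8, minor = proto & 0xff;
    if (major == 3 && minor >= 1 && minor <= 4)
        snprintf(buf, len, "TLSv1.%d", minor - 1);
    else
        snprintf(buf, len, "unknown(0x%x)", proto);
    return buf;
}

#ifdef HAVE_LDAP_H
/* Apply the floor to a libldap handle before the first bind or StartTLS.
 * Passing ld == NULL sets the global default inherited by new handles. */
int ldap_apply_tls_minimum(LDAP *ld, int minimum)
{
    int rc = ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &minimum);
    if (rc != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ldap_set_option(LDAP_OPT_X_TLS_PROTOCOL_MIN) failed: %d\n", rc);
        return -1;
    }
    return 0;
}
#endif

int main(int argc, char **argv)
{
    char name[32];
    const char *cfg = argc > 1 ? argv[1] : "1.2";
    int minimum = tls_min_version_from_string(cfg);

    if (minimum < 0) {
        fprintf(stderr, "unsupported tls_min_version: %s\n", cfg);
        return 2;
    }
    printf("floor %s -> libldap value 0x%x\n",
           tls_version_name(minimum, name, sizeof name), minimum);

#ifdef HAVE_LDAP_H
    LDAP *ld = NULL;
    /* placeholder URI; replace with the real LDAPS server */
    if (ldap_initialize(&ld, "ldaps://ldap.example.invalid:636") == LDAP_SUCCESS) {
        ldap_apply_tls_minimum(ld, minimum);
        ldap_unbind_ext_s(ld, NULL, NULL);
    }
#endif
    return 0;
}
```

Without `-DHAVE_LDAP_H` the program only exercises the encoding helpers; with it, the floor is applied to a handle before any TLS context is created, which is the order `ldap_set_option(3)` requires for the `LDAP_OPT_X_TLS_*` options.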
