On 12/9/20 5:16 PM, Alan DeKok wrote:
On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On 12/9/20 3:36 PM, Alan DeKok wrote:
And the libldap API doesn't provide a way to say "require TLS 1.2"
How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)? See commit e789729285e This should hopefully work.
How about TLSv1.3? You're using the integer constants from ldap.h which is fine up to TLSv1.2. But there's no such constant for TLSv1.3 in ldap.h. But OpenLDAP server already supports TLSv1.3: openssl s_client -connect demo.ae-dir.com:636 I've submitted ITS#9422 [1] and we will see what OpenLDAP devs say. Ciao, Michael. [1] https://bugs.openldap.org/show_bug.cgi?id=9422