rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok aland at deployingradius.com
Wed Dec 9 15:36:00 CET 2020


On Dec 9, 2020, at 1:53 AM, Robert Hentsch-Jesse <rhentsch-jesse at phoenixcontact.com> wrote:
> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections.

  FreeRADIUS calls libldap, which in turn *may* call OpenSSL.  And OpenSSL *should* read /etc/ssl/openssl.cnf.

  So we're stuck with the limitations of the libraries we call.  And the libldap API doesn't provide a way to say "require TLS 1.2".

> Does freeradius always consider these settings or do I need to configure something in freeradius also?

  See above.

  If you want to check if FreeRADIUS eventually reads the file, use "strace", and look for where it calls "open" on /etc/ssl/openssl.cnf.

  If that file isn't opened, there's still not much you can do to FreeRADIUS to fix it.  The problem is buried deep inside other libraries.

  Alan DeKok.
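The strace check described above, written out as an added example (not part of the original thread, and not FreeRADIUS project code). It assumes the trace is captured with `strace -f -e trace=openat,open -o /tmp/radiusd.strace radiusd -X` and that the OpenSSL config lives at /etc/ssl/openssl.cnf (override `OPENSSL_CNF` if your distribution puts it elsewhere). The sample trace lines embedded below are constructed, not a real capture; they distinguish the three outcomes that matter: the file was opened, the open was attempted but failed, or no open was attempted at all (meaning the TLS library never consulted the file and its MinProtocol settings cannot apply).

```shell
#!/bin/sh
# Added example: inspect strace output for an open()/openat() of OpenSSL's
# configuration file. Assumed capture (run as root, daemon in debug mode):
#   strace -f -e trace=openat,open -o /tmp/radiusd.strace radiusd -X
# Then: sh check_openssl_cnf.sh /tmp/radiusd.strace

# Path to look for; assumption: Debian/Ubuntu layout. Override via environment.
OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"

# check_openssl_cnf_opened TRACEFILE
# Return status: 0 = file opened successfully (a file descriptor was returned)
#                1 = open attempted but failed (e.g. ENOENT)
#                2 = no open()/openat() of the file anywhere in the trace
check_openssl_cnf_opened() {
    trace="$1"
    # strace -f lines look like (pid prefix, then the syscall and its result):
    #   2201  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 7
    #   2201  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (...)
    lines=$(grep -E "open(at)?\(.*\"$OPENSSL_CNF\"" "$trace" || true)
    if [ -z "$lines" ]; then
        echo "no attempt to open $OPENSSL_CNF: the TLS library never read it"
        return 2
    fi
    # A successful open ends in "= <fd>"; a failure ends in the errno text.
    if printf '%s\n' "$lines" | grep -qE '\) = [0-9]+$'; then
        echo "$OPENSSL_CNF was opened successfully:"
        printf '%s\n' "$lines" | grep -E '\) = [0-9]+$'
        return 0
    fi
    echo "open of $OPENSSL_CNF was attempted but failed:"
    printf '%s\n' "$lines"
    return 1
}

# write_sample_trace SCENARIO  (ok | enoent | none)
# Writes a constructed trace file modelled on strace -f output and prints
# its path. These lines are made up for the example, not a real capture.
write_sample_trace() {
    f=$(mktemp)
    {
        echo '2201  openat(AT_FDCWD, "/etc/raddb/radiusd.conf", O_RDONLY) = 5'
        case "$1" in
            ok)     echo '2201  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 7' ;;
            enoent) echo '2201  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)' ;;
        esac
        echo '2201  openat(AT_FDCWD, "/etc/ldap/ldap.conf", O_RDONLY) = 8'
    } > "$f"
    echo "$f"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the strace output file on the command line.
    check_openssl_cnf_opened "$1"
else
    # No trace given: demonstrate on the constructed "ok" sample.
    check_openssl_cnf_opened "$(write_sample_trace ok)"
fi
```

Note that `-f` is needed because libldap's TLS setup may run in a thread or child rather than the main radiusd process, and a result of 2 (no open at all) is the case the reply is describing: nothing in FreeRADIUS's own configuration will change that, since the behaviour sits in libldap and OpenSSL.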




More information about the Freeradius-Users mailing list