rlm_ldap: Limit accepted TLS versions on LDAPS
aland at deployingradius.com
Wed Dec 9 15:36:00 CET 2020
On Dec 9, 2020, at 1:53 AM, Robert Hentsch-Jesse <rhentsch-jesse at phoenixcontact.com> wrote:
> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections.
FreeRADIUS calls libldap, which in turn *may* call OpenSSL. And OpenSSL *should* read /etc/ssl/openssl.cnf.
So we're stuck with the limitations of the libraries we call. And the libldap API doesn't provide a way to say "require TLS 1.2".
> Does freeradius always consider these settings or do I need to configure something in freeradius also?
If you want to check if FreeRADIUS eventually reads the file, use "strace", and look for where it calls "open" on /etc/ssl/openssl.cnf.
If that file isn't opened, there's still not much you can do to FreeRADIUS to fix it. The problem is buried deep inside other libraries.
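The strace check suggested above, as an added example that is not part of the list post: a small POSIX shell helper that reads saved strace output and tells apart "the config file was opened", "an open was attempted but failed" and "no open was attempted at all". The sample strace lines are constructed for the demo, not captured from radiusd; the path /etc/ssl/openssl.cnf is the one from the thread. It matches both open() and openat(), since modern glibc issues openat() for open().

```shell
#!/bin/sh
# Added example: classify how a traced process touched /etc/ssl/openssl.cnf.
# Capture the trace first with something like (run as root, then stop radiusd):
#   strace -f -e trace=open,openat -o /tmp/radiusd.strace radiusd -X

OPENSSL_CNF=/etc/ssl/openssl.cnf

# classify_strace FILE
# Prints "opened" if an open/openat of $OPENSSL_CNF returned a file descriptor,
# "attempted-failed" if it was tried but returned -1 (e.g. ENOENT/EACCES),
# and "not-attempted" if the path never appears in an open call.
classify_strace() {
    file="$1"
    # Lines of interest look like:
    #   2045  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 5
    #   2045  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
    if grep -E "open(at)?\(.*\"$OPENSSL_CNF\"" "$file" | grep -qE '\) = [0-9]+$'; then
        echo opened
    elif grep -qE "open(at)?\(.*\"$OPENSSL_CNF\"" "$file"; then
        echo attempted-failed
    else
        echo not-attempted
    fi
}

# Constructed sample trace (not real radiusd output) for a stand-alone run.
sample_strace() {
    cat <<'EOF'
2045  openat(AT_FDCWD, "/etc/raddb/radiusd.conf", O_RDONLY) = 4
2045  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 5
2045  openat(AT_FDCWD, "/etc/raddb/certs/ca.pem", O_RDONLY) = 6
EOF
}

# Demo: classify the constructed sample, or a real trace given as $1.
demo_trace=$(mktemp)
if [ -n "${1:-}" ]; then cp "$1" "$demo_trace"; else sample_strace > "$demo_trace"; fi
classify_strace "$demo_trace"
rm -f "$demo_trace"
```

Run it with a real trace file as the first argument; "not-attempted" means the TLS versions in openssl.cnf cannot be influencing the LDAPS connection, which is the situation the thread describes.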