rlm_ldap: Limit accepted TLS versions on LDAPS

Sven Hartge sven at svenhartge.de
Wed Dec 9 16:20:04 CET 2020

On 09.12.20 07:53, Robert Hentsch-Jesse wrote:

> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections. The tool is still negotiating the connection with servers, which provide only TLS 1.1.

What SSL library is your libldap using? I assumed OpenSSL but depending 
on the distribution it may be GnuTLS or NSS.

You can als try to set TLS_CIPHER_SUITE OR TLS_PROTOCOL_MIN via 

Please read ldap.conf(5) and the documentation of the used SSL library 
for valid values.


More information about the Freeradius-Users mailing list