rlm_ldap: Limit accepted TLS versions on LDAPS
Sven Hartge
sven at svenhartge.de
Wed Dec 9 16:20:04 CET 2020
On 09.12.20 07:53, Robert Hentsch-Jesse wrote:
> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections. The tool is still negotiating the connection with servers, which provide only TLS 1.1.
What SSL library is your libldap using? I assumed OpenSSL but depending
on the distribution it may be GnuTLS or NSS.
You can also try to set TLS_CIPHER_SUITE or TLS_PROTOCOL_MIN via
/etc/ldap/ldap.conf.
Please read ldap.conf(5) and the documentation of the used SSL library
for valid values.
Regards,
Sven.
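As an added illustration of the suggestion above (not part of Sven's reply or of the FreeRADIUS project), here is an /etc/ldap/ldap.conf fragment for a libldap built against OpenSSL that pins the minimum protocol version to TLS 1.2. The URI and CA path are placeholders, and the cipher string is an assumed choice, not something the thread prescribes.

```conf
# /etc/ldap/ldap.conf: system-wide libldap client defaults, read by any
# process that links libldap, including FreeRADIUS's rlm_ldap.

# Placeholder server; replace with the real LDAPS URI.
URI          ldaps://ldap.example.invalid:636

# Verify the server certificate against this CA bundle (placeholder path).
TLS_CACERT   /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT  demand

# Minimum TLS version as <major>.<minor> of the SSL record-layer version:
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3 (ldap.conf(5)).
# With 3.3 a server that only offers TLS 1.1 is rejected instead of negotiated.
TLS_PROTOCOL_MIN  3.3

# Cipher selection. For OpenSSL this is a cipher string; for GnuTLS it is a
# priority string, so the value below (an assumed example) only applies to
# an OpenSSL-backed libldap.
TLS_CIPHER_SUITE  HIGH:!aNULL:!MD5:!RC4:!3DES
```

After editing the file, restart freeradius so the new defaults are picked up. A quick check from the same host is `ldapsearch -x -H ldaps://ldap.example.invalid -b '' -s base`: against a server that only offers TLS 1.1 it should now fail with a TLS handshake error rather than succeed, and `openssl s_client -connect ldap.example.invalid:636 -tls1_1 </dev/null` shows whether the server side still accepts TLS 1.1 at all.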
More information about the Freeradius-Users mailing list