rlm_ldap: Limit accepted TLS versions on LDAPS
Michael Ströder
michael at stroeder.com
Wed Dec 9 16:48:25 CET 2020
On 12/9/20 3:36 PM, Alan DeKok wrote:
> And the libldap API doesn't provide a way to say "require TLS 1.2"
How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?
This is a single integer but I can't find how to calculate it from TLS
major.minor version. I suspect it's the 16-bit integer value (2 bytes
for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
be 0x0303 [1].
Better ask on openldap-technical mailing list to get an authoritative
answer though.
Ciao, Michael.
[1] https://tools.ietf.org/html/rfc8446#section-4.1.2
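An added example, not code from the thread or from FreeRADIUS: it derives the integer that OpenLDAP's LDAP_OPT_X_TLS_PROTOCOL_MIN expects from a "1.x" version string using the record-layer encoding suggested above (TLS 1.2 is wire version 3.3, so (3 << 8) | 3 = 0x0303), applies it to libldap's global TLS defaults, and cross-checks the encoding against the LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 constant that ldap.h defines as ((3 << 8) + 3). The ldap.h include is guarded with __has_include so the encoding part compiles even where libldap headers are absent; the helper names are the example's own.

```c
/* Added example (not from the mailing-list thread): compute the value for
 * OpenLDAP's LDAP_OPT_X_TLS_PROTOCOL_MIN from a "major.minor" TLS version
 * string and apply it as a process-wide default.
 *
 * The option takes the 16-bit TLS record-layer version number:
 * TLS 1.0 = 0x0301, TLS 1.1 = 0x0302, TLS 1.2 = 0x0303, TLS 1.3 = 0x0304.
 * Build with:  cc -o tlsmin tlsmin.c -lldap
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<ldap.h>)
#  include <ldap.h>
#  define HAVE_LDAP_H 1
# endif
#endif

/* Encode a record-layer major.minor pair the way libldap expects it. */
int tls_protocol_code(int major, int minor)
{
    return (major << 8) | minor;
}

/* Map a human-readable TLS version ("1.0" .. "1.3") to the record-layer
 * code. TLS 1.x is wire version 3.(x+1). Returns -1 for anything
 * unrecognised so a typo in a config file never degrades to "no minimum". */
int tls_protocol_min_from_string(const char *ver)
{
    char *end;
    long major, minor;

    if (ver == NULL) return -1;
    major = strtol(ver, &end, 10);
    if (end == ver || *end != '.') return -1;
    minor = strtol(end + 1, &end, 10);
    if (*end != '\0') return -1;
    if (major == 1 && minor >= 0 && minor <= 3)
        return tls_protocol_code(3, (int)minor + 1);
    return -1;
}

/* Apply the minimum to libldap's global defaults (ld == NULL), which every
 * later ldap_initialize()/ldap_start_tls_s() inherits.
 * Returns 0 on success, -1 on a bad version string or if libldap rejects
 * the option, -2 if ldap.h was not available at compile time. */
int apply_tls_minimum(const char *ver)
{
    int code = tls_protocol_min_from_string(ver);
    if (code < 0) return -1;
#ifdef HAVE_LDAP_H
# ifdef LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
    /* Cross-check the encoding assumption against the header's own constant. */
    if (tls_protocol_code(3, 3) != LDAP_OPT_X_TLS_PROTOCOL_TLS1_2) return -1;
# endif
    if (ldap_set_option(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &code) != LDAP_OPT_SUCCESS)
        return -1;
    return 0;
#else
    return -2;
#endif
}

int main(int argc, char **argv)
{
    const char *ver = argc > 1 ? argv[1] : "1.2";
    int code = tls_protocol_min_from_string(ver);
    int rc;

    if (code < 0) {
        fprintf(stderr, "unrecognised TLS version '%s'\n", ver);
        return 1;
    }
    printf("TLS %s -> LDAP_OPT_X_TLS_PROTOCOL_MIN = 0x%04x\n", ver, code);
    rc = apply_tls_minimum(ver);
    printf("apply_tls_minimum: %s\n",
           rc == 0 ? "set" : rc == -2 ? "ldap.h not present, not applied" : "failed");
    return rc == -1 ? 1 : 0;
}
```

Setting the option with a NULL handle makes it the default for every connection the process opens afterwards; setting it on an existing LDAP handle only affects that handle, and either way the value has to be set before the TLS handshake is started.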