rlm_ldap: Limit accepted TLS versions on LDAPS

Michael Ströder michael at stroeder.com
Wed Dec 9 16:48:25 CET 2020

On 12/9/20 3:36 PM, Alan DeKok wrote:
> And the libldap API doesn't provide a way to say "require TLS 1.2"

How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?

This is a single integer but I can't find how to calculate it from TLS
major.minor version. I suspect it's the 16-bit integer value (2 bytes
for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
be 0x0303 [1].

Better ask on openldap-technical mailing list to get an authorative
answer though.

Ciao, Michael.

[1] https://tools.ietf.org/html/rfc8446#section-4.1.2

More information about the Freeradius-Users mailing list