rlm_ldap: Limit accepted TLS versions on LDAPS
Alan DeKok
aland at deployingradius.com
Wed Dec 9 17:05:31 CET 2020
On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> On 12/9/20 3:36 PM, Alan DeKok wrote:
>> And the libldap API doesn't provide a way to say "require TLS 1.2"
>
> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?
Huh... that's new. I'll push some fixes.
> This is a single integer but I can't find how to calculate it from TLS
> major.minor version. I suspect it's the 16-bit integer value (2 bytes
> for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
> be 0x0303 [1].
Yes. It's all magical. But that's the correct value.
Alan DeKok.
More information about the Freeradius-Users
mailing list