rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok aland at deployingradius.com
Wed Dec 9 17:05:31 CET 2020


On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> On 12/9/20 3:36 PM, Alan DeKok wrote:
>> And the libldap API doesn't provide a way to say "require TLS 1.2"
> 
> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?

  Huh...  that's new.  I'll push some fixes.

> This is a single integer but I can't find how to calculate it from TLS
> major.minor version. I suspect it's the 16-bit integer value (2 bytes
> for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
> be 0x0303 [1].

  Yes.  It's all magical.  But that's the correct value.

  Alan DeKok.

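A helper for the option value discussed above, as an added example that is not part of the thread or of FreeRADIUS; it assumes OpenLDAP's libldap and treats the LDAP_OPT_X_TLS_PROTOCOL_MIN value as the 16-bit wire version number (major byte, minor byte) that the message describes, so TLS 1.2 becomes 0x0303.

```c
/* Added example, not code from the thread or from FreeRADIUS: turn a TLS
 * major.minor version into the integer libldap expects for
 * LDAP_OPT_X_TLS_PROTOCOL_MIN. The value is the 16-bit protocol version used
 * on the wire (major in the high byte, minor in the low byte), so TLS 1.2 is
 * wire version 3.3 = 0x0303. Build with -DUSE_LIBLDAP and -lldap to compile
 * the actual ldap_set_option() call; without it the helpers still work. */
#include <stdio.h>
#ifdef USE_LIBLDAP
#include <ldap.h>
#endif

/* Wire-level version number: high byte = major, low byte = minor. */
int tls_protocol_value(int major, int minor)
{
    return ((major & 0xff) << 8) | (minor & 0xff);
}

/* Map a "TLS 1.x" version to its wire value: TLS 1.0 is 3.1, TLS 1.1 is 3.2,
 * TLS 1.2 is 3.3, TLS 1.3 is 3.4. Returns -1 for anything outside TLS 1.0-1.3. */
int tls_min_from_tls_version(int tls_major, int tls_minor)
{
    if (tls_major != 1 || tls_minor < 0 || tls_minor > 3) return -1;
    return tls_protocol_value(3, tls_minor + 1);
}

/* Require at least the given TLS version on an LDAP handle (a NULL handle sets
 * the libldap global default, which must happen before the connection starts).
 * Returns 0 on success, -1 on a bad version or when libldap is not compiled in. */
int ldaps_require_min_tls(void *ld_handle, int tls_major, int tls_minor)
{
    int value = tls_min_from_tls_version(tls_major, tls_minor);
    if (value < 0) return -1;
#ifdef USE_LIBLDAP
    return ldap_set_option((LDAP *)ld_handle, LDAP_OPT_X_TLS_PROTOCOL_MIN,
                           &value) == LDAP_OPT_SUCCESS ? 0 : -1;
#else
    (void)ld_handle;
    return -1;
#endif
}

int main(void)
{
    /* Print the values for the versions a deployment might pin as a floor. */
    for (int minor = 0; minor <= 3; minor++)
        printf("TLS 1.%d -> LDAP_OPT_X_TLS_PROTOCOL_MIN 0x%04x\n",
               minor, tls_min_from_tls_version(1, minor));
    return 0;
}
```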