rlm_ldap : cipher_list parameter support ?
Alan DeKok
aland at deployingradius.com
Mon Jan 30 13:37:53 UTC 2023
On Jan 30, 2023, at 8:32 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
> With FR 3.2.1, ubuntu 20.04, I can't bind to LDAP server using an old TLS 1.0 version.
>
> With TLS section parameters in ldap.conf :
> tls {
> start_tls = no
> ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
> require_cert = demand
> tls_min_version = "1.0"
> cipher_list = "DEFAULT at SECLEVEL=1"
> }
The LDAP module doesn't support setting the cipher suite. We're happy to accept patches. See
https://www.openldap.org/software//man.cgi?query=ldap_get_option&sektion=3&apropos=0&manpath=OpenLDAP+2.6-Release
and
LDAP_OPT_X_TLS_CIPHER_SUITE
> I have in debug log for this LDAP server :
> # Loaded module rlm_ldap
> ...
> tls {
> ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
> tls_min_version = "1.0"
> start_tls = no
> require_cert = "demand"
> }
Yes. The debug output only prints the values it uses.
> And the error when trying to bind :
> TLS: can't connect: (unknown error code).
>
> It seems that the 'cipher_list' parameter has disappeared in the debug log; is this parameter
> supported in ldap.conf?
Apparently not.
> If not, how can I bind and check the certificate ('demand' or 'hard' option) against a TLS 1.0
> LDAP server?
Patch the source. There isn't really any other way.
Alan DeKok.