From: nanmor@126.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
Date: Thu, 11 Oct 2018 06:53:31 +0000

Hi Quanah,

I'm afraid the message was encoded so that you could not see it, so I am sending it again.

After I set a parameter on the server, TLSProtocolMin 3.4, and restarted the LDAP server, it works: the server will not negotiate with a lower TLS version.
I set the parameter on the client, TLS_PROTOCOL_MIN 3.4, but the client still starts a Client Hello with TLS1.2; I suspect the parameter does not work in my configuration.
Here is my ldap.conf:

ssl start_tls
TLS_CACERTDIR /usr/local/etc/openldap/cacerts
TLS_CACERT /usr/local/etc/openldap/cacerts/cacert.pem
TLS_REQCERT never
TLS_PROTOCOL_MIN 3.4
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SASL_NOCANON on
BASE cn=localhost
debug 9
local4.* /var/log/ldap.log

I used "openssl s_client -connect mydomain.com:636 -tls1_3" to connect to the same server from the same client, and it used TLS1.3 successfully. I think the OpenSSL TLS1.3 support works well.

How can I make sure our client and server link to the OpenSSL? And could you please show me your TLS configuration in ldap.conf and slapd.conf, if it is convenient for you.

Thanks a lot.

best regards
nancy

> On Oct 9, 2018, at 9:56 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Tuesday, October 09, 2018 10:02 AM +0000 nanmor(a)126.com wrote:
>
>> We can get the result, but from the Wireshark result, we find that they used
>> TLS1.2 to negotiate.
>
> I do not find this to be the case with OpenLDAP 2.4.46.
>
>> OpenSSL supports TLS1.3; however openldap-2.4.46 still uses
>> TLS1.2 by default. Are some parameters needed to specify TLS1.3 in the openldap
>> configuration?
>
> Nope.
>
>> By the way, I have tested that other applications can negotiate
>> TLS1.3 by default when the client and server both use openssl-1.1.1.
>
> That is the behavior I see.
>
> OpenLDAP 2.4.46 linked to OpenSSL 1.1.1 for both the client and server:
>
> 5bbcb282 connection_read(14): checking for input on id=1001
> TLS trace: SSL_accept:TLSv1.3 early data
> TLS trace: SSL_accept:SSLv3/TLS read finished
> TLS trace: SSL_accept:SSLv3/TLS write session ticket
> TLS trace: SSL_accept:SSLv3/TLS write session ticket
>
> Perhaps the ldapsearch you picked up was not the one linked to OpenSSL 1.1.1.
>
> You may also want to read the slapd.conf(5) or slapd-config(5) man pages on how to set a minimum required TLS protocol version.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
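Quanah's hint that the ldapsearch being run may not be the one linked against OpenSSL 1.1.1 can be checked directly rather than guessed at. The following Python script is an added example, not part of the thread or of OpenLDAP: it reads ldd output to find the exact libssl a client binary resolves, loads that library and asks it for its version banner, then compares against 1.1.1, the first release with TLS 1.3 (libssl.so.1.1 is shared by 1.1.0 and 1.1.1, so the soname alone proves nothing). The SAMPLE_LDD text is constructed for the self-check; the ldd and version-banner formats are the standard ones.

```python
import ctypes
import re
import shutil
import subprocess
import sys

# First OpenSSL release line that implements TLS 1.3.
TLS13_MIN_VERSION = (1, 1, 1)

# Constructed ldd output used only for the self-check below (not captured
# from the reporter's system).
SAMPLE_LDD = (
    "\tliblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x00007f01)\n"
    "\tlibssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f02)\n"
    "\tlibcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f03)\n"
)

def libssl_from_ldd(ldd_output):
    """Return the path of the libssl a binary resolves, or None (static or 'not found')."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*libssl\.so[\w.]*\s*=>\s*(\S+)", line)
        if m and m.group(1) != "not":  # 'libssl.so.1.1 => not found'
            return m.group(1)
    return None

def version_tuple(banner):
    """'OpenSSL 1.1.1  11 Sep 2018' -> (1, 1, 1); patch letters (1.1.0h) are ignored."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def tls13_capable(banner):
    return version_tuple(banner) >= TLS13_MIN_VERSION

def loaded_openssl_version(libssl_path):
    """Load the very libssl the binary uses and return its version banner."""
    lib = ctypes.CDLL(libssl_path)
    # OpenSSL_version() exists on 1.1.x/3.x; 1.0.x only has SSLeay_version().
    fn = getattr(lib, "OpenSSL_version", None) or lib.SSLeay_version
    fn.restype = ctypes.c_char_p
    fn.argtypes = [ctypes.c_int]
    return fn(0).decode()  # 0 == OPENSSL_VERSION (SSLEAY_VERSION on 1.0.x)

def main(binary="ldapsearch"):
    path = shutil.which(binary) or sys.exit("%s not found in PATH" % binary)
    ldd = subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout
    libssl = libssl_from_ldd(ldd) or sys.exit("%s does not load libssl dynamically" % path)
    banner = loaded_openssl_version(libssl)
    print("%s -> %s -> %s: TLS 1.3 %s" % (path, libssl, banner,
          "possible" if tls13_capable(banner) else "NOT possible"))

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "ldapsearch")
```

Run it once for ldapsearch and once for slapd; if the two resolve different libssl paths, or a banner below 1.1.1, that explains a TLS 1.2 handshake regardless of TLS_PROTOCOL_MIN.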