https://bugs.openldap.org/show_bug.cgi?id=9948
Issue ID: 9948
Summary: tls_ciphers with TLSv1.2 cipher_suite gives list of TLSv1.3 ciphers in TLS Client Hello message
Product: OpenLDAP
Version: 2.4.57
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: nikigen68@gmail.com
Target Milestone: ---
Created attachment 928 --> https://bugs.openldap.org/attachment.cgi?id=928&action=edit

TLS server only supports TLSv1.3 in this case, and I would expect it to be rejected.
For example:
ldap.conf:
tls_ciphers ECDHE-ECDSA-CHACHA20-POLY1305
will give ClientHello with these cipher suites:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
and supported versions:
TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
Why do we have the default TLSv1.3 ciphers listed? I would expect only ECDHE-ECDSA-CHACHA20-POLY1305. Also, why do we have TLSv1.0 and TLSv1.1 listed as supported versions when those are considered vulnerable?
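The behaviour in this report can be reproduced without OpenLDAP, because it comes from OpenSSL: the string passed to SSL_CTX_set_cipher_list (what Python's ssl.SSLContext.set_ciphers wraps, and what a tls_ciphers line configures) only selects TLSv1.2-and-below suites, while OpenSSL 1.1.1 and later keep the TLSv1.3 suites in a separate list set with SSL_CTX_set_ciphersuites, which Python does not expose. The script below is an added example written for this page, not code from the OpenLDAP project or the reporter. It points a client context at a throw-away loopback listener, captures the raw ClientHello the client sends, parses the cipher_suites vector and the supported_versions extension, and prints what was offered, once with only the cipher list set and once with the protocol range pinned to TLSv1.2. Assumptions: the Python build links an OpenSSL with TLSv1.3 support (checked via ssl.HAS_TLSv1_3), loopback sockets are available, and the OpenSSL security level or system config does not itself forbid the named cipher; on newer Python releases the default minimum version is already TLSv1.2, so TLSv1.0 and TLSv1.1 may not appear even in the first run. The libldap counterpart of minimum_version is TLS_PROTOCOL_MIN in ldap.conf (3.3 for TLSv1.2); whether tls_ciphers should also feed the TLSv1.3 ciphersuite list is exactly the question this report raises, and the example does not assume an answer.

```python
"""Capture the ClientHello a Python/OpenSSL client really sends and list the
cipher suites and versions it offers (added example, not OpenLDAP code)."""
import socket
import ssl
import struct
import threading

TLS13_AVAILABLE = ssl.HAS_TLSv1_3
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full record arrived")
        buf += chunk
    return buf


def capture_client_hello(ctx):
    """Connect ctx to a loopback listener that never answers and return the
    raw handshake message carried in the first TLS record it sends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def client():
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
                # wrap_socket() starts the handshake immediately; it fails because
                # the listener closes without replying, and that failure is expected.
                ctx.wrap_socket(raw, server_hostname="localhost")
        except OSError:
            pass

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    conn.settimeout(5)
    header = _recv_exact(conn, 5)                 # content_type(1) version(2) length(2)
    length = struct.unpack("!H", header[3:5])[0]
    body = _recv_exact(conn, length)
    conn.close()
    srv.close()
    t.join(5)
    return body


def parse_client_hello(msg):
    """Return (cipher suite code points, offered versions) from a ClientHello."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    legacy_version = struct.unpack("!H", msg[4:6])[0]
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + msg[p]                               # legacy_session_id
    n = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + msg[p]                               # legacy_compression_methods
    versions = []
    if p + 2 <= len(msg):
        end = p + 2 + struct.unpack("!H", msg[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[p:p + 4])
            p += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                count = msg[p]
                versions = [struct.unpack("!H", msg[i:i + 2])[0]
                            for i in range(p + 1, p + 1 + count, 2)]
            p += elen
    # A client without supported_versions offers at most the legacy version field.
    return suites, versions or [legacy_version]


def describe(ctx):
    """(cipher suite names, version names) exactly as the ClientHello offers them."""
    suites, versions = parse_client_hello(capture_client_hello(ctx))
    # OpenSSL cipher ids are 0x0300xxxx; the low 16 bits are the IANA code point.
    names = {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}
    # Code points with no cipher name (e.g. 0x00ff, the renegotiation SCSV) stay hex.
    return ([names.get(s, "0x%04x" % s) for s in suites],
            [VERSION_NAMES.get(v, "0x%04x" % v) for v in versions])


def reporter_context():
    """Equivalent of 'tls_ciphers ECDHE-ECDSA-CHACHA20-POLY1305': set_ciphers()
    wraps SSL_CTX_set_cipher_list, which never touches the TLSv1.3 suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ECDHE-ECDSA-CHACHA20-POLY1305")
    return ctx


def pinned_context():
    """Same cipher list with the protocol range pinned to TLSv1.2, so neither
    the TLSv1.3 suites nor the older versions are offered."""
    ctx = reporter_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("cipher list only", reporter_context()),
                       ("pinned to TLSv1.2", pinned_context())):
        suites, versions = describe(ctx)
        print("%-18s suites=%s versions=%s" % (label, suites, versions))
```

The first run shows the report's observation: the three TLS_* suites sit in front of ECDHE-ECDSA-CHACHA20-POLY1305 and TLSv1.3 is offered, even though only one suite was configured. Pinning the version range is what removes them; the cipher list string alone cannot, because the TLSv1.3 list is governed by a different OpenSSL setting.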