https://bugs.openldap.org/show_bug.cgi?id=9948
Issue ID: 9948
Summary: tls_ciphers with TLSv1.2 cipher_suite gives list of TLSv1.3 ciphers in TLS Client Hello message
Product: OpenLDAP
Version: 2.4.57
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: nikigen68@gmail.com
Target Milestone: ---

Created attachment 928 --> https://bugs.openldap.org/attachment.cgi?id=928&action=edit
TLS server only supports TLSv1.3 in this case, and I would expect it to be rejected.
For example:
ldap.conf: tls_ciphers ECDHE-ECDSA-CHACHA20-POLY1305
will give ClientHello with these cipher suites:
TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-CHACHA20-POLY1305
and supported versions:
TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
Why are the default TLSv1.3 ciphers listed? I would expect only ECDHE-ECDSA-CHACHA20-POLY1305. Also, why are TLSv1.0 and TLSv1.1 listed as supported versions when those are considered vulnerable?
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
Hello,
Two things:
1. Your questions are for whatever SSL library implementation your OpenLDAP source is linked to.
2. The OpenLDAP 2.4 series is historic and not supported.
Regards, Quanah
Quanah Gibson-Mount quanah@openldap.org changed:

What        |Removed      |Added
------------+-------------+------------
Keywords    |needs_review |
Status      |UNCONFIRMED  |RESOLVED
Resolution  |---          |INVALID
Quanah Gibson-Mount quanah@openldap.org changed:

What        |Removed      |Added
------------+-------------+------------
Status      |RESOLVED     |VERIFIED
nikigen68@gmail.com changed:

What        |Removed      |Added
------------+-------------+------------
Status      |VERIFIED     |UNCONFIRMED
Resolution  |INVALID      |---
--- Comment #2 from nikigen68@gmail.com ---
Let me rephrase the question:
Is there an OpenLDAP release in which it is possible to use TLSv1.3 ciphers within the configuration file option tls_ciphers?
For example in case we use:
tls_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
Then nothing will be sent from the client.
I saw there was a similar issue opened and solved for syslog-ng client:
Issue: https://github.com/syslog-ng/syslog-ng/issues/3906#issuecomment-1033698573
Release with solution: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-3-36-news-better-...
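The behaviour described in the report and in comment #2 comes from the SSL library rather than from OpenLDAP: OpenSSL's cipher_list string (what tls_ciphers is passed to) only selects TLSv1.2-and-older suites, while TLSv1.3 suites are configured through a separate API (SSL_CTX_set_ciphersuites). The following is an added illustration, not code from OpenLDAP or from the reporter; it uses Python's ssl module, whose set_ciphers() wraps SSL_CTX_set_cipher_list(), and assumes an OpenSSL 1.1.1 or later build.

```python
import ssl

# Values taken from the report: a TLSv1.2-only suite, and the TLSv1.3 suite
# names the reporter tried to put into tls_ciphers.
TLS12_CIPHER_STRING = "ECDHE-ECDSA-CHACHA20-POLY1305"
TLS13_CIPHER_STRING = ("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:"
                       "TLS_CHACHA20_POLY1305_SHA256")
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def offered_ciphers(cipher_string):
    """Map protocol -> cipher names a client context offers after set_ciphers().

    The cipher_list string only filters TLSv1.2-and-older suites. OpenSSL keeps
    its default TLSv1.3 suites (set separately via SSL_CTX_set_ciphersuites,
    which the ssl module does not expose), so they still go into the ClientHello.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    offered = {}
    for cipher in ctx.get_ciphers():
        offered.setdefault(cipher["protocol"], []).append(cipher["name"])
    return offered


def cipher_string_accepted(cipher_string):
    """True if OpenSSL accepts the string as a cipher_list.

    A string made only of TLSv1.3 suite names matches no TLSv1.2 cipher, so
    SSL_CTX_set_cipher_list() fails and no usable context results; this is the
    "nothing will be sent from the client" case in comment #2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def tls12_or_newer_context():
    """Protocol versions are independent of the cipher string: TLSv1.0/1.1 are
    dropped with a version floor, not with tls_ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for proto, names in sorted(offered_ciphers(TLS12_CIPHER_STRING).items()):
        print(proto, names)
    print("TLSv1.3-only string accepted:", cipher_string_accepted(TLS13_CIPHER_STRING))
    print("minimum version:", tls12_or_newer_context().minimum_version.name)
```

In OpenLDAP terms, the same split applies to whatever TLS library libldap is linked against, which is why the TLSv1.3 suites and the version range are governed by that library's own configuration rather than by the tls_ciphers string alone.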
Howard Chu hyc@openldap.org changed:

What        |Removed      |Added
------------+-------------+------------
Status      |UNCONFIRMED  |RESOLVED
Resolution  |---          |INVALID
--- Comment #3 from Howard Chu hyc@openldap.org ---
> Let me rephrase the question:
The ITS is for bug reports. Questions about software usage belong on the openldap-technical mailing list.
Quanah Gibson-Mount quanah@openldap.org changed:

What        |Removed      |Added
------------+-------------+------------
Status      |RESOLVED     |VERIFIED