--On Friday, September 21, 2018 10:59 AM +0000 mhonek@redhat.com wrote:
Hi Nancy,
I'm not aware of RHEL7 shipping with OpenSSL 1.1; OpenLDAP is linked with openssl-1.0.2 there.
Anyway, please report all issues related to TLS in OpenLDAP in Red Hat products to Red Hat Support or Bugzilla, first.
Based on what I read in their report, they have an LDAP server (not OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their Red Hat system won't negotiate TLS 1.3 with that server. This is not surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (see ITS#8914). I'm currently examining what's necessary for such support. I would not expect any OpenLDAP-based ldapsearch binary to be able to negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux distribution's OpenLDAP-based ldapsearch binary to support it for quite some time. GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release as of July 2018, so this would not work in Debian-based distributions either unless running the very bleeding edge.
Warm regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
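The practical check behind the exchange above is "which TLS library is my ldapsearch linked against, and is that version new enough for TLS 1.3?". The script below is an added example written for this page, not code from the OpenLDAP project or from either poster. It encodes the two thresholds the message gives (OpenSSL 1.1.1, GnuTLS 3.6.3), classifies a version banner from `openssl version` or `gnutls-cli --version`, and can inspect the locally installed ldapsearch with `ldd`. The function names (`version_ge`, `tls13_capable`, `soname_hint`, `report_live`) are my own, and the banners in the offline demonstration are constructed sample strings.

```shell
#!/bin/sh
# Added example (not OpenLDAP project code): can the TLS library behind an
# OpenLDAP client such as ldapsearch negotiate TLS 1.3 at all?
# Thresholds, per the message above: OpenSSL >= 1.1.1, GnuTLS >= 3.6.3.
# All function names here are this example's own, not OpenLDAP's.

# num_field VERSION N: N-th dotted component of VERSION with any trailing
# letters stripped (1.0.2k -> 2 for N=3); a missing component counts as 0.
num_field() {
    f=$(printf '%s.0.0\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*$//')
    printf '%s\n' "${f:-0}"
}

# version_ge A B: succeed if dotted version A >= B (first three components).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(num_field "$1" "$i")
        y=$(num_field "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# tls13_capable BANNER: succeed if the library named by BANNER has TLS 1.3.
# BANNER is the first line of `openssl version` or `gnutls-cli --version`.
# Returns 2 for a banner it does not recognise.
tls13_capable() {
    case "$1" in
        "OpenSSL "*)
            version_ge "$(printf '%s\n' "$1" | awk '{print $2}')" 1.1.1 ;;
        "GnuTLS "*|"gnutls-cli "*)
            version_ge "$(printf '%s\n' "$1" | awk '{print $NF}')" 3.6.3 ;;
        *)
            return 2 ;;
    esac
}

# soname_hint SONAME: what the linked library's soname alone tells you.
# libssl.so.10 (RHEL/CentOS) and libssl.so.1.0.* (Debian/Ubuntu) are
# OpenSSL 1.0.x and can be ruled out from ldd output; libssl.so.1.1 may be
# 1.1.0 (no TLS 1.3) or 1.1.1, so it needs the version banner.
soname_hint() {
    case "$1" in
        libssl.so.10|libssl.so.1.0.*) echo "no (OpenSSL 1.0.x)" ;;
        libssl.so.1.1)                echo "maybe (check openssl version)" ;;
        libgnutls.so.30)              echo "maybe (check gnutls-cli --version)" ;;
        *)                            echo "unknown" ;;
    esac
}

# report_live: inspect the ldapsearch actually installed on this host.
# Caveat: `openssl version` describes the CLI's own library, which can differ
# from the libssl ldapsearch links (e.g. a parallel openssl11 package), so
# read the ldd line and the banner line together.
report_live() {
    bin=$(command -v ldapsearch) || { echo "ldapsearch not installed"; return 2; }
    echo "ldapsearch: $bin"
    ldd "$bin" 2>/dev/null | awk '/libssl|libgnutls/ {print $1}' | while read -r so; do
        echo "  links $so -> TLS 1.3: $(soname_hint "$so")"
    done
    for tool in "openssl version" "gnutls-cli --version"; do
        banner=$($tool 2>/dev/null | head -n 1)
        [ -n "$banner" ] || continue
        if tls13_capable "$banner"; then v=yes; else v=no; fi
        echo "  $banner -> TLS 1.3: $v"
    done
}

# Offline demonstration on constructed banners (the first is the RHEL 7
# OpenSSL 1.0.2 banner the reporter's system would show).
for banner in "OpenSSL 1.0.2k-fips  26 Jan 2017" \
              "OpenSSL 1.1.0h  27 Mar 2018" \
              "OpenSSL 1.1.1  11 Sep 2018" \
              "gnutls-cli 3.5.18" \
              "gnutls-cli 3.6.3"; do
    if tls13_capable "$banner"; then echo "$banner -> TLS 1.3: yes"
    else echo "$banner -> TLS 1.3: no"; fi
done

# Pass --live to inspect the locally installed ldapsearch.
if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run it with `--live` on the affected host to see which libssl or libgnutls the ldapsearch binary actually loads. A passing banner only means the library can do TLS 1.3; whether the server side completes a TLS 1.3 handshake is a separate test, for example `openssl s_client -connect host:636 -tls1_3` with an OpenSSL 1.1.1 or later client.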