--On Thursday, October 11, 2018 3:52 PM +0800 moyanan nanmor@126.com wrote:
I set the parameter in the client: TLS_PROTOCOL_MIN 3.4, but the client still starts a client hello with TLS 1.2. I doubt that the parameter works in my configuration. Here is my ldap.conf:
Hi Nancy,
I would suggest reading the man page for ldap.conf(5):
Some of the settings in the ldap.conf you provided do not seem valid.
Again, I'd confirm what SSL library the ldapsearch you're using is linked to. (I.e., ldd /path/to/ldapsearch). I only see TLS 1.3 negotiated by default in my build setup where both slapd and the ldap* tools are linked to OpenSSL 1.1.1.
Per the ldap.conf(5) man page, the TLS_PROTOCOL_MIN parameter is ignored by GnuTLS, which makes me wonder if you're using a GnuTLS linked ldapsearch binary.
The ldap.conf file I'm using simply sets TLS_REQCERT never and no other options configured.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
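The two checks suggested above (which TLS library the ldapsearch binary is linked against, and whether TLS_PROTOCOL_MIN will therefore be honoured) written out as a small POSIX shell script. This is an added example, not code from the thread or from OpenLDAP; it assumes the library shows up in ldd output as libssl*/libgnutls* and that ldap.conf keywords are case-insensitive, as ldap.conf(5) states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): work out from ldd output
# which TLS library an ldapsearch binary uses, then say whether the
# TLS_PROTOCOL_MIN floor in ldap.conf will apply (OpenSSL honours it, GnuTLS
# ignores it per ldap.conf(5)). Library names are an assumption.

# Read ldd output on stdin; print openssl, gnutls or unknown.
classify_tls_lib() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Print the (last) TLS_PROTOCOL_MIN value from an ldap.conf; keywords are
# case-insensitive and '#' lines are comments.
tls_protocol_min() {
    awk 'toupper($1) == "TLS_PROTOCOL_MIN" { v = $2 } END { print v }' "$1"
}

# Map the <major>.<minor> form used by ldap.conf(5) to a protocol name.
proto_name() {
    case "$1" in
        3.0) echo "SSL 3.0" ;;  3.1) echo "TLS 1.0" ;;  3.2) echo "TLS 1.1" ;;
        3.3) echo "TLS 1.2" ;;  3.4) echo "TLS 1.3" ;;  *)   echo "unknown" ;;
    esac
}

# $1 = library from classify_tls_lib, $2 = TLS_PROTOCOL_MIN value (may be empty).
# Exit 0 only when the floor will actually be enforced.
verdict() {
    [ -n "$2" ] || { echo "no TLS_PROTOCOL_MIN set; library default applies"; return 1; }
    case "$1" in
        openssl) echo "TLS_PROTOCOL_MIN $2 ($(proto_name "$2")) will be enforced" ;;
        gnutls)  echo "TLS_PROTOCOL_MIN $2 is ignored: ldapsearch is linked to GnuTLS"; return 1 ;;
        *)       echo "cannot identify the TLS library; check ldd output by hand"; return 1 ;;
    esac
}

# Usage: sh check_tls_min.sh /path/to/ldapsearch /etc/openldap/ldap.conf
if [ "$#" -ge 2 ]; then
    lib=$(ldd "$1" | classify_tls_lib)
    verdict "$lib" "$(tls_protocol_min "$2")"
fi
```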