--On Tuesday, October 09, 2018 10:02 AM +0000 nanmor@126.com wrote:
> We can get the result, but from the Wireshark result, we find that they used TLS1.2 to negotiate.
I do not find this to be the case with OpenLDAP 2.4.46.
> OpenSSL supports TLS1.3; however, openldap-2.4.46 still uses TLS1.2 by default. Are some parameters needed to specify TLS1.3 in the openldap configuration?
Nope.
> By the way, I have tested that other applications can negotiate TLS1.3 by default when the client and server both use openssl-1.1.1.
That is the behavior I see.
OpenLDAP 2.4.46 linked to OpenSSL 1.1.1 for both the client and server:
5bbcb282 connection_read(14): checking for input on id=1001
TLS trace: SSL_accept:TLSv1.3 early data
TLS trace: SSL_accept:SSLv3/TLS read finished
TLS trace: SSL_accept:SSLv3/TLS write session ticket
TLS trace: SSL_accept:SSLv3/TLS write session ticket
Perhaps the ldapsearch you picked up was not the one linked to OpenSSL 1.1.1.
You may also want to read the slapd.conf(5) or slapd-config(5) man pages on how to set a minimum required TLS protocol version.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
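As an added example (not from this thread or from the OpenLDAP project), a small Python script that reads slapd debug output in the format quoted above and reports, per connection id, whether OpenSSL's state machine logged any TLS 1.3-specific handshake state. It assumes that "TLS trace:" lines belong to the most recently logged connection id, which is a simplification of real slapd output, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of slapd trace output, modelled on the lines quoted in the
# thread. Connection 1001 shows a TLS 1.3-only state ("TLSv1.3 early data"),
# connection 1002 shows only generic "SSLv3/TLS" states. The first trace line is
# deliberately run together, as it appeared in the mail, to show the parser copes.
SAMPLE_LOG = """\
5bbcb282 connection_read(14): checking for input on id=1001
TLS trace: SSL_accept:TLSv1.3 early data TLS trace: SSL_accept:SSLv3/TLS read finished
TLS trace: SSL_accept:SSLv3/TLS write session ticket
5bbcb290 connection_read(15): checking for input on id=1002
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS read finished
"""

# Connection id line, e.g. "connection_read(14): checking for input on id=1001".
CONN_RE = re.compile(r"connection_read\(\d+\): checking for input on id=(\d+)")
# One OpenSSL state string per "TLS trace:" entry; several may share a line.
TRACE_RE = re.compile(r"TLS trace: SSL_(?:accept|connect):(.*?)(?= TLS trace:|$)")


def handshake_states(log_text):
    """Collect the OpenSSL state strings seen for each connection id (assumption:
    trace lines are attributed to the most recent connection id in the log)."""
    states = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            current = m.group(1)
            states.setdefault(current, [])
            continue
        if current is not None:
            states[current].extend(TRACE_RE.findall(line))
    return dict(states)


def negotiated_versions(log_text):
    """Classify each connection: 'TLSv1.3' if any TLS 1.3-only state was logged,
    'pre-TLSv1.3' if only generic SSLv3/TLS states appeared, 'unknown' otherwise."""
    result = {}
    for cid, st in handshake_states(log_text).items():
        if not st:
            result[cid] = "unknown"
        elif any(s.startswith("TLSv1.3") for s in st):
            result[cid] = "TLSv1.3"
        else:
            result[cid] = "pre-TLSv1.3"
    return result


if __name__ == "__main__":
    for cid, ver in negotiated_versions(SAMPLE_LOG).items():
        print(f"id={cid}: {ver}")
```

A connection that only shows "SSLv3/TLS" states cannot be pinned to TLS 1.2 versus an older version from the trace alone; confirm the exact version with a capture such as the Wireshark result mentioned in the thread.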