Thanks for the response Quanah. You're right, they're mentioning "some" LDAP server. And as you indirectly mentioned, with OpenSSL 1.0, TLS 1.3 is not supported.
However, I believe TLS 1.3 already works with OpenLDAP and OpenSSL. You might want to give the Docker image fedora:rawhide a try. I was able to successfully establish a TLS 1.3 connection ldapsearch<->slapd. Tested with: openldap-2.4.46-8.fc30.x86_64 openssl-1.1.1-0.pre9.2.fc30.x86_64
HTH
Best regards, Matus

On Fri, Sep 21, 2018 at 8:23 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Friday, September 21, 2018 10:59 AM +0000 mhonek@redhat.com wrote:
Hi Nancy,
I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked with openssl-1.0.2 there.
Anyway, please report all issues related to TLS in OpenLDAP in Red Hat products to Red Hat Support or Bugzilla, first.
Based on what I read in their report, they have an LDAP server (not OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their RedHat system won't negotiate TLS 1.3 with that server. This is not surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (See ITS#8914). I'm currently examining what's necessary for such support. I would not expect any OpenLDAP based ldapsearch binary to be able to negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux distribution OpenLDAP based ldapsearch binary to support it for quite some time. GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release as of July 2018, so this would not work in debian based distributions either unless running the very bleeding edge.
Warm regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
--
Matúš Honěk
Software Engineer
Red Hat Czech
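A small check that follows from the thread, added here as an example and not part of either message: decide whether the TLS library a given ldapsearch build links against can negotiate TLS 1.3 at all, using the minimum versions named above (OpenSSL 1.1.1, GnuTLS 3.6.3). The function names and the sample version strings (apart from the 1.1.1 pre9 build mentioned in the thread) are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Version gate for TLS 1.3 support in
# the crypto library behind libldap. Thresholds come from the thread:
# OpenSSL >= 1.1.1, GnuTLS >= 3.6.3.

# normalize "1.1.1-pre9" -> "1.1.1", "1.0.2k" -> "1.0.2"
normalize() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# ver_ge A B: succeed when dotted version A >= B (up to three components)
ver_ge() {
    a=$(normalize "$1"); b=$(normalize "$2")
    set -- $(printf '%s' "$a" | tr . ' '); a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s' "$b" | tr . ' '); b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# tls13_capable LIB VERSION: exit 0 if LIB at VERSION can speak TLS 1.3
tls13_capable() {
    case "$1" in
        openssl) ver_ge "$2" 1.1.1 ;;
        gnutls)  ver_ge "$2" 3.6.3 ;;
        *) echo "unknown TLS library: $1" >&2; return 2 ;;
    esac
}

# Human-readable verdict for one library/version pair
tls13_report() {
    if tls13_capable "$1" "$2"; then verdict=yes; else verdict=no; fi
    printf '%s %s: TLS 1.3 possible: %s\n' "$1" "$2" "$verdict"
}

# Constructed sample inputs: an OpenSSL 1.0.2 build (RHEL7-style), the
# 1.1.1 pre9 build from the thread, and GnuTLS just below and at 3.6.3.
for pair in "openssl 1.0.2k" "openssl 1.1.1-pre9" "gnutls 3.6.2" "gnutls 3.6.3"; do
    set -- $pair
    tls13_report "$1" "$2"
done

# On a real host, find the library ldapsearch actually loads and feed its
# reported version in, e.g.:
#   ldd "$(command -v ldapsearch)" | grep -E 'libssl|libgnutls'
#   tls13_report openssl "$(openssl version | awk '{print $2}')"
```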