Full_Name: Nancy Mo
Version: openldap-clients-2.4.46
OS: Redhat 7, ubuntu
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (106.38.0.87)

openldap Client: Ubuntu 16.04.4 LTS / openldap 2.4.46 / openssl-1.1.1
openldap Server: redhat 7, Linux 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016 x86_64 x86_64 x86_64 GNU/Linux, openldap 2.4.46 / openssl-1.1.1
On the client, configure ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
URI     ldap://mydomain.com:389 ldaps://mydomain.com:636

ssl start_tls
TLS_CACERTDIR /usr/local/etc/openldap/cacerts
TLS_CACERT /usr/local/etc/openldap/cacerts/cacert.pem
TLS_REQCERT never

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
SASL_NOCANON on
BASE cn=localhost
debug 9
local4.* /var/log/ldap.log
On the server, configure slapd.conf (the important parts):

database        mdb
maxsize         1073741824
suffix          "dc=mydomain,dc=com"
rootdn          "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}srNLpYqpwEpRTw94IV79Myw5YO6rn0Ym
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap.2.4.46/var/openldap-data

TLSCACertificateFile /usr/local/openldap.2.4.46/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap.2.4.46/etc/openldap/ldap.crt
TLSCertificateKeyFile /usr/local/openldap.2.4.46/etc/openldap/ldap.key
From the client, connect to the server:
ldapsearch -x -H ldaps://mydomain.com:636 -D cn=Manager,dc=mydomain,dc=com -w passw0rd -b "" -s base objectclass=*
We get the result, but in the Wireshark capture we find that they negotiated TLS 1.2.
OpenSSL supports TLS 1.3; however, openldap-2.4.46 still uses TLS 1.2 by default. Are some parameters needed to specify TLS 1.3 in the OpenLDAP configuration?
By the way, I have tested that other applications negotiate TLS 1.3 by default when the client and server both use openssl-1.1.1.
Thanks a lot.
Best regards,
Nancy Mo
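As an added example (not part of this ITS report and not OpenLDAP code), a client-side check that reports which protocol version the LDAPS endpoint actually negotiates, the same thing the Wireshark capture showed, while verifying the server certificate instead of relying on TLS_REQCERT never. The host, port and CA path are the placeholders from the report's ldap.conf, and it assumes Python 3.7+ linked against OpenSSL 1.1.1 or later.

```python
import socket
import ssl

# Values taken from the report's ldap.conf; placeholders, not live infrastructure.
LDAPS_HOST = "mydomain.com"
LDAPS_PORT = 636
CA_FILE = "/usr/local/etc/openldap/cacerts/cacert.pem"

_MIN_VERSION = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def make_context(cafile=None, min_tls="1.2"):
    """Client context that verifies the server certificate and hostname
    (what TLS_REQCERT demand does; the report's TLS_REQCERT never skips
    both) and refuses protocol versions below min_tls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    ctx.minimum_version = _MIN_VERSION[min_tls]
    return ctx


def supports_tls13():
    """True when the local OpenSSL build offers TLS 1.3 at all."""
    return bool(ssl.HAS_TLSv1_3)


def negotiated_version(host=LDAPS_HOST, port=LDAPS_PORT, cafile=CA_FILE, min_tls="1.2"):
    """Handshake with the LDAPS port and return the negotiated protocol
    name, e.g. 'TLSv1.2'.  With min_tls="1.3" the handshake raises
    ssl.SSLError if the server cannot do TLS 1.3, which separates
    'server lacks TLS 1.3' from 'the peers merely settled on TLS 1.2'."""
    ctx = make_context(cafile, min_tls)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION, "| TLS 1.3 available:", supports_tls13())
    for want in ("1.2", "1.3"):
        try:
            print(f"min {want}: negotiated {negotiated_version(min_tls=want)}")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(f"min {want}: handshake failed: {exc}")
```

Run it from the client host: if the TLS 1.3-only attempt fails while the TLS 1.2 attempt succeeds, the server side is what is limiting the negotiation.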