Michael Ströder wrote:
> On 5/5/21 1:29 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> TLSProtocolMin 3.3
>>> TLSCipherSuite HIGH
>> Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
> Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate TLSv1.3 ciphers for HIGH.
>> Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
> Thanks for your explanations.
> Your text seems worth adding here:
> https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20con...
With this patch https://git.openldap.org/openldap/openldap/-/commit/cd3567d750b653949e50b624... the above problem will no longer occur. That is, if your ciphersuite doesn't contain any TLS1.3 ciphers, then the existing TLS1.3 ciphersuites will not be changed. So you'll get the compiled-in defaults if nothing else was changed. That means you can continue to use old configs without any further changes. I don't think there's any security weakness here since the compiled-in defaults are strong. Just a question of whether it's better to force sysadmins to be cognizant of TLS1.3 or let them keep going on without thinking about it.
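An added check (not from the thread, OpenLDAP or OpenSSL) that makes the behaviour above visible with Python's ssl module, which wraps OpenSSL's SSL_CTX_set_cipher_list(): a string like "HIGH" only selects TLS 1.2-and-below suites, while the TLS 1.3 suites stay at OpenSSL's compiled-in defaults. The TLS13_SUITES set and the token-matching rule are my assumptions about what "contains any TLS1.3 ciphers" means; the actual test in the OpenLDAP patch may differ.

```python
import ssl

# Assumed set of names that count as "TLS 1.3 ciphers" (the RFC 8446 suites).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def cipher_tokens(cipher_string):
    """Split an OpenSSL cipher string into bare tokens ("!aNULL" -> "aNULL")."""
    tokens = []
    for tok in cipher_string.replace(",", ":").split(":"):
        tok = tok.strip().lstrip("+-!")
        if tok:
            tokens.append(tok)
    return tokens


def has_tls13_suites(cipher_string):
    """True if the cipher string explicitly names at least one TLS 1.3 suite."""
    return any(tok in TLS13_SUITES for tok in cipher_tokens(cipher_string))


def enabled_by_protocol(cipher_string):
    """Apply cipher_string to a fresh context and group the enabled suites by protocol.

    set_ciphers() calls SSL_CTX_set_cipher_list(), which governs TLS 1.2 and
    below only; the TLS 1.3 suites remain at OpenSSL's compiled-in defaults,
    so they still show up under "TLSv1.3" even for a plain "HIGH" string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    result = {}
    for c in ctx.get_ciphers():
        result.setdefault(c["protocol"], []).append(c["name"])
    return result


if __name__ == "__main__":
    # Constructed sample configs: the one from the thread, and one naming a TLS 1.3 suite.
    for s in ("HIGH", "HIGH:TLS_AES_256_GCM_SHA384"):
        print(s, "-> names a TLS 1.3 suite:", has_tls13_suites(s))
    for proto, names in sorted(enabled_by_protocol("HIGH").items()):
        print(" ", proto, len(names), "suites, e.g.", names[0])
```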