Michael Ströder wrote:
On 5/5/21 1:29 PM, Howard Chu wrote:
Michael Ströder wrote:
TLSProtocolMin 3.3 TLSCipherSuite HIGH
Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate TLSv1.3 ciphers for HIGH.
Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
This appears to be one of the things they changed between OpenSSL 1.1.0 and 1.1.1. It's overall pretty user-unfriendly; I've submitted a patch to them to make things a little easier. https://github.com/openssl/openssl/pull/15161
Perhaps this problem can go away in a future OpenSSL release.
Thanks for your explanations.
Your text seems worth adding here:
https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20con...
Ciao, Michael.
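A small lint for the misconfiguration discussed in this thread, added here as an example; it is not part of the original exchange or of OpenLDAP or OpenSSL. It assumes slapd.conf-style TLSProtocolMin/TLSCipherSuite lines (3.3 = TLSv1.2, 3.4 = TLSv1.3), that OpenSSL's TLSv1.3 suite names are the TLS_-prefixed ones listed below, and that the TLSv1.3 suites are given in the same TLSCipherSuite value as the thread advises.

```python
import re

# OpenSSL's TLSv1.3 suite names. They carry the TLS_ prefix, which is how they are
# told apart from the TLSv1.2-and-below cipher list that strings like "HIGH" select
# (assumption: this list matches the OpenSSL build in use).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}
TLS13_VERSION = (3, 4)  # slapd TLSProtocolMin numbering: 3.3 = TLSv1.2, 3.4 = TLSv1.3

# Constructed sample configs: the one from the thread and a corrected variant.
SAMPLE_FROM_THREAD = "TLSProtocolMin 3.3\nTLSCipherSuite HIGH\n"
SAMPLE_FIXED = ("TLSProtocolMin 3.3\n"
                "TLSCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:HIGH\n")

def parse_slapd_tls(text):
    """Pick TLSProtocolMin (as a (major, minor) tuple) and TLSCipherSuite out of slapd.conf text."""
    cfg = {"protocol_min": None, "cipher_suite": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = re.split(r"(\s+)", line, maxsplit=1) + ["", ""][:3 - len(re.split(r"(\s+)", line, maxsplit=1))]
        key, value = key.lower(), value.strip()  # directives are case-insensitive
        if key == "tlsprotocolmin":
            m = re.fullmatch(r"(\d+)\.(\d+)", value)
            if m:
                cfg["protocol_min"] = (int(m.group(1)), int(m.group(2)))
        elif key == "tlsciphersuite":
            cfg["cipher_suite"] = value
    return cfg

def split_cipher_string(cipher_string):
    """Split a TLSCipherSuite value into (TLSv1.3 suite names, TLSv1.2-and-below cipher list)."""
    parts = [p for p in cipher_string.split(":") if p]
    tls13 = [p for p in parts if p in TLS13_SUITES]
    return tls13, ":".join(p for p in parts if p not in TLS13_SUITES)

def lint_tls_config(text):
    """Return findings as strings; an empty list means this check passes."""
    cfg = parse_slapd_tls(text)
    if cfg["cipher_suite"] is None:
        return []  # nothing to lint without an explicit TLSCipherSuite
    tls13, legacy = split_cipher_string(cfg["cipher_suite"])
    minimum = cfg["protocol_min"] or (3, 0)
    findings = []
    if minimum <= TLS13_VERSION and not tls13:
        findings.append("TLSv1.3 is negotiable but TLSCipherSuite %r names no TLSv1.3 suite; "
                        "that string only governs TLSv1.2 and below" % legacy)
    if minimum >= TLS13_VERSION and legacy:
        findings.append("TLSProtocolMin excludes TLSv1.2, so the list %r is never used" % legacy)
    return findings

if __name__ == "__main__":
    for name, cfg in (("thread", SAMPLE_FROM_THREAD), ("fixed", SAMPLE_FIXED)):
        print(name, lint_tls_config(cfg) or "OK")
```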