On Wed, 14 Dec 2022, Stuart Henderson wrote:
> On 2022/12/14 06:22, Andre Rodier wrote:
> > olcTLSProtocolMin: 3.3
> There is no TLS 3.3; try a valid version like 1.2 or 1.3.
No, that's correct. slapd.conf(5):
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
I wrote that code for openldap back when SSL 3 was still common so it (ugh) matches how the version number was carried in the TLS handshake. Do I now regret settling on that interface? Yes, but it's Not My Problem.
Andre is almost certainly using an OpenLDAP linked against gnuTLS which has to be configured (including protocol version) using a gnuTLS-style cipher string.
Philip Guenther
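Added here as an illustration, not code from the thread or from OpenLDAP: a Python check that applies the slapd.conf(5) encoding quoted above (SSL 3.0 is 3.0, TLS 1.x is 3.(x+1)) to config lines, flags floors below TLS 1.2, applies the clamp-to-highest-supported rule, and treats GnuTLS builds as ignoring the directive. The sample config lines and the `backend` parameter are constructed for the example.

```python
import re

# Version numbers as the TLS handshake carried them and as TLSProtocolMin
# spells them: SSL 3.0 is 3.0, TLS 1.x is 3.(x+1).
KNOWN_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
HIGHEST_KNOWN = max(KNOWN_VERSIONS)

def parse_protocol_min(value):
    """Parse '<major>[.<minor>]' as slapd.conf(5) describes; minor defaults to 0."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?\s*", value)
    if not m:
        raise ValueError(f"not a <major>[.<minor>] version: {value!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def effective_minimum(value, backend="openssl"):
    """Return (version tuple, protocol name, note) for one TLSProtocolMin value."""
    if backend == "gnutls":
        # slapd.conf(5): the directive is ignored with GnuTLS, which takes the
        # protocol floor from the priority string given to TLSCipherSuite.
        return None, None, "ignored with GnuTLS; set the floor in TLSCipherSuite"
    version = parse_protocol_min(value)
    if version in KNOWN_VERSIONS:
        name = KNOWN_VERSIONS[version]
        note = "ok" if version >= (3, 3) else f"weak: {name} still negotiable"
        return version, name, note
    if version > HIGHEST_KNOWN:
        # Higher than the build supports: slapd requires the highest it has.
        return HIGHEST_KNOWN, KNOWN_VERSIONS[HIGHEST_KNOWN], f"{value} clamped"
    return version, None, f"unrecognised version {value}"

DIRECTIVE = re.compile(r"^\s*(?:olcTLSProtocolMin:|TLSProtocolMin)\s+(\S+)", re.I)

def audit_config(text, backend="openssl"):
    """Report every TLSProtocolMin / olcTLSProtocolMin line in a config excerpt."""
    return [effective_minimum(m.group(1), backend)
            for m in map(DIRECTIVE.match, text.splitlines()) if m]

# Constructed sample: one cn=config attribute and one slapd.conf directive.
SAMPLE_CONFIG = """\
olcTLSProtocolMin: 3.3
TLSProtocolMin 3.2
"""
```

Run `audit_config(SAMPLE_CONFIG)` to get one (version, name, note) triple per directive; pass `backend="gnutls"` to see the directive reported as ignored.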