--On Wednesday, February 23, 2022 9:34 AM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
On 22 Feb. 2022 at 17:48, Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Tuesday, February 22, 2022 9:45 AM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
Hello,
For a legacy application we need to drop the ssl version available on our openldap server.
Currently it supports TLSv1.2, checked with nmap --script ssl-enum-ciphers -p 636 host
Whatever value I put in olcTLSProtocolMin, the SSL version does not change… I have tried 3.0, 3.1, 3.2…
What do I miss? Or is it a feature?
What SSL library is your OpenLDAP linked to?
From what I see in config.status:
D["HAVE_OPENSSL_SSL_H"]=" 1"
D["HAVE_OPENSSL"]=" 1"
ii libssl-dev:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.1:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - shared libraries
Generally I'd look at the output of readelf or ldd on the slapd binary itself.
I would note that as documented, olcTLSProtocolMin is N+1, so 3.2 would allow 1.1 or later. 3.2 would restrict it to TLS 1.2 or later. I'm not sure nmap is actually telling you all supported versions, just that 1.2 is allowed.
I generally test using the openssl s_client command.
--Quanah
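Added example, not code from the thread: a standard-library Python script that maps an olcTLSProtocolMin value to the protocol versions slapd should still accept (per the 3.N numbering, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2) and then, like the openssl s_client check described above, offers each TLS version on its own to the ldaps port to see which handshakes actually complete. Host, port and the configured olcTLSProtocolMin value are assumed to be given on the command line.

```python
import socket
import ssl
import sys
from typing import Dict, List, Tuple

# olcTLSProtocolMin "3.N" denotes SSL/TLS minor version N: 3.0 = SSLv3, 3.1 = TLS 1.0, ...
OLC_TO_TLS = {"3.0": "SSLv3", "3.1": "TLSv1", "3.2": "TLSv1.1", "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions a Python client context can be pinned to (SSLv3 cannot be offered by the ssl module).
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def expected_versions(olc_min: str) -> List[str]:
    """Protocol versions slapd should still accept for a given olcTLSProtocolMin value."""
    if olc_min not in OLC_TO_TLS:
        raise ValueError("unsupported olcTLSProtocolMin value: %s" % olc_min)
    return ORDER[ORDER.index(OLC_TO_TLS[olc_min]):]


def probe_version(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake when the client offers only this one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing version negotiation, not the certificate
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let TLS 1.0/1.1 be offered at all on OpenSSL 1.1.1+
        ctx.minimum_version = ctx.maximum_version = PROBE_VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, ValueError, OSError):  # refused, alert, or version unsupported locally
        return False


def verify_min_version(host: str, port: int, olc_min: str) -> Dict[str, Tuple[bool, bool]]:
    """Per probeable version: (should be accepted per config, actually accepted by the server)."""
    expected = set(expected_versions(olc_min))
    return {v: (v in expected, probe_version(host, port, v)) for v in PROBE_VERSIONS}


if __name__ == "__main__":
    host, port, olc_min = sys.argv[1], int(sys.argv[2]), sys.argv[3]  # e.g. ldap.example 636 3.3
    for version, (should, does) in verify_min_version(host, port, olc_min).items():
        flag = "OK" if should == does else "MISMATCH"
        print("%-8s expected=%-5s accepted=%-5s %s" % (version, should, does, flag))
```

A MISMATCH line where a version below the configured minimum is still accepted is the symptom described in this thread; it points at slapd not reading the value you think it is reading, or at the binary being linked against a different library than you checked.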