On Wed, Dec 14, 2022 at 4:29 AM Philip Guenther pguenther@proofpoint.com wrote:
On Wed, 14 Dec 2022, Stuart Henderson wrote:
On 2022/12/14 06:22, Andre Rodier wrote:
olcTLSProtocolMin: 3.3
There is no TLS 3.3; try a valid version like 1.2 or 1.3.
No, that's correct. slapd.conf(5):
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g., TLSProtocolMin 3.2 would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
A small nit... There are no SSL/TLS minimum and maximum version numbers.
There's a Record Layer version number [1] and a Handshake Protocol version number.[2] They do not specify a range.
Years ago I argued the TLS Working Group should interpret them as min and max version numbers because that's how people interpreted them. Min and max matched the mental models of users. The Working Group rejected the arguments stating the min-max range could have holes in it. That is, a server may support TLS 1.0 and 1.3, but lack TLS 1.1 and 1.2 support.
[1] https://www.rfc-editor.org/rfc/rfc5246.html#section-6.2
[2] https://www.rfc-editor.org/rfc/rfc5246.html#section-7.3
Jeff
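An added example, not part of the thread above and not OpenLDAP code: it decodes the TLSProtocolMin "3.x" notation from slapd.conf(5) into the TLS wire (major, minor) pair, and pulls the two independent version fields (record-layer version, RFC 5246 section 6.2, and the handshake-layer client_version, RFC 5246 section 7.3) out of a constructed ClientHello record. The function names and the sample ClientHello bytes are my own assumptions; the cipher suite and random are placeholders.

```python
"""Added example: TLSProtocolMin notation and the two TLS version fields.

Not code from the thread or from OpenLDAP. The ClientHello below is
constructed inline so the script runs offline.
"""
import struct
from typing import Dict, Tuple

# TLS wire versions all carry major 3: SSL 3.0 = (3,0), TLS 1.0 = (3,1),
# TLS 1.1 = (3,2), TLS 1.2 = (3,3), TLS 1.3 = (3,4).
WIRE_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
              (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def parse_tls_protocol_min(value: str) -> Tuple[int, int]:
    """Parse a slapd TLSProtocolMin value such as "3.3" into (major, minor).

    slapd.conf(5): "To require TLS 1.x or higher, set this option to
    3.(x+1)", which is exactly the wire encoding. A bare "3" means minor 0.
    """
    major, _, minor = value.strip().partition(".")
    major_i = int(major)
    minor_i = int(minor) if minor else 0
    if major_i != 3 or minor_i < 0:
        raise ValueError(f"unsupported TLSProtocolMin value {value!r}")
    return (major_i, minor_i)


def human_name(wire: Tuple[int, int]) -> str:
    """Map a wire version pair to its marketing name."""
    return WIRE_NAMES.get(wire, f"unknown wire version {wire[0]}.{wire[1]}")


def meets_minimum(version: Tuple[int, int], minimum: Tuple[int, int]) -> bool:
    """True if a negotiated wire version satisfies a TLSProtocolMin floor."""
    return version >= minimum


def build_client_hello(record_version: Tuple[int, int],
                       client_version: Tuple[int, int]) -> bytes:
    """Constructed sample: a minimal ClientHello inside one TLS record.

    Layout: 2-byte client_version, 32-byte random (zeros here), empty
    session_id, one placeholder cipher suite, null compression, empty
    extensions block.
    """
    body = (bytes(client_version) + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + b"\x00\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return bytes([22, *record_version]) + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello_versions(record: bytes) -> Dict[str, Tuple[int, int]]:
    """Return the record-layer version and the handshake client_version.

    These are two separate fields. Neither is a minimum or a maximum of
    anything, which is the point made in the thread.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    if len(body) < 6:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError(f"not a ClientHello (handshake type {hs_type})")
    if len(body) - 4 != hs_len:
        raise ValueError("handshake length mismatch")
    return {"record_version": (rec_major, rec_minor),
            "client_version": (body[4], body[5])}


if __name__ == "__main__":
    floor = parse_tls_protocol_min("3.3")  # the value from the thread
    print("TLSProtocolMin 3.3 ->", human_name(floor))
    hello = build_client_hello((3, 1), (3, 3))
    print(parse_client_hello_versions(hello))
```

The record-layer version in a real ClientHello is commonly (3,1) for compatibility while the handshake-layer field advertises something newer, which is why the parser reports both rather than treating either as a range endpoint.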