https://bugs.openldap.org/show_bug.cgi?id=9518
Issue ID: 9518
Summary: Configuration parameter to force TLSv1.2 (-no_tls1_3)
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: b...@openldap.org
Reporter: tom.bosm...@be.ibm.com
Target Milestone: ---

Hi,

I'm running into a problem during creation of an Ansible playbook that uses the community.general.ldap_entry module, which in turn depends on python-ldap, which uses the OpenLDAP libraries.

My (OpenLDAP) server is configured for TLS 1.2, but does not support TLS 1.3.

openssl version: OpenSSL 1.1.1k (have tried 1.1.1g as well).

So the root cause is that openssl, if it's compiled with TLS v1.3, will try TLS v1.3. If that doesn't work because the server does not support it, it just stops. This is madness.

openssl s_client -connect isva.test:636 -showcerts -state
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error

Now within openssl, there's a parameter that you can set to skip TLS 1.3. Great. So this works:

openssl s_client -connect isva.test:636 -showcerts -state -no_tls1_3
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=0 CN = isva.test
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = isva.test
...

But with ldapsearch, there's no option to pass this. I've tried changing the cipher suite in .ldaprc, but to no avail. The TLSv1.3 ciphers are always used.

[tbosmans@tbosmans-p73 ~]$ ldapsearch -x -H ldaps://isva.test -D "cn=bind,o=whatever" -w "pasword" -b "o=test" -v -d1
ldap_url_parse_ext(ldaps://isva.test)
ldap_initialize( ldaps://isva.test:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://isva.test:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP isva.test:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.42.135:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[tbosmans@tbosmans-p73 ~]$ cat .ldaprc
TLS_REQCERT never
TLS_ECNAME ECDHE
TLS_CIPHER_SUITE ECDHE-ECDSA-ARIA256-GCM-SHA384

So it would be great if there was an option equivalent to "-no_tls1_3" for the OpenLDAP client tools (or there may be a way to achieve this that I've missed so far).
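Added example (not part of the bug report, and not OpenLDAP's own code): the OpenLDAP 2.4 client library exposes TLS_PROTOCOL_MIN in ldap.conf/.ldaprc but no maximum-version setting (later releases add TLS_PROTOCOL_MAX), so the per-process way to get the effect of s_client's -no_tls1_3 with an unpatched 2.4 ldapsearch or python-ldap is to cap the protocol in OpenSSL's own configuration. OpenSSL 1.1.x reads MinProtocol/MaxProtocol from the system_default ssl_conf section of the file named by OPENSSL_CONF and applies them to every SSL_CTX the process creates, which includes libldap's. The function names, the temporary file handling and the probe helper are this example's own; it assumes an OpenSSL 1.1.1 build and a libldap linked against OpenSSL rather than GnuTLS (Debian and Ubuntu ship a GnuTLS libldap, where OPENSSL_CONF has no effect).

```shell
#!/bin/sh
# Added example: pin a single process (ldapsearch, ansible-playbook, python) to
# TLS 1.2 through OpenSSL's config file instead of a libldap option that 2.4
# does not have. Assumes OpenSSL >= 1.1.0 with config support and an
# OpenSSL-linked libldap.

# Write an OpenSSL config whose system_default section caps every SSL_CTX at
# TLS 1.2. MinProtocol is set too so the cap cannot silently fall back to
# TLS 1.0/1.1. $1 = path to write. (Section names are conventional, not fixed.)
write_tls12_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
EOF
}

# Run any command under the capped config and clean up afterwards.
# Usage: run_tls12_only ldapsearch -x -H ldaps://host -b "o=test" ...
run_tls12_only() {
    cnf=$(mktemp) || return 1
    write_tls12_cnf "$cnf"
    OPENSSL_CONF="$cnf" "$@"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Diagnostic: confirm the server really refuses a TLS 1.3 ClientHello but
# completes TLS 1.2, i.e. what the report shows with and without -no_tls1_3.
# s_client exits non-zero when the handshake fails. Prints e.g.
# "tls1_3:fail tls1_2:ok". Needs network access to $1 (port $2, default 636).
probe_versions() {
    host=$1; port=${2:-636}
    for v in tls1_3 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            printf '%s:ok ' "$v"
        else
            printf '%s:fail ' "$v"
        fi
    done
    echo
}
```

Usage: `run_tls12_only ldapsearch -x -H ldaps://isva.test -b "o=test"`, or `run_tls12_only ansible-playbook site.yml` so that python-ldap inside the playbook inherits the cap. Two things to check before blaming TLS 1.3: run `probe_versions isva.test` to see whether the server actually rejects the 1.3 ClientHello, and retry with the TLS_CIPHER_SUITE line removed from .ldaprc, because offering a single ARIA suite to a server that lacks ARIA support produces the same fatal handshake_failure alert regardless of protocol version. Keep the cap scoped with OPENSSL_CONF rather than editing the system openssl.cnf, since a global MaxProtocol downgrades every TLS client on the host.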