On 5/5/21 1:29 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> TLSProtocolMin 3.3
>> TLSCipherSuite HIGH
>
> Then you're getting TLSv1.3 on these connections. Your ciphersuite config
> has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and
> below.

Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate
TLSv1.3 ciphers for HIGH.

> Change your suite config to include some actual TLSv1.3 suites and it will be
> fine. There's no bug here, just a change in OpenSSL behavior which is covered
> in their documentation. https://wiki.openssl.org/index.php/TLS1.3

Thanks for your explanations. Your text seems worth adding here:

https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20configuration%20control

Ciao, Michael.
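
The OpenSSL behaviour discussed in this thread can be checked locally with the following added example, which is not part of either message and is not OpenLDAP code. It uses Python's `ssl` module, whose `set_ciphers()` wraps OpenSSL's pre-TLSv1.3 cipher-list call, and it assumes Python is linked against OpenSSL 1.1.1 or later; the function names and the second cipher string are chosen here for illustration.

```python
import ssl


def suites_by_protocol(cipher_string):
    """Apply an OpenSSL cipher-list string and return (tls13, older) suite names.

    Assumption: Python is linked against OpenSSL 1.1.1 or later, so the
    context carries TLSv1.3 suites in addition to the cipher list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # affects TLSv1.2 and below only
    tls13, older = [], []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            tls13.append(suite["name"])
        else:
            older.append(suite["name"])
    return tls13, older


def cipher_list_leaves_tls13_untouched(string_a, string_b):
    """True when two different cipher-list strings change the TLSv1.2-and-below
    suites but leave the enabled TLSv1.3 suites identical."""
    tls13_a, older_a = suites_by_protocol(string_a)
    tls13_b, older_b = suites_by_protocol(string_b)
    return sorted(tls13_a) == sorted(tls13_b) and set(older_a) != set(older_b)


if __name__ == "__main__":
    # "HIGH" is the string from the thread; "ECDHE+AESGCM" is a narrower
    # string chosen here only to have something to compare against.
    for cipher_string in ("HIGH", "ECDHE+AESGCM"):
        tls13, older = suites_by_protocol(cipher_string)
        print(f"cipher string {cipher_string!r}")
        print(f"  TLSv1.3 suites ({len(tls13)}): {', '.join(tls13)}")
        print(f"  TLSv1.2-and-below suites: {len(older)}")
    print("TLSv1.3 set unchanged by the cipher string:",
          cipher_list_leaves_tls13_untouched("HIGH", "ECDHE+AESGCM"))
```
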