--On Wednesday, February 23, 2022 9:34 AM +0100 Frédéric Goudal
<[email protected]> wrote:
On 22 Feb 2022 at 17:48, Quanah Gibson-Mount <[email protected]> wrote:
--On Tuesday, February 22, 2022 9:45 AM +0100 Frédéric Goudal
<[email protected]> wrote:
Hello,
For a legacy application we need to drop the ssl version available on
our openldap server.
Currently it supports TLSv1.2, checked with nmap --script
ssl-enum-ciphers -p 636 host
Whatever value I put in olcTLSProtocolMin, the SSL version does not
change… I have tried 3.0, 3.1, 3.2…
What am I missing?
Or is it a feature?
What SSL library is your OpenLDAP linked to?
From what I see in config.status
D["HAVE_OPENSSL_SSL_H"]=" 1"
D["HAVE_OPENSSL"]=" 1"
ii  libssl-dev:amd64  1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - development files
ii  libssl1.1:amd64   1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - shared libraries
Generally I'd look at the output of readelf or ldd on the slapd binary
itself.
I would note that as documented, olcTLSProtocolMin is N+1, so 3.2 would
allow 1.1 or later. 3.2 would restrict it to TLS 1.2 or later. I'm not
sure nmap is actually telling you all supported versions, just that 1.2 is
allowed.
I generally test using the openssl s_client command.
--Quanah
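The thread above relies on two things: knowing how olcTLSProtocolMin encodes the minimum version (major.minor of the TLS record layer, so 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2), and verifying the result with a per-version handshake rather than trusting a single nmap line. The following script is an added example written for this page, not code from the thread or from the OpenLDAP project. It pins a client handshake to one protocol version at a time (the same check `openssl s_client -tls1_1` and friends perform), reports which versions the server still accepts, and prints the cn=config LDIF that would raise the floor. The 3.4 = TLS 1.3 entry, the hostname, and the `connect` parameter (which lets the probe be exercised offline) are assumptions of this example; the thread itself only discusses versions up to TLS 1.2.

```python
"""Probe which TLS versions an LDAPS listener accepts and derive the matching
olcTLSProtocolMin value.  Constructed example; not OpenLDAP project code."""
import socket
import ssl
import sys

# Oldest first.  The olcTLSProtocolMin value is the record-layer version
# (major.minor) of the *oldest* protocol slapd should accept, so "3.3" means
# TLS 1.2 or later.  The TLS 1.3 entry is this example's assumption.
PROTOCOL_MIN = {
    "SSLv3": "3.0",
    "TLSv1.0": "3.1",
    "TLSv1.1": "3.2",
    "TLSv1.2": "3.3",
    "TLSv1.3": "3.4",
}
ORDER = list(PROTOCOL_MIN)

# Versions the Python ssl module can still pin a handshake to (SSLv3 is gone).
SSL_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def olc_tls_protocol_min(min_version):
    """Return the olcTLSProtocolMin string for the given minimum version."""
    return PROTOCOL_MIN[min_version]


def protocol_min_ldif(min_version):
    """LDIF that sets the floor on cn=config (apply with ldapmodify)."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: olcTLSProtocolMin\n"
        f"olcTLSProtocolMin: {olc_tls_protocol_min(min_version)}\n"
    )


def try_handshake(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only, not a trust check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = SSL_VERSIONS[version]
        # Current OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lowering it client-side is needed to even offer those versions.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return False                 # local library cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True          # min == max, so success means `version`
    except (ssl.SSLError, OSError):
        return False


def probe_versions(host, port=636, connect=try_handshake):
    """Map each probe-able version to whether the server accepted it.

    `connect` is injectable so the reporting logic can be tested offline."""
    return {v: connect(host, port, v) for v in SSL_VERSIONS}


def versions_below_minimum(results, min_version):
    """Versions older than min_version that the server still accepted."""
    limit = ORDER.index(min_version)
    return [v for v, ok in results.items() if ok and ORDER.index(v) < limit]


if __name__ == "__main__":
    # Placeholder host; pass your LDAPS server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    found = probe_versions(target)
    for v, ok in found.items():
        print(f"{v:8} {'accepted' if ok else 'rejected'}")
    lax = versions_below_minimum(found, "TLSv1.2")
    if lax:
        print("still accepted below TLS 1.2:", ", ".join(lax))
        print(protocol_min_ldif("TLSv1.2"), end="")
```

Run it as `python3 probe.py ldap.example.invalid` after the olcTLSProtocolMin change: if TLS 1.0 or 1.1 still shows as accepted, slapd is not linked against the library you think it is (the `ldd slapd` check Quanah suggests) or the change was not applied to cn=config. Because each probe fixes `minimum_version == maximum_version`, a successful handshake proves that exact version is enabled server-side, which is the information a single `ssl-enum-ciphers` run does not guarantee.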