On Wed, 14 Dec 2022, Stuart Henderson wrote:
> On 2022/12/14 06:22, Andre Rodier wrote:
> > > olcTLSProtocolMin: 3.3
>
> There is no TLS 3.3; try a valid version like 1.2 or 1.3.
No, that's correct. slapd.conf(5):
    TLSProtocolMin <major>[.<minor>]
        Specifies minimum SSL/TLS protocol version that will be
        negotiated. If the server doesn't support at least that
        version, the SSL handshake will fail. To require TLS 1.x or
        higher, set this option to 3.(x+1), e.g.,

            TLSProtocolMin 3.2

        would require TLS 1.1. Specifying a minimum that is higher than
        that supported by the OpenLDAP implementation will result in it
        requiring the highest level that it does support. This
        directive is ignored with GnuTLS.
I wrote that code for openldap back when SSL 3 was still common so it
(ugh) matches how the version number was carried in the TLS handshake.
Do I now regret settling on that interface? Yes, but it's Not My Problem.

Andre is almost certainly using an OpenLDAP linked against GnuTLS, which
has to be configured (including protocol version) using a GnuTLS-style
cipher string.
Philip Guenther
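As an added worked example (not part of the thread and not OpenLDAP's own code), the following Python encodes the mapping the slapd.conf(5) excerpt above describes: TLSProtocolMin 3.(x+1) means TLS 1.x, i.e. the major.minor pair the TLS handshake itself carries (SSL 3.0 = 3.0, TLS 1.0 = 3.1, TLS 1.2 = 3.3, TLS 1.3 = 3.4). It also applies the man page's clipping rule and shows why "1.2" typed literally is rejected. The helper names, the assumed TLS 1.3 ceiling of the linked library, and the GnuTLS priority-string form (which slapd takes through TLSCipherSuite when built against GnuTLS) are my assumptions for illustration.

```python
"""Helpers for OpenLDAP's TLSProtocolMin / olcTLSProtocolMin encoding.

Constructed example, not OpenLDAP code. The value is '<major>[.<minor>]' and
uses the version numbering carried in the TLS handshake, so to require
TLS 1.x or higher you write 3.(x+1).
"""

# Assumption: the linked OpenSSL supports up to TLS 1.3, i.e. wire version 3.4.
ASSUMED_MAX_SUPPORTED = (3, 4)

# Wire minor -> protocol name. Major is always 3 for SSL 3.0 and every TLS.
_MINOR_TO_NAME = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2", 4: "TLSv1.3"}
_NAME_TO_MINOR = {name: minor for minor, name in _MINOR_TO_NAME.items()}


def parse_protocol_min(value: str) -> tuple[int, int]:
    """Parse a TLSProtocolMin value such as '3.3' or '3' into (major, minor).

    Raises ValueError for malformed input and for a major other than 3, which
    is exactly what happens if someone writes the TLS version ('1.2') literally.
    """
    parts = value.strip().split(".")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a <major>[.<minor>] value: {value!r}")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) == 2 else 0  # '3' alone means 3.0
    if major != 3:
        raise ValueError(
            f"major must be 3 (got {major}); TLS 1.x is written as 3.{{x+1}}"
        )
    return (major, minor)


def wire_to_name(version: tuple[int, int]) -> str:
    """(3, 3) -> 'TLSv1.2'; (3, 0) -> 'SSLv3'."""
    major, minor = version
    if major != 3 or minor not in _MINOR_TO_NAME:
        raise ValueError(f"unknown SSL/TLS wire version {major}.{minor}")
    return _MINOR_TO_NAME[minor]


def name_to_wire(name: str) -> tuple[int, int]:
    """'TLSv1.2' or '1.2' -> (3, 3); 'SSLv3' -> (3, 0)."""
    key = name if name.startswith(("TLSv", "SSLv")) else f"TLSv{name}"
    if key not in _NAME_TO_MINOR:
        raise ValueError(f"unknown protocol name {name!r}")
    return (3, _NAME_TO_MINOR[key])


def protocol_min_for(name: str) -> str:
    """Render the TLSProtocolMin directive value that requires `name` or higher."""
    major, minor = name_to_wire(name)
    return f"{major}.{minor}"


def effective_minimum(value: str, supported_max=ASSUMED_MAX_SUPPORTED) -> str:
    """Apply the man page rule: a minimum above what the build supports is
    clipped to the highest version it does support."""
    requested = parse_protocol_min(value)
    return wire_to_name(min(requested, supported_max))


def gnutls_priority(min_name: str, base: str = "SECURE128") -> str:
    """Equivalent GnuTLS priority string for a GnuTLS-linked slapd, where
    TLSProtocolMin is ignored and the version floor goes in TLSCipherSuite.

    Assumption: '-VERS-ALL' followed by explicit '+VERS-TLS1.x' entries is the
    form used; 'base' is a placeholder for the site's cipher policy.
    """
    floor = name_to_wire(min_name)[1]
    if floor == 0:
        raise ValueError("SSLv3 floor not expressible here; choose TLS 1.0 or later")
    enabled = [f"+VERS-TLS1.{m - 1}" for m in range(floor, ASSUMED_MAX_SUPPORTED[1] + 1)]
    return ":".join([base, "-VERS-ALL", *enabled])


if __name__ == "__main__":
    for v in ("3.2", "3.3", "3.4", "3.9", "3"):
        print(f"TLSProtocolMin {v:<4} -> requires {effective_minimum(v)}")
    print("TLS 1.2 floor for GnuTLS builds:", gnutls_priority("TLSv1.2"))
```

The `parse_protocol_min("1.2")` failure is the point of the thread: "1.2" is not a valid value even though it is a valid TLS version; the directive wants 3.3.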