Hi,
I use sssd together with 389 directory server to manage ids and credentials. My Directory Server is configured to allow only TLSv1.3 (sslVersionMin == sslVersionMax == 1.3). However, whenever I start an ssh session to a machine using a directory user, I get the following message sequence between the sssd client and the directory server (exchange generated when the password is entered at the prompt):

  client -> DS   TLSv1.2 message
  DS -> client   TLSv1.2 message
  client closes the connection (RST)
  client establishes a new connection
  TLS handshake, Change Cipher Spec, TLSv1.3 exchange (see detailed exchange below)

I don't understand why there is this initial TLSv1.2 exchange. Is there a possibility to enforce TLSv1.3 on the sssd side? I tried to set:

  ldap_tls_cipher_suite = TLSv1.3!EXPORT:!NULL

in /etc/sssd.conf, but the behavior is the same.

23 49.553616751 client → DS *TLSv1.2* 95 Application Data
24 49.553632077 client → DS *TLSv1.2* 90 Application Data
25 49.554509324 DS → client *TLSv1.2* 90 Application Data
26 49.554526401 client → DS TCP 54 44625 → 636 *[RST]* Seq=56 Win=0 Len=0
27 49.554534690 DS → client TCP 66 636 → 44625 *[RST, ACK]* Seq=25 Ack=56 Win=286 Len=0 TSval=1278977543 TSecr=3489465836
28 52.843158542 client → DS TCP 74 44627 → 636 *[SYN]* Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3489469126 TSecr=0 WS=128
29 52.843547010 DS → Client TCP 74 636 → 44627 *[SYN, ACK]* Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1278980832 TSecr=3489469126 WS=128
30 52.843572758 client → DS TCP 66 44627 → 636 *[ACK]* Seq=1 Ack=1 Win=29312 Len=0 TSval=3489469126 TSecr=1278980832
31 52.84471237 client → DS TLSv1 355 *Client Hello*
32 52.845104921 DS → client TCP 66 636 → 44627 [ACK] Seq=1 Ack=290 Win=30080 Len=0 TSval=1278980833 TSecr=3489469127
33 52.866829425 DS → client TLSv1.3 4029 Server Hello, Change Cipher Spec, Application Data
34 52.866846844 client → DS TCP 66 44627 → 636 [ACK] Seq=290 Ack=3964 Win=37248 Len=0 TSval=3489469150 TSecr=1278980855
35 52.867532757 client → DS TLSv1.3 160 Change Cipher Spec, Application Data, Application Data
36 52.867591615 client → DS TLSv1.3 348 Application Data
37 52.868097985 DS → client TCP 66 636 → 44627 [ACK] Seq=3964 Ack=666 Win=31104 Len=0 TSval=1278980856 TSecr=3489469150
38 52.868929089 DS → client TLSv1.3 1471 Application Data
39 52.868942962 DS → client TLSv1.3 102 Application Data
40 52.869048855 client → DS TCP 66 44627 → 636 [ACK] Seq=666 Ack=5
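As an added illustration (not part of the original post, and it assumes nothing about sssd or 389-ds), the parser below separates the two version fields a capture tool can report: the record-layer header carries the legacy value 0x0303 on every TLS 1.3 record (and may carry 0x0301 on the very first ClientHello record, RFC 8446 section 5.1), while the version actually negotiated is only visible in the supported_versions extension of the ClientHello/ServerHello. The sample records are constructed here so the example runs offline.

```python
import struct

TLS12, TLS13 = 0x0303, 0x0304
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
EXT_SUPPORTED_VERSIONS = 0x002B

def build_client_hello(offered):
    """Constructed minimal TLS 1.3 ClientHello record offering `offered` via supported_versions."""
    versions = b"".join(struct.pack(">H", v) for v in offered)
    sv_ext = struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, len(versions) + 1, len(versions)) + versions
    body = (struct.pack(">H", TLS12)          # legacy_version: fixed at 0x0303 in TLS 1.3
            + b"\x00" * 32                    # client random (constructed, all zero)
            + b"\x00"                         # session_id length 0
            + struct.pack(">HH", 2, 0x1301)   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null only
            + struct.pack(">H", len(sv_ext)) + sv_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    # RFC 8446 5.1: the initial ClientHello record MAY use legacy_record_version 0x0301
    return struct.pack(">BHH", HANDSHAKE, 0x0301, len(hs)) + hs

def build_app_data_record(ciphertext):
    """Constructed TLS 1.3 application_data record; the header always says 0x0303."""
    return struct.pack(">BHH", APPLICATION_DATA, TLS12, len(ciphertext)) + ciphertext

def parse_record(data):
    ctype, legacy_version, length = struct.unpack(">BHH", data[:5])
    return ctype, legacy_version, data[5:5 + length]

def client_hello_supported_versions(hs):
    """Versions listed in ClientHello.supported_versions, or [] if the extension is absent."""
    body = hs[4:]                                         # skip 4-byte handshake header
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        if etype == EXT_SUPPORTED_VERSIONS:
            return [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, edata[0], 2)]
        pos += 4 + elen
    return []

def record_versions(data):
    """(content_type, header version a sniffer prints, versions offered) - offered is None
    for non-ClientHello records, where the header alone cannot tell 1.2 from 1.3."""
    ctype, legacy_version, payload = parse_record(data)
    offered = None
    if ctype == HANDSHAKE and payload[:1] == b"\x01":
        offered = client_hello_supported_versions(payload)
    return ctype, legacy_version, offered
```

A sniffer that missed the handshake on an existing connection has only the header version to label an application_data record, so the label by itself does not establish which protocol version the session negotiated.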
sssd-users mailing list -- [email protected]
