There is no way to tell the LDAP client library which TLS protocol version to use. That is, there is no way to pass TLS_PROTOCOL_MIN to the openldap library, and no way to specify that setting in the 389 config.
Sending patch out for review...
{{{
#define TLS_VERSION_MAX SSL_LIBRARY_VERSION_TLS_1_2
range.max = TLS_VERSION_MAX;
}}}
I'm sure TLS1.2 is high enough for the max range, for now. But for the future, you may want to leave the max value to the version provided by NSS...
{{{
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
[...]
+ ldapNSSVersions.max = enabledNSSVersions.max;
}}}
New patch attached...
Thanks, Mark!!
Instead of the table mapping the string to the number, and vice versa, please use the function method Noriko developed (is developing) for dirsrv. Otherwise, we will have to keep extending the table when a new TLS version comes out . . . I know you didn't add that table in this patch, but we should take care of this now.
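The two review points above, clamping the configured range to what NSS reports as supported and deriving the version string by computation instead of a string-to-number table, as an added illustration in C that is not part of the patch or of 389-ds-base; it mirrors NSS's SSL_LIBRARY_VERSION_* values and SSLVersionRange struct locally so it builds without NSS, and the "TLS1.x" name format is an assumption:

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* NSS's own SSL_LIBRARY_VERSION_* values (sslproto.h); the struct mirrors
 * NSS's SSLVersionRange so this file builds and runs without NSS installed. */
#define TLS_1_0 0x0301
#define TLS_1_3 0x0304
typedef struct { uint16_t min; uint16_t max; } tls_range;

/* Version number -> "TLS1.x", derived from the minor byte instead of a lookup
 * table, so a future TLS version needs no new table entry. 0 on success. */
int tls_version_to_string(uint16_t v, char *buf, size_t len) {
    if ((v >> 8) != 0x03 || v < TLS_1_0) return -1;      /* SSL3 or garbage */
    return snprintf(buf, len, "TLS1.%d", (v & 0xff) - 1) < (int)len ? 0 : -1;
}

/* "TLS1.x" -> version number; 0 if the string is not of that exact form. */
uint16_t tls_string_to_version(const char *s) {
    unsigned minor; char tail;
    if (sscanf(s, "TLS1.%u%c", &minor, &tail) != 1 || minor > 15) return 0;
    return (uint16_t)(0x0300 + minor + 1);
}

/* Clamp the configured [min,max] to what the crypto library supports; with NSS
 * the supported range comes from SSL_VersionRangeGetSupported(). A 0 in the
 * configured range means "not set" and takes the library's bound (this is the
 * "max = enabledNSSVersions.max" case from the review). -1 if the result is empty. */
int clamp_tls_range(const tls_range *supported, tls_range *configured) {
    if (configured->min == 0 || configured->min < supported->min)
        configured->min = supported->min;
    if (configured->max == 0 || configured->max > supported->max)
        configured->max = supported->max;
    return configured->min <= configured->max ? 0 : -1;
}

int main(void) {
    /* Constructed sample: library supports TLS1.0..TLS1.3, admin set only a min. */
    tls_range supported = { TLS_1_0, TLS_1_3 };
    tls_range configured = { tls_string_to_version("TLS1.2"), 0 };
    char lo[16], hi[16];
    if (clamp_tls_range(&supported, &configured) != 0) return 1;
    tls_version_to_string(configured.min, lo, sizeof lo);
    tls_version_to_string(configured.max, hi, sizeof hi);
    printf("effective TLS range: %s .. %s\n", lo, hi); /* TLS1.2 .. TLS1.3 */
    return 0;
}
```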
Replying to [comment:6 rmeggins]:
I fully agree, I was under the impression that Noriko opened a RFE on NSS for this:
[Bug 1161807] New: [RFE] API to convert SSL version number to SSL version string
So I guess we need to wait to see what happens with this bug before proceeding with the openldap fix?
Replying to [comment:7 mreynolds]:
> Replying to [comment:6 rmeggins]:
> > Instead of the table mapping the string to the number, and vice versa, please use the function method Noriko developed (is developing) for dirsrv. Otherwise, we will have to keep extending the table when a new TLS version comes out . . . I know you didn't add that table in this patch, but we should take care of this now.
>
> I fully agree, I was under the impression that Noriko opened a RFE on NSS for this:
> [Bug 1161807] New: [RFE] API to convert SSL version number to SSL version string
> So I guess we need to wait to see what happens with this bug before proceeding with the openldap fix?
Best case scenario is that the NSS fix will be available several months from now. Unfortunately we can't wait that long.
Per DS triage, close this and deal with in OpenLDAP BZs.
Metadata Update from @rmeggins:
- Issue assigned to mreynolds
- Issue set to the milestone: N/A
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1272
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Duplicate)