Michael Ströder wrote:
> On 5/5/21 1:29 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> TLSProtocolMin 3.3
>>> TLSCipherSuite HIGH
>>
>> Then you're getting TLSv1.3 on these connections. Your ciphersuite config
>> has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and
>> below.
>
> Ah sorry. I've wrongly implied that OpenSSL automagically chooses
> appropriate TLSv1.3 ciphers for HIGH.
>
>> Change your suite config to include some actual TLSv1.3 suites and it will be
>> fine. There's no bug here, just a change in OpenSSL behavior which is covered
>> in their documentation. https://wiki.openssl.org/index.php/TLS1.3

This appears to be one of the things they changed between OpenSSL 1.1.0 and 1.1.1.
It's overall pretty user-unfriendly; I've submitted a patch to them to make things
a little easier. https://github.com/openssl/openssl/pull/15161
Perhaps this problem can go away in a future OpenSSL release.

> Thanks for your explanations.
>
> Your text seems worth adding here:
>
> https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20configuration%20control
>
> Ciao, Michael.
> --

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
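As an added illustration of the split Howard describes (example code written for this page, not code from the thread, OpenLDAP or OpenSSL), the Python script below separates a TLSCipherSuite-style string into the two lists OpenSSL 1.1.1 keeps apart, and shows that a cipher-list keyword such as HIGH leaves the TLSv1.3 suites untouched. It assumes that the "TLS_" name prefix distinguishes TLSv1.3 suites from legacy cipher-list tokens, and it uses Python's ssl module, which wraps SSL_CTX_set_cipher_list() but exposes no equivalent of SSL_CTX_set_ciphersuites().

```python
import ssl

# Assumption of this example: OpenSSL's TLSv1.3 suite names all begin with
# "TLS_" (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ...), while
# legacy cipher-list tokens (HIGH, !aNULL, ECDHE-RSA-AES256-GCM-SHA384) do not.
TLS13_PREFIX = "TLS_"
TLS13_AVAILABLE = ssl.HAS_TLSv1_3   # False only on an OpenSSL without TLSv1.3


def split_suite_spec(spec):
    """Split a colon-separated suite spec into the two strings OpenSSL 1.1.1
    wants: the cipher list for TLSv1.2 and below (SSL_CTX_set_cipher_list)
    and the TLSv1.3 ciphersuites string (SSL_CTX_set_ciphersuites)."""
    legacy, tls13 = [], []
    for token in filter(None, spec.split(":")):
        (tls13 if token.startswith(TLS13_PREFIX) else legacy).append(token)
    return ":".join(legacy), ":".join(tls13)


def suites_by_protocol(cipher_list):
    """Apply a legacy cipher list to a context and report which suites the
    context will still offer, grouped by the protocol version they belong to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)   # maps to SSL_CTX_set_cipher_list()
    grouped = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


if __name__ == "__main__":
    # Constructed spec in the style of the thread: HIGH plus two TLSv1.3 suites.
    legacy, tls13 = split_suite_spec(
        "HIGH:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
    print("cipher_list  :", legacy)   # HIGH
    print("ciphersuites :", tls13)    # TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # HIGH only filters the TLSv1.2-and-below list: the TLSv1.3 suites OpenSSL
    # enables by default are still offered, because that set is configured
    # separately and nothing in the string above touched it.
    for proto, names in suites_by_protocol(legacy).items():
        print(proto, len(names), "suites, e.g.", names[0])
```

A server that wants to restrict the TLSv1.3 set has to hand the second string to SSL_CTX_set_ciphersuites(); passing a TLSv1.3 suite name through set_ciphers() alone does not select it.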