Thanks for the response Quanah. You're right they're mentioning "some" LDAP server. And as you indirectly mentioned, with OpenSSL 1.0 the TLS 1.3 is not supported.
However, I believe TLS 1.3 already works with OpenLDAP and OpenSSL. You might want to give a try to Docker image fedora:rawhide. I was able to successfully establish TLS 1.3 connection ldapsearch<->slapd.

Tested with:
openldap-2.4.46-8.fc30.x86_64
openssl-1.1.1-0.pre9.2.fc30.x86_64

HTH

Best regards,
Matus

On Fri, Sep 21, 2018 at 8:23 PM Quanah Gibson-Mount <[email protected]> wrote:
>
> --On Friday, September 21, 2018 10:59 AM +0000 [email protected] wrote:
>
> > Hi Nancy,
> >
> > I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked
> > with openssl-1.0.2 there.
> >
> > Anyway, please report all issues related to TLS in OpenLDAP in Red Hat
> > products to Red Hat Support or Bugzilla, first.
>
> Based on what I read in their report, they have an LDAP server (not
> OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their
> RedHat system won't negotiate TLS 1.3 with that server. This is not
> surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release
> series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (See
> ITS#8914). I'm currently examining what's necessary for such support. I
> would not expect any OpenLDAP based ldapsearch binary to be able to
> negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux
> distribution OpenLDAP based ldapsearch binary to support it for quite some
> time. GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release
> as of July 2018, so this would not work in debian based distributions
> either unless running the very bleeding edge.
>
> Warm regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>

-- 
Matúš Honěk
Software Engineer
Red Hat Czech
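The thread turns on which TLS version an LDAP client and server actually negotiated, which is easy to verify from the session summary that `openssl s_client` prints. The following POSIX shell helper is an added example, not code from the thread or from the OpenLDAP project; it assumes an OpenSSL 1.1.1 or later client (where both TLS 1.3 and `-starttls ldap` are available), a placeholder host and port supplied by the caller, and the abridged `s_client` outputs below are constructed samples for offline testing.

```shell
#!/bin/sh
# Added example (not from the thread): report the TLS version an LDAP
# server negotiated, by parsing the "Protocol  : TLSv1.x" line in the
# session summary printed by `openssl s_client`.
# Assumption: the client is OpenSSL 1.1.1+ (needed for TLS 1.3 and for
# `-starttls ldap`).

# Read s_client output on stdin and print the negotiated protocol
# (e.g. "TLSv1.3"). Prints nothing if no session was established.
negotiated_tls_version() {
  sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if the s_client output on stdin shows a TLS 1.3 session, 1 otherwise.
is_tls13() {
  [ "$(negotiated_tls_version)" = "TLSv1.3" ]
}

# Live check: STARTTLS on the LDAP port of HOST PORT (placeholders), then
# print the negotiated version. Usage: check_ldap_tls_version ldap.example.test 389
check_ldap_tls_version() {
  openssl s_client -connect "$1:$2" -starttls ldap </dev/null 2>/dev/null \
    | negotiated_tls_version
}

# Constructed sample outputs (abridged s_client session summaries) so the
# parser can be exercised without a server.
SAMPLE_TLS13='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

SAMPLE_TLS12='---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---'

# A failed handshake never reaches the session summary (constructed).
SAMPLE_FAIL='CONNECTED(00000003)
no peer certificate available'
```

Pipe a live `openssl s_client -starttls ldap` run (or an `ldapsearch -d 1` transcript, after adapting the pattern) into `negotiated_tls_version` to see what the two ends settled on; the `is_tls13` helper is the form to use in a monitoring check, since it yields an exit status rather than text.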
