--On Thursday, October 11, 2018 3:52 PM +0800 moyanan <[email protected]> wrote:
> I set the parameter in client: TLS_PROTOCOL_MIN 3.4, the client still
> starts a client hello with TLS1.2. I doubt that the parameter works in
> my configuration.
> Here is my ldap.conf:

Hi Nancy,

I would suggest reading the man page for ldap.conf(5):

<http://www.openldap.org/software/man.cgi?query=ldap.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

Some of the settings in the ldap.conf you provided do not seem valid.

Again, I'd confirm what SSL library the ldapsearch you're using is linked to (i.e., ldd /path/to/ldapsearch). I only see TLS 1.3 negotiated by default in my build setup where both slapd and the ldap* tools are linked to OpenSSL 1.1.1.

Per the ldap.conf(5) man page, the TLS_PROTOCOL_MIN parameter is ignored by GnuTLS, which makes me wonder if you're using a GnuTLS-linked ldapsearch binary.

The ldap.conf file I'm using simply sets TLS_REQCERT never, with no other options configured.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

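The two checks Quanah recommends (confirm which TLS library the ldapsearch binary is linked against, then read the TLS_PROTOCOL_MIN setting out of ldap.conf), as an added shell example that is not part of the mailing-list thread. The ldd output and ldap.conf contents it uses are constructed samples; the mapping of TLS_PROTOCOL_MIN values to protocol versions (3.1 = TLS 1.0 up to 3.4 = TLS 1.3) follows ldap.conf(5).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# (1) tls_backend: which TLS library an ldap* binary is linked to, from ldd output.
#     libldap pulls in the TLS library, so `ldd /path/to/ldapsearch` shows it.
# (2) conf_tls_min / tls_min_name: read TLS_PROTOCOL_MIN from an ldap.conf and
#     name the protocol it selects; TLS_PROTOCOL_MIN is ignored by GnuTLS builds.
# All sample data below is constructed.

# tls_backend: read `ldd` output on stdin, print openssl | gnutls | unknown.
tls_backend() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *libgnutls.so*) echo gnutls ;;
        *libssl.so*)    echo openssl ;;
        *)              echo unknown ;;
    esac
}

# tls_min_name: map a TLS_PROTOCOL_MIN value (<major>[.<minor>]) to a protocol
# name. 3.0 is SSL 3.0; each minor step above it is the next TLS version.
tls_min_name() {
    case "$1" in
        3|3.0) echo "SSL 3.0" ;;
        3.1)   echo "TLS 1.0" ;;
        3.2)   echo "TLS 1.1" ;;
        3.3)   echo "TLS 1.2" ;;
        3.4)   echo "TLS 1.3" ;;
        *)     echo "invalid"; return 1 ;;
    esac
}

# conf_tls_min: print the TLS_PROTOCOL_MIN value from an ldap.conf file.
# Keywords are case-insensitive; comment lines are skipped; empty if unset.
conf_tls_min() {
    awk '$1 !~ /^#/ && tolower($1) == "tls_protocol_min" { v = $2 } END { print v }' "$1"
}

# explain: given the detected backend and a conf file, say what the client does.
explain() {
    backend=$1
    conf=$2
    min=$(conf_tls_min "$conf")
    if [ -z "$min" ]; then
        echo "TLS_PROTOCOL_MIN not set; library default applies"
    elif [ "$backend" = gnutls ]; then
        echo "TLS_PROTOCOL_MIN $min ignored: GnuTLS build"
    else
        echo "TLS_PROTOCOL_MIN $min -> minimum $(tls_min_name "$min")"
    fi
}

# Demo on constructed ldd output and a constructed ldap.conf.
demo() {
    tmp=$(mktemp)
    printf 'TLS_REQCERT never\ntls_protocol_min 3.4\n' > "$tmp"
    backend=$(printf 'libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2\nlibssl.so.1.1 => /usr/lib/libssl.so.1.1\n' | tls_backend)
    echo "backend: $backend"
    explain "$backend" "$tmp"
    rm -f "$tmp"
}

demo
```

On a real host, replace the constructed ldd text with `ldd "$(command -v ldapsearch)" | tls_backend` and point `explain` at the ldap.conf the client actually reads.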