Hi, since buster, openssl client is forced to minimum tls 1.2, in /etc/ssl/openssl.cnf
"
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"

This is breaking ldaps on activedirectory 2012r2.
(commenting this code in openssl.cnf fixes the problem)
(ad2012r2 already supports tls_12)

Funny, this is working with adding "sslversion=>'tlsv1_2'" to net::ldap

/usr/share/perl5/PVE/Auth/AD.pm

    $ad_args{sslversion} = 'tlsv1_2';
    my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";

So, could we add an sslversion option to the ldap auth plugins? And maybe set it to tls1.2 by default?
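An added example, not part of the original mail and not Proxmox or OpenSSL code: a small Python check that reads openssl.cnf text and reports the system-wide MinProtocol and security level set by the snippet quoted above. The top-level openssl_conf pointer in the sample and all function names are assumptions.

```python
import re

# Constructed sample: the snippet quoted in the mail, plus the top-level
# "openssl_conf" pointer (assumed) that makes OpenSSL load [default_conf].
SAMPLE = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_sections(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections = {"": {}}          # "" is the unnamed default section
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:                     # blank lines fall through
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return that section."""
    sections = parse_sections(text)
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        if name is None or name not in sections:
            return {}                         # chain broken or commented out
        name = sections[name].get(key)
    return sections.get(name, {}) if name else {}

def report(text):
    """Summarise the client-side floor applied to every libssl user."""
    d = system_defaults(text)
    level = re.search(r"@SECLEVEL=(\d+)", d.get("CipherString", ""))
    return {"min_protocol": d.get("MinProtocol"),
            "seclevel": int(level.group(1)) if level else None}

print(report(SAMPLE))
```

Run against the real file with report(open("/etc/ssl/openssl.cnf").read()); a result of None for both keys means no system default is in effect, which is the state the mail describes after commenting the block out.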