#47941 set TLS protocol version in LDAP client library used by server
Closed: wontfix. Opened 6 years ago by rmeggins.

There is no way to tell the LDAP client library which TLS protocol version to use. That is, there is no way to pass TLS_PROTOCOL_MIN to the openldap library, and no way to specify that setting in the 389 config.


  • openldap ldapsearch works with TLSv1.1 (and up).
  • SSL replication works, and 100k online init successfully tested.

Sending patch out for review...

80 #define TLS_VERSION_MAX SSL_LIBRARY_VERSION_TLS_1_2
1843 range.max = TLS_VERSION_MAX;

I'm sure TLS1.2 is high enough for the max range, for now. But for the future, you may want to leave the max value to the version provided by NSS...
{{{
+ /* Get the range of the supported SSL version */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
[...]
+ ldapNSSVersions.max = enabledNSSVersions.max;
}}}
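Review bot: in the quoted lines the SECStatus returned by SSL_VersionRangeGetSupported is not checked before enabledNSSVersions.max is copied into ldapNSSVersions.max, so on failure the client would be configured from an uninitialised range; the call should be guarded, e.g. `if (SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions) != SECSuccess) { /* log and fall back */ }`, unless the elided `[...]` portion already does this.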

Instead of the table mapping the string to the number, and vice versa, please use the function method Noriko developed (is developing) for dirsrv. Otherwise, we will have to keep extending the table when a new TLS version comes out . . . I know you didn't add that table in this patch, but we should take care of this now.
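The "function instead of a table" approach suggested above, as an added illustration (not code from 389-ds-base or NSS): NSS encodes SSL 3.0 as 0x0300 and TLS 1.x as 0x03(x+1), and OpenLDAP's LDAP_OPT_X_TLS_PROTOCOL_* constants use the same (major << 8) + minor layout, so the string can be converted arithmetically and the maximum taken from whatever NSS reports rather than a hard-coded TLS1.2 cap. The supported range below is a constructed value; real code would obtain it from SSL_VersionRangeGetSupported.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NSS values from sslproto.h, reproduced here so the example builds without NSS. */
#define SSL_LIBRARY_VERSION_3_0     0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303

typedef struct { uint16_t min; uint16_t max; } VersionRange; /* mirrors NSS SSLVersionRange */

/* Parse "SSL3" or "TLS1.<n>" into the NSS numeric encoding by arithmetic,
 * so a new TLS minor version needs no table entry. Returns 0 on unknown input. */
uint16_t tls_version_from_string(const char *s)
{
    unsigned major, minor;
    char tail;
    if (strcmp(s, "SSL3") == 0) return SSL_LIBRARY_VERSION_3_0;
    if (sscanf(s, "TLS%u.%u%c", &major, &minor, &tail) != 2 || major != 1 || minor > 9)
        return 0;                              /* trailing junk, wrong major, or silly minor */
    return (uint16_t)(SSL_LIBRARY_VERSION_TLS_1_0 + minor);
}

/* Reverse mapping for logging/config display. Returns 0 on success, -1 if v is not an SSL/TLS code. */
int tls_version_to_string(uint16_t v, char *buf, size_t len)
{
    if (v == SSL_LIBRARY_VERSION_3_0) { snprintf(buf, len, "SSL3"); return 0; }
    if ((v >> 8) != 3 || (v & 0xff) == 0 || (v & 0xff) > 10) return -1;
    snprintf(buf, len, "TLS1.%u", (unsigned)((v & 0xff) - 1));
    return 0;
}

/* Build the range to hand to the client: configured minimum (e.g. TLS_PROTOCOL_MIN),
 * maximum taken from what NSS supports. Returns -1 if the minimum is unknown or unsupported. */
int build_client_range(const char *min_str, VersionRange supported, VersionRange *out)
{
    uint16_t min = tls_version_from_string(min_str);
    if (min == 0 || min < supported.min || min > supported.max) return -1;
    out->min = min;
    out->max = supported.max;                  /* follows NSS, not a hard-coded TLS_VERSION_MAX */
    return 0;
}

int main(void)
{
    VersionRange supported = { SSL_LIBRARY_VERSION_3_0, 0x0304 }, r; /* constructed: NSS up to TLS1.3 */
    char lo[16], hi[16];
    if (build_client_range("TLS1.1", supported, &r) != 0) return 1;
    tls_version_to_string(r.min, lo, sizeof lo);
    tls_version_to_string(r.max, hi, sizeof hi);
    printf("client range %s..%s (0x%04x..0x%04x)\n", lo, hi, r.min, r.max);
    return 0;
}
```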

Replying to [comment:6 rmeggins]:

> Instead of the table mapping the string to the number, and vice versa, please use the function method Noriko developed (is developing) for dirsrv. Otherwise, we will have to keep extending the table when a new TLS version comes out . . . I know you didn't add that table in this patch, but we should take care of this now.

I fully agree, I was under the impression that Noriko opened an RFE on NSS for this:

[Bug 1161807] New: [RFE] API to convert SSL version number to SSL version string

So I guess we need to wait to see what happens with this bug before proceeding with the openldap fix?

Replying to [comment:7 mreynolds]:

> Replying to [comment:6 rmeggins]:
>
> > Instead of the table mapping the string to the number, and vice versa, please use the function method Noriko developed (is developing) for dirsrv. Otherwise, we will have to keep extending the table when a new TLS version comes out . . . I know you didn't add that table in this patch, but we should take care of this now.
>
> I fully agree, I was under the impression that Noriko opened an RFE on NSS for this:
>
> [Bug 1161807] New: [RFE] API to convert SSL version number to SSL version string
>
> So I guess we need to wait to see what happens with this bug before proceeding with the openldap fix?

Best case scenario is that the NSS fix will be available several months from now. Unfortunately we can't wait that long.

Per DS triage, close this and deal with in OpenLDAP BZs.

Metadata Update from @rmeggins:
- Issue assigned to mreynolds
- Issue set to the milestone: N/A

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1272

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Duplicate)

a year ago
