Re: restrict openldap TLS version
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: restrict openldap TLS version
- From: Philip Guenther <pguenther@proofpoint.com>
- Date: Thu, 1 Dec 2016 12:15:06 -0800
- Cc: David Ward <daward@Brocade.COM>, openldap-technical@openldap.org
- In-reply-to: <F73198B65CB0F5DB8B6A7B81@[192.168.1.19]>
- References: <0d06f8d0c0974f7ab9666e350f744e22@BRMWP-EXMB12.corp.brocade.com> <WM!6196eed8ac0be47348da6d7558ba7513e7c536d94d4b60e85b7d18d949ff04ec13aba8d92502b2d1ef432c9fc4f73234!@mailstronghold-1.zmailcloud.com> <F73198B65CB0F5DB8B6A7B81@[192.168.1.19]>
- User-agent: Alpine 2.20 (BSO 67 2015-01-07)
On Thu, 1 Dec 2016, Quanah Gibson-Mount wrote:
...
> There is not, as far as I know, any way to fine tune things beyond this
> (I.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Right, because the on-the-wire protocol itself just carries a single
version number, so if a client only supports a discontiguous set of
versions then negotiation can fail despite there being a common supported
version. Indeed, recent enough releases of OpenSSL automatically prevent
that on the client side:
/*
* SSL_OP_NO_X disables all protocols above X *if* there are
* some protocols below X enabled. This is required in order
* to maintain "version capability" vector contiguous. So
* that if application wants to disable TLS1.0 in favour of
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
And now in OpenSSL 1.1.0 the use of the SSL_OP_NO_TLSv1* options is
deprecated in favor of new SSL_CTX_set_{min,max}_proto_version() APIs,
making it impossible at the API level to specify discontiguous sets of
versions.
Philip Guenther
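The following is an added illustration, not code from this thread, from OpenLDAP, or from OpenSSL: a small self-contained C model of the three points made in the reply above. It models the single version number a pre-1.3 ClientHello carries, the "keep the version capability vector contiguous" rule quoted from the OpenSSL comment, and the min/max range API that cannot express a hole. Names such as OP_NO_*, negotiate() and enabled_contiguous() are this model's own, the bit values are arbitrary rather than OpenSSL's real option constants, and the negotiation is deliberately simplified (the client sends its highest version, the server picks its highest version not above it).

```c
/* Added example: a self-contained model (not OpenLDAP or OpenSSL code) of
 * pre-1.3 version negotiation, the SSL_OP_NO_* contiguity rule and the
 * min/max range API. OP_NO_* names and values are this model's own and are
 * not OpenSSL's option constants. */
#include <stdio.h>
#include <stdbool.h>

/* Protocol versions in wire order (SSLv2 lowest, TLSv1.2 highest). */
enum { V_SSL2, V_SSL3, V_TLS10, V_TLS11, V_TLS12, V_COUNT };
static const char *vname[V_COUNT] = { "SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2" };
#define ALL_VERSIONS ((1u << V_COUNT) - 1)

/* Model of the SSL_OP_NO_* bits: bit v set means "version v disabled". */
#define OP_NO_SSLv2   (1u << V_SSL2)
#define OP_NO_SSLv3   (1u << V_SSL3)
#define OP_NO_TLSv1   (1u << V_TLS10)
#define OP_NO_TLSv1_1 (1u << V_TLS11)
#define OP_NO_TLSv1_2 (1u << V_TLS12)

/* Literal reading of the options: every version whose NO bit is clear. */
static unsigned enabled_raw(unsigned options)
{
    return ~options & ALL_VERSIONS;
}

/* The contiguity rule from the quoted OpenSSL comment: once a disabled version
 * X sits above some enabled version, every version above X is disabled too,
 * so the result is always one contiguous run of versions. */
static unsigned enabled_contiguous(unsigned options)
{
    unsigned en = enabled_raw(options);
    bool below_enabled = false;
    for (int v = 0; v < V_COUNT; v++) {
        if (en & (1u << v)) {
            below_enabled = true;
        } else if (below_enabled) {
            en &= (1u << v) - 1;   /* keep only versions strictly below the hole */
            break;
        }
    }
    return en;
}

/* Model of the 1.1.0-style min/max API: a [min, max] range cannot have a hole. */
static unsigned enabled_range(int min_v, int max_v)
{
    unsigned en = 0;
    for (int v = min_v; v <= max_v && v < V_COUNT; v++)
        en |= 1u << v;
    return en;
}

/* Simplified pre-TLS-1.3 negotiation. The ClientHello carries one number, the
 * client's highest enabled version; the server answers with its highest enabled
 * version not above that; the client then accepts only if it has that version
 * enabled. Returns the agreed version index, or -1 on failure. */
static int negotiate(unsigned client_en, unsigned server_en)
{
    int client_max = -1;
    for (int v = V_COUNT - 1; v >= 0; v--)
        if (client_en & (1u << v)) { client_max = v; break; }
    if (client_max < 0)
        return -1;
    for (int v = client_max; v >= 0; v--)
        if (server_en & (1u << v))
            return (client_en & (1u << v)) ? v : -1;  /* client rejects a version it disabled */
    return -1;
}

static bool has_common(unsigned a, unsigned b) { return (a & b) != 0; }

static void show(const char *label, unsigned en)
{
    printf("%-30s", label);
    for (int v = 0; v < V_COUNT; v++)
        if (en & (1u << v)) printf(" %s", vname[v]);
    printf("\n");
}

int main(void)
{
    /* Passing only NO_TLSv1 leaves SSLv2/SSLv3 enabled below the hole, so the
     * rule cuts TLSv1.1 and TLSv1.2 as well; NO_SSLv2|NO_SSLv3|NO_TLSv1 is needed. */
    show("raw NO_TLSv1:", enabled_raw(OP_NO_TLSv1));
    show("contiguous NO_TLSv1:", enabled_contiguous(OP_NO_TLSv1));
    show("contiguous NO_SSLv2|SSLv3|TLSv1:", enabled_contiguous(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1));

    /* Why the rule exists: a client with the hole {TLSv1.0, TLSv1.2} meets a
     * server with {TLSv1.0, TLSv1.1}. TLSv1.0 is common, yet the handshake fails. */
    unsigned holey_client = enabled_raw(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1_1);
    unsigned server = enabled_range(V_TLS10, V_TLS11);
    int r = negotiate(holey_client, server);
    printf("hole client vs server: common=%d agreed=%s\n",
           (int)has_common(holey_client, server), r < 0 ? "FAIL" : vname[r]);

    /* With the contiguity rule applied the client advertises TLSv1.0 and succeeds. */
    unsigned fixed_client = enabled_contiguous(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1_1);
    r = negotiate(fixed_client, server);
    printf("contiguous client vs server: agreed=%s\n", r < 0 ? "FAIL" : vname[r]);
    return 0;
}
```

Compile with any C99 compiler; no OpenSSL headers are needed because the program only models the option semantics. The failing case in main() is the one the reply describes: a common version exists, but because the ClientHello carries only the client's maximum, the server picks a version the client has disabled.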