mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Explain the effect of OPT_X_TLS_PROTOCOL_MIN
OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The system-wide crypto-policies for TLS minimum version are applied with SSL_CTX_set_min_proto_version(). The set_option() call cannot not enable lower versions than allowed by crypto-policy, e.g. openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0 result in TLS 1.2 as minimum protocol version. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
3645854c11
commit
f3e1171564
@ -127,6 +127,12 @@ def ldap_initialize(uri, cacertfile=None):
|
|||||||
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
|
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
|
||||||
|
|
||||||
# SSLv3 and SSLv2 are insecure
|
# SSLv3 and SSLv2 are insecure
|
||||||
|
# OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
|
||||||
|
# system-wide crypto-policies for TLS minimum version are applied
|
||||||
|
# with SSL_CTX_set_min_proto_version(). The set_option() call cannot
|
||||||
|
# enable lower versions than allowed by crypto-policy, e.g.
|
||||||
|
# openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
|
||||||
|
# result in TLS 1.2 as minimum protocol version.
|
||||||
conn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, 0x301) # TLS 1.0
|
conn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, 0x301) # TLS 1.0
|
||||||
# libldap defaults to cert validation, but the default can be
|
# libldap defaults to cert validation, but the default can be
|
||||||
# overridden in global or user local ldap.conf.
|
# overridden in global or user local ldap.conf.
|
||||||
|
Loading…
Reference in New Issue
Block a user