Explain the effect of OPT_X_TLS_PROTOCOL_MIN

OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
results in TLS 1.2 as minimum protocol version.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Christian Heimes 2020-01-17 16:59:55 +01:00
parent 3645854c11
commit f3e1171564

@ -127,6 +127,12 @@ def ldap_initialize(uri, cacertfile=None):
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile) conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
# SSLv3 and SSLv2 are insecure # SSLv3 and SSLv2 are insecure
# OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
# system-wide crypto-policies for TLS minimum version are applied
# with SSL_CTX_set_min_proto_version(). The set_option() call cannot
# enable lower versions than allowed by crypto-policy, e.g.
# openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
# result in TLS 1.2 as minimum protocol version.
conn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, 0x301) # TLS 1.0 conn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, 0x301) # TLS 1.0
# libldap defaults to cert validation, but the default can be # libldap defaults to cert validation, but the default can be
# overridden in global or user local ldap.conf. # overridden in global or user local ldap.conf.