]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
:gear: Add and document tls_min_version
authorJorge Pereira <jpereiran@gmail.com>
Wed, 9 Dec 2020 17:30:17 +0000 (14:30 -0300)
committerAlan DeKok <aland@freeradius.org>
Wed, 9 Dec 2020 17:36:18 +0000 (12:36 -0500)
raddb/mods-available/ldap
src/lib/ldap/base.h
src/lib/ldap/connection.c
src/modules/rlm_ldap/rlm_ldap.c

index 5aa910f1489bd6b90858e146311461d063d332c3..b6ccd15f59df8d53517e18b5f46e2a09f17114b2 100644 (file)
@@ -742,10 +742,16 @@ ldap {
                #  | 'demand' | fail if the certificate does not verify.
                #  | 'hard'   | similar to 'demand' but fails if TLS cannot negotiate.
                #  |===
-               #
+               #
                #  NOTE: The default is libldap's default, which varies based on the contents of `ldap.conf`.
                #
 #              require_cert = 'demand'
+
+               #
+               #  Minimum TLS version to accept. We STRONGLY recommend
+               #  setting this to "1.2"
+               #
+#              tls_min_version = "1.2"
        }
 
        #
index f0454e1a6ad437b026eef5c19586d5f700ad6050..d5a2ebe4f5e3aeb7880e20635107ae09c53041ac 100644 (file)
@@ -237,6 +237,8 @@ typedef struct {
 
        int                     tls_require_cert;       //!< OpenLDAP constant representing the require cert string.
 
+       char const              *tls_min_version_str;           //!< Minimum TLS version
+       int                     tls_min_version;
 
        /*
         *      For keep-alives.
index e4ab5c4388727181d224eadff1a54863cc316331..8d005330635d8d9859c640f6342aa8b01edc5813 100644 (file)
@@ -276,12 +276,18 @@ int fr_ldap_connection_configure(fr_ldap_connection_t *c, fr_ldap_config_t const
        maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", config->tls_certificate_file);
        maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", config->tls_private_key_file);
 
-#  ifdef LDAP_OPT_X_TLS_NEVER
+#  ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
        if (config->tls_require_cert_str) {
                do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "require_cert", &config->tls_require_cert);
        }
 #  endif
 
+#  ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+       if (config->tls_min_version_str) {
+               do_ldap_option(LDAP_OPT_X_TLS_PROTOCOL_MIN, "tls_min_version", &config->tls_min_version);
+       }
+#  endif
+
        /*
         *      Counter intuitively the TLS context appears to need to be initialised
         *      after all the TLS options are set on the handle.
index 21ea7c42525e402e481577a6cd55c7fe4e902e13..b61ac2a7b43dd3412cd81aa5aaf636ce1ff13f13 100644 (file)
@@ -73,6 +73,10 @@ static CONF_PARSER tls_config[] = {
 
        { FR_CONF_OFFSET("require_cert", FR_TYPE_STRING, fr_ldap_config_t, tls_require_cert_str) },
 
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+       { FR_CONF_OFFSET("tls_min_version", FR_TYPE_STRING, fr_ldap_config_t, tls_min_version_str) },
+#endif
+
        CONF_PARSER_TERMINATOR
 };
 
@@ -1978,6 +1982,30 @@ static int mod_instantiate(void *instance, CONF_SECTION *conf)
                              "rebuild this module");
 
                goto error;
+#endif
+       }
+
+if (inst->handle_config.tls_min_version_str) {
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+               if (strcmp(inst->handle_config.tls_min_version_str, "1.2") == 0) {
+                       inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+
+               } else if (strcmp(inst->handle_config.tls_min_version_str, "1.1") == 0) {
+                       inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
+
+               } else if (strcmp(inst->handle_config.tls_min_version_str, "1.0") == 0) {
+                       inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+
+               } else {
+                       cf_log_err(conf, "Invalid 'tls.tls_min_version' value \"%s\"", inst->handle_config.tls_min_version_str);
+                       goto error;
+               }
+#else
+               cf_log_err(conf, "This version of libldap does not support tls.tls_min_version."
+                             " Please upgrade or substitute current libldap and "
+                             "rebuild this module");
+               goto error;
+
 #endif
        }