# | 'demand' | fail if the certificate does not verify.
# | 'hard' | similar to 'demand' but fails if TLS cannot negotiate.
# |===
- #
+ #
# NOTE: The default is libldap's default, which varies based on the contents of `ldap.conf`.
#
# require_cert = 'demand'
+
+ #
+ # Minimum TLS version to accept. We STRONGLY recommend
+ # setting this to "1.2"
+ #
+# tls_min_version = "1.2"
}
#
int tls_require_cert; //!< OpenLDAP constant representing the require cert string.
+ char const *tls_min_version_str; //!< Minimum TLS version
+ int tls_min_version;
/*
* For keep-alives.
maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", config->tls_certificate_file);
maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", config->tls_private_key_file);
-# ifdef LDAP_OPT_X_TLS_NEVER
+# ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
if (config->tls_require_cert_str) {
do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "require_cert", &config->tls_require_cert);
}
# endif
+# ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+ if (config->tls_min_version_str) {
+ do_ldap_option(LDAP_OPT_X_TLS_PROTOCOL_MIN, "tls_min_version", &config->tls_min_version);
+ }
+# endif
+
/*
* Counter intuitively the TLS context appears to need to be initialised
* after all the TLS options are set on the handle.
{ FR_CONF_OFFSET("require_cert", FR_TYPE_STRING, fr_ldap_config_t, tls_require_cert_str) },
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+ { FR_CONF_OFFSET("tls_min_version", FR_TYPE_STRING, fr_ldap_config_t, tls_min_version_str) },
+#endif
+
CONF_PARSER_TERMINATOR
};
"rebuild this module");
goto error;
+#endif
+ }
+
+if (inst->handle_config.tls_min_version_str) {
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
+ if (strcmp(inst->handle_config.tls_min_version_str, "1.2") == 0) {
+ inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+
+ } else if (strcmp(inst->handle_config.tls_min_version_str, "1.1") == 0) {
+ inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
+
+ } else if (strcmp(inst->handle_config.tls_min_version_str, "1.0") == 0) {
+ inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+
+ } else {
+ cf_log_err(conf, "Invalid 'tls.tls_min_version' value \"%s\"", inst->handle_config.tls_min_version_str);
+ goto error;
+ }
+#else
+ cf_log_err(conf, "This version of libldap does not support tls.tls_min_version."
+ " Please upgrade or substitute current libldap and "
+ "rebuild this module");
+ goto error;
+
#endif
}