[pve-devel] applied: [PATCH pve-access-control] ldap auth: add sslversion option

Alexandre DERUMIER aderumier at odiso.com
Thu Nov 7 13:10:59 CET 2019


>>Would it make sense to switch to that as default? Do you know how
>>well it's supported?

For now, keep TLS 1.2.
TLS 1.3 is really new and far from being implemented everywhere.
(I don't think it's implemented in AD 2019)

----- Original message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>
Sent: Wednesday 6 November 2019 20:29:30
Subject: applied: [pve-devel] [PATCH pve-access-control] ldap auth: add sslversion option

On 11/4/19 10:18 AM, Alexandre Derumier wrote: 
> default to tls1.2 
> 

While https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#sslversion
only lists ['sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv1_1' | 'tlsv1_2'] it
says that this is just passed to IO::Socket::SSL and
https://metacpan.org/pod/IO::Socket::SSL#SSL_version
also accepts TLS 1.3, so I added that as a follow-up.

Would it make sense to switch to that as default? Do you know how
well it's supported?

> Signed-off-by: Alexandre Derumier <aderumier at odiso.com> 
> --- 
> PVE/Auth/AD.pm | 11 +++++++++++ 
> PVE/Auth/LDAP.pm | 5 +++++ 
> 2 files changed, 16 insertions(+) 
> 
> diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm 
> index b924b02..a877a76 100755 
> --- a/PVE/Auth/AD.pm 
> +++ b/PVE/Auth/AD.pm 
> @@ -33,6 +33,12 @@ sub properties { 
> optional => 1, 
> 
> }, 
> + sslversion => { 
> + description => "LDAPS ssl version.", 
> + type => 'string', 
> + enum => [qw(tlsv1 tlsv1_1 tlsv1_2)], 
> + optional => 1, 
> + }, 
> default => { 
> description => "Use this as default realm", 
> type => 'boolean', 
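Review bot: the `description => "LDAPS ssl version."` on the new `sslversion` property does not tell the user what happens when the option is left unset, although the authenticate hunk below falls back to `'tlsv1_2'`; state the default in the description, e.g. `description => "LDAPS TLS version (default: tlsv1_2)."`. The enum rightly leaves out `sslv2`/`sslv3`/`sslv23`, but it still offers `tlsv1` and `tlsv1_1`, which are deprecated; consider whether those should remain selectable or be marked as legacy-only in the description.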
> @@ -69,6 +75,7 @@ sub options { 
> domain => {}, 
> port => { optional => 1 }, 
> secure => { optional => 1 }, 
> + sslversion => { optional => 1 }, 
> default => { optional => 1 },, 
> comment => { optional => 1 }, 
> tfa => { optional => 1 }, 
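Review bot: the context line `default => { optional => 1 },,` directly below the added `sslversion` entry carries a doubled comma; Perl tolerates the empty list element, but since this hunk already touches the neighbouring line it is a cheap cleanup to fold in.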
> @@ -108,6 +115,10 @@ my $authenticate_user_ad = sub { 
> $ad_args{verify} = 'none'; 
> } 
> 
> + if ($config->{secure}) { 
> + $ad_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2'; 
> + } 
> + 
> my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n"; 
> 
> $username = "$username\@$config->{domain}" 
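Review bot: `$config->{sslversion} ? $config->{sslversion} : 'tlsv1_2'` repeats the hash lookup; the defined-or form `$ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';` is shorter and makes the fallback obvious. The `'tlsv1_2'` literal is also duplicated verbatim in PVE/Auth/LDAP.pm further down, so a shared constant or helper would keep the two realms from drifting when the default changes, which the follow-up adding TLS 1.3 already has to touch twice. It would also help to note in the description that the option only takes effect when `secure` is set, as this hunk makes it a no-op for plain LDAP.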
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm 
> index 9f08504..d6c26eb 100755 
> --- a/PVE/Auth/LDAP.pm 
> +++ b/PVE/Auth/LDAP.pm 
> @@ -70,6 +70,7 @@ sub options { 
> user_attr => {}, 
> port => { optional => 1 }, 
> secure => { optional => 1 }, 
> + sslversion => { optional => 1 }, 
> default => { optional => 1 }, 
> comment => { optional => 1 }, 
> tfa => { optional => 1 }, 
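Review bot: this file only registers `sslversion` in `options`, while the property itself is declared in PVE/Auth/AD.pm's `properties`; that works only if property definitions are shared across all auth plugins through the SectionConfig registry, so please confirm the LDAP realm actually resolves the property, or add a matching `properties` entry here.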
> @@ -109,6 +110,10 @@ my $authenticate_user_ldap = sub { 
> $ldap_args{verify} = 'none'; 
> } 
> 
> + if ($config->{secure}) { 
> + $ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2'; 
> + } 
> + 
> my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n"; 
> 
> if (my $bind_dn = $config->{bind_dn}) { 
> 
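Review bot: same remark as for the AD hunk: `$ldap_args{sslversion} = $config->{sslversion} // 'tlsv1_2';` reads cleaner, and the fallback literal now lives in two files. Also, the `$ldap_args{verify} = 'none';` branch in the context just above this hunk is untouched, so pinning TLS 1.2 raises the protocol floor but does not by itself add server certificate checking; the commit message should say what the new option does and does not cover.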

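For reference, a small Perl helper that builds the Net::LDAP connection arguments the way the discussion settles on: TLS 1.2 as the fallback, TLS 1.3 accepted, legacy versions refused. This is an added example, not code from the patch or from pve-access-control; the config keys (`secure`, `sslversion`, `port`, `cafile`) and the hostname are assumptions.

```perl
use strict;
use warnings;
use Net::LDAP;

# Accepted values, spelled as Net::LDAP / IO::Socket::SSL expect them.
# sslv2, sslv3, sslv23, tlsv1 and tlsv1_1 are deliberately not accepted.
my %ALLOWED_SSLVERSION = map { $_ => 1 } qw(tlsv1_2 tlsv1_3);

# Build the argument hash for Net::LDAP->new from a realm config hash.
# Config keys used here (assumed names): secure, sslversion, port, cafile.
sub ldaps_connect_args {
    my ($config) = @_;
    my %args = (version => 3, timeout => 10);
    return %args if !$config->{secure};    # plain LDAP: no TLS settings apply

    # defined-or: same 'tlsv1_2' fallback as the patch, but explicit
    my $ver = $config->{sslversion} // 'tlsv1_2';
    die "unsupported sslversion '$ver'\n" if !$ALLOWED_SSLVERSION{$ver};

    $args{scheme}     = 'ldaps';
    $args{port}       = $config->{port} // 636;
    $args{sslversion} = $ver;

    # Pinning the protocol version does not verify the peer; require the
    # server certificate to chain to the configured CA when one is given.
    if ($config->{cafile}) {
        $args{verify} = 'require';
        $args{cafile} = $config->{cafile};
    }
    return %args;
}

# Constructed sample realm config (hostname and CA path are placeholders).
my %args = ldaps_connect_args({
    secure     => 1,
    sslversion => 'tlsv1_3',
    cafile     => '/etc/pve/ldap-ca.pem',
});
my $ldap = Net::LDAP->new('ldap.example.com', %args)
    or die "LDAPS connect failed: $@\n";
```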