Hi,

Does Samba-AD support TLS 1.2 for LDAPS? If yes, can someone give more details on its configuration?

Regards,
Ananth
On Wed, 2019-05-29 at 05:48 +0530, Anantha Raghava via samba wrote:
> Hi,
>
> Does Samba-AD support TLS 1.2 for LDAPS? If yes, can someone give
> more
> details on its configuration?

Seems that is enabled by default (tested with samba-4.9.x) [1]

    openssl s_client -showcerts -connect mydc1.etc.com:636 [2]

[1] https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
[2]

    (...)
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: C45186405F3B55B472DFD075A27C1BA68A90D4BD4C72EE94BD7BD6F8F58E6283
        Session-ID-ctx:
        Master-Key: 40E62E425FF8AE4A491001576A97F7FB3EB54A326FD5D3BF0BDB392DE6FA137C60A98C1FC8A02B12103C64594DFE9785
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1559091178
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: yes
    ---
    closed

> Regards,
> Ananth

-- 
Sérgio M. B.
On Wed, 2019-05-29 at 01:57 +0100, Sérgio Basto via samba wrote:
> On Wed, 2019-05-29 at 05:48 +0530, Anantha Raghava via samba wrote:
> > Hi,
> >
> > Does Samba-AD support TLS 1.2 for LDAPS? If yes, can someone give
> > more
> > details on its configuration?
>
> Seems that is enabled by default (tested with samba-4.9.x) [1]

It essentially comes down to what GnuTLS does. That can be tweaked via 'tls priority' (the value of this parameter is then interpreted via GnuTLS).

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
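An added example (not code from the thread or from the Samba project) that turns the two checks discussed above into something repeatable: it parses the session summary that `openssl s_client` prints (Sérgio's output) and flags what a defender would act on (protocol below TLS 1.2, a cipher without forward secrecy, a small server key, or an unverified certificate chain such as the "Verify return code: 21" in the thread), and it does a simplified syntactic check of a Samba 'tls priority' value (Andrew's pointer) for whether it explicitly removes SSLv3, TLS 1.0 and TLS 1.1. The sample output and the priority strings are constructed for the example; the priority check only looks for explicit `-VERS-...` tokens and does not model every GnuTLS keyword, so it is an assumption that the rest of the string starts from a keyset such as NORMAL.

```python
import re

# Constructed sample: the relevant subset of the s_client session summary
# quoted in the thread (same fields, reformatted into one string).
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
"""

# Ordering used to compare the negotiated protocol against a minimum.
VERSION_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_s_client(text):
    """Extract protocol, cipher, server key size and verify result from
    the text that `openssl s_client` prints after the handshake."""
    result = {}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    result["protocol"] = m.group(1) if m else None
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    result["cipher"] = m.group(1) if m else None
    m = re.search(r"Server public key is (\d+) bit", text)
    result["key_bits"] = int(m.group(1)) if m else None
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", text)
    result["verify_code"] = int(m.group(1)) if m else None
    result["verify_text"] = m.group(2) if m else None
    return result


def assess(parsed, min_version="TLSv1.2"):
    """Return a list of findings (empty list means the LDAPS endpoint
    negotiated as expected and the chain verified)."""
    findings = []
    proto = parsed["protocol"]
    if proto is None or VERSION_ORDER.get(proto, -1) < VERSION_ORDER[min_version]:
        findings.append(f"protocol {proto} is below {min_version}")
    cipher = parsed["cipher"] or ""
    # ECDHE-/DHE- (TLS 1.2) and TLS_ (TLS 1.3 suites) all provide forward secrecy.
    if not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append(f"cipher {cipher} lacks forward secrecy")
    if parsed["key_bits"] is not None and parsed["key_bits"] < 2048:
        findings.append(f"server key is only {parsed['key_bits']} bits")
    if parsed["verify_code"] != 0:
        # Code 21 in the thread means the DC's certificate chain was not
        # validated; clients need the issuing CA (e.g. via -CAfile) to trust it.
        findings.append(f"certificate chain not verified: {parsed['verify_text']}")
    return findings


def priority_disables_legacy(priority):
    """Simplified check of a Samba 'tls priority' (GnuTLS priority string):
    report which legacy protocol versions are explicitly removed with a
    '-VERS-...' token. Assumes the string builds on a keyset like NORMAL."""
    tokens = {t.strip() for t in priority.split(":")}
    legacy = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1")
    return {v: ("-" + v) in tokens for v in legacy}


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print(parsed)
    for finding in assess(parsed):
        print("FINDING:", finding)
    # Constructed example values for smb.conf 'tls priority'.
    print(priority_disables_legacy("NORMAL:-VERS-SSL3.0"))
    print(priority_disables_legacy("NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"))
```

Feed `assess()` the captured output of the same `openssl s_client -connect <dc>:636` command from the thread; on Sérgio's output it reports only the unverified chain, which is the expected result when the DC's CA has not been passed to the client.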