Project

General

Profile

Actions

Feature #33662

open

Defining allowed/denied TLS Version for LDAPS in a configuration file

Added by Jan Kunkis over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
LDAP
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

Our LDAP-Server only provides TLS version 1.0 and 1.1. The newer versions 1.2 and 1.3 are currently not possible because of other connected systems. So enabling LDAPS (without certificate verification because of a self signed certificate - ticket #29606) fails in my network.

I am working on redmine version 4.1.1. For a quick workaround I have modified the file auth_source_ldap.rb to disallow version 1.2 and 1.3 by adding the appropriate options. A configurable list of allowed / denied TLS-versions (or min/max version?) in a configuration file would avoid future redmine-version-upgrade-problems (which would overwrite my manual fix).

Here is my dirty debug workaround:

  def initialize_ldap_con(ldap_user, ldap_password)
    options = { :host => self.host,
                :port => self.port
              }
    if tls
      options[:encryption] = {
        :method => :simple_tls,
        # Always provide non-empty tls_options, to make sure, that all
        # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert
        # store are used.
        :tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE,
---->                     :options => OpenSSL::SSL::OP_NO_TLSv1_3 + OpenSSL::SSL::OP_NO_TLSv1_2        <----
                        }
      }
    end

No data to display

Actions

Also available in: Atom PDF