Hi,
I use sssd together with 389 directory server to manage id and credentials.
My Directory Server is configured to allow only TLSv1.3 (sslVersionMin == sslVersionMax == 1.3).
However, whenever I start a ssh session to a machine using a directory user, I get the following message sequence between the sssd client and the directory server(exchange generated when the password is entered at prompt):
client -> DS TLSv1.2 message
DS-> client TLSv1.2 message
client closes connections (RST)
client establishes new connection
TLS handshake
Change Cipher Spec
TLSv1.3 exchange
(see detailed exchange below)
I don't understand why there is this initial TLSv1.2 exchange.
Is there a possibility to enforce TLSv1.3 on sssd side ?
I tried to set:
ldap_tls_cipher_suite = TLSv1.3!EXPORT:!NULL
in /etc/sssd.conf, but the behavior is the same.
23 49.553616751 client → DS *TLSv1.2* 95 Application Data
24 49.553632077 client → DS *TLSv1.2* 90 Application Data
25 49.554509324 DS → client *TLSv1.2* 90 Application Data
26 49.554526401 client → DS TCP 54 44625 → 636 *[RST]* Seq=56 Win=0 Len=0
27 49.554534690 DS → client TCP 66 636 → 44625 *[RST, ACK]* Seq=25 Ack=56 Win=286 Len=0 TSval=1278977543 TSecr=3489465836
28 52.843158542 client → DS TCP 74 44627 → 636 *[SYN]* Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3489469126 TSecr=0 WS=128
29 52.843547010 DS → Client TCP 74 636 → 44627 *[SYN, ACK]* Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1278980832 TSecr=3489469126 WS=128
30 52.843572758 client → DS TCP 66 44627 → 636 *[ACK]* Seq=1 Ack=1 Win=29312 Len=0 TSval=3489469126 TSecr=1278980832
31 52.84471237 client → DS TLSv1 355 *Client Hello*
32 52.845104921 DS → client TCP 66 636 → 44627 [ACK] Seq=1 Ack=290 Win=30080 Len=0 TSval=1278980833 TSecr=3489469127
33 52.866829425 DS → client TLSv1.3 4029 Server Hello, Change Cipher Spec, Application Data
34 52.866846844 client → DS TCP 66 44627 → 636 [ACK] Seq=290 Ack=3964 Win=37248 Len=0 TSval=3489469150 TSecr=1278980855
35 52.867532757 client → DS TLSv1.3 160 Change Cipher Spec, Application Data, Application Data
36 52.867591615 client → DS TLSv1.3 348 Application Data
37 52.868097985 DS → client TCP 66 636 → 44627 [ACK] Seq=3964 Ack=666 Win=31104 Len=0 TSval=1278980856 TSecr=3489469150
38 52.868929089 DS → client TLSv1.3 1471 Application Data
39 52.868942962 DS → client TLSv1.3 102 Application Data
40 52.869048855 client → DS TCP 66 44627 → 636 [ACK] Seq=666 Ack=5
sssd-users@lists.fedorahosted.org