From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Wed, 6 Nov 2019 19:23:21 +0000 (+0100)
Subject: ldaps: support TLS 1.3 as SSL version
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=3b7eaef10fe48e0180c3bc89be4bbf31c7dfd47c

ldaps: support TLS 1.3 as SSL version

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index a877a76..42eb79d 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -34,9 +34,9 @@ sub properties {
 
 	},
 	sslversion => {
-	    description => "LDAPS ssl version.",
+	    description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
 	    type => 'string',
-	    enum => [qw(tlsv1 tlsv1_1 tlsv1_2)],
+	    enum => [qw(tlsv1 tlsv1_1 tlsv1_2 tlsv1_3)],
 	    optional => 1,
 	},
 	default => {
@@ -116,7 +116,7 @@ my $authenticate_user_ad = sub {
     }
 
     if ($config->{secure}) {
-	$ad_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+	$ad_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
     }
 
     my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index d6c26eb..a94778e 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -111,7 +111,7 @@ my $authenticate_user_ldap = sub {
     }
 
     if ($config->{secure}) {
-	$ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+	$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
     }
 
     my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";