From 07dd90d73194f1732bdba6b36fb168266c920b0a Mon Sep 17 00:00:00 2001
From: Alexandre Derumier
Date: Mon, 4 Nov 2019 10:18:05 +0100
Subject: [PATCH 1/1] ldap auth: add sslversion option default to tls1.2

Signed-off-by: Alexandre Derumier
---
 PVE/Auth/AD.pm   | 11 +++++++++++
 PVE/Auth/LDAP.pm |  5 +++++
 2 files changed, 16 insertions(+)

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index b924b02..a877a76 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -33,6 +33,12 @@ sub properties {
             optional => 1,
         },
+        sslversion => {
+            description => "LDAPS ssl version.",
+            type => 'string',
+            enum => [qw(tlsv1 tlsv1_1 tlsv1_2)],
+            optional => 1,
+        },
         default => {
             description => "Use this as default realm",
             type => 'boolean',
@@ -69,6 +75,7 @@ sub options {
         domain => {},
         port => { optional => 1 },
         secure => { optional => 1 },
+        sslversion => { optional => 1 },
         default => { optional => 1 },,
         comment => { optional => 1 },
         tfa => { optional => 1 },
@@ -108,6 +115,10 @@ my $authenticate_user_ad = sub {
         $ad_args{verify} = 'none';
     }
 
+    if ($config->{secure}) {
+        $ad_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+    }
+
     my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
 
     $username = "$username\@$config->{domain}"
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index 9f08504..d6c26eb 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -70,6 +70,7 @@ sub options {
         user_attr => {},
         port => { optional => 1 },
         secure => { optional => 1 },
+        sslversion => { optional => 1 },
         default => { optional => 1 },
         comment => { optional => 1 },
         tfa => { optional => 1 },
@@ -109,6 +110,10 @@ my $authenticate_user_ldap = sub {
         $ldap_args{verify} = 'none';
     }
 
+    if ($config->{secure}) {
+        $ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+    }
+
     my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
 
     if (my $bind_dn = $config->{bind_dn}) {
-- 
2.39.2
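Review bot: The description of the new `sslversion` property in AD.pm's `properties` does not tell the administrator that the option is only honoured when `secure` is enabled (the authenticate hunks below apply it under `if ($config->{secure})`), nor that two of the three enum values are legacy protocol versions; I would change `description => "LDAPS ssl version."` to `description => "TLS protocol version for LDAPS connections (only used when 'secure' is set; tlsv1 and tlsv1_1 are deprecated and kept for legacy servers)."`. The property definition is added only in this file, while LDAP.pm's `options` hunk also lists `sslversion`; that works only if the section-config plugin system merges property definitions across plugins, which I believe PVE's does, but it is worth confirming so plain LDAP realms can actually set the option. The `properties` sub starts and ends outside the hunk.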
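Review bot: Defaulting `$ad_args{sslversion}` to `'tlsv1_2'` likely pins the connection to exactly TLS 1.2 instead of setting a minimum: as far as I can tell Net::LDAP forwards `sslversion` to IO::Socket::SSL's `SSL_version`, where a specific version string disables every other version, so a server that only offers TLS 1.3 would stop connecting — worth confirming against the Net::LDAP and IO::Socket::SSL versions shipped with PVE before making this the default. The fallback is written as a ternary on truthiness; the defined-or form `$ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';` is the idiomatic spelling and does not conflate an empty string with an unset option. A configured `sslversion` is also silently ignored when `secure` is off, which is surprising for a security-relevant setting; either reject that combination where the realm config is validated or state it in the option's description. The same three points apply to the `$authenticate_user_ldap` hunk in LDAP.pm. `$authenticate_user_ad` starts and ends outside the hunk.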