I want to set up LDAP to use TLS 1.3, and I am having a few problems.
I am running on Linux with OpenLDAP. I can use an RSA certificate to set up the session. That works fine.
The problem is trying to use an elliptic certificate on the client.
My certificate is ASN1 OID: secp521r1 (NIST CURVE: P-521) signed with Signature Algorithm: ecdsa-with-SHA512.
I've looked at a Wireshark trace, and see
"certificate types": [rsa_sign, dss_sign]
which does not have the expected ecdsa_sign.
Because ECDSA is not sent down, TLS will not look for the EC certificate in my keystore.
Has anyone got this working?
My config has
sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED
and my environment has
GSK_TRACE=0xff
GSK_PROTOCOL_TLSV1_1=on
GSK_PROTOCOL_TLSV1_2=on
GSK_PROTOCOL_TLSV1_3=on
GSK_V3_CIPHER_SPECS_EXPANDED=009E002FC027C013c02dc023c025130313011302
GSK_SERVER_TLS_KEY_SHARES=0023002500290024
GSK_CLIENT_TLS_KEY_SHARES=0023002500290024
GSK_TLS_SIG_ALG_PAIRS=0601050104010301080608050804050304030603
It may just be a matter of the GSK parameters not being set up properly. I've tried many combinations and not been successful.
------------------------------
Colin Paice
------------------------------
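As an added example (not part of the post above, and not code from OpenLDAP or from the GSK library it configures): a small Python parser that decodes a TLS 1.2 CertificateRequest message the way the Wireshark trace does, splits a GSK_TLS_SIG_ALG_PAIRS string into its signature-scheme code points, and reports which of the two conditions a client-side ECDSA certificate needs is missing. It assumes that each 4-digit group of GSK_TLS_SIG_ALG_PAIRS is an IANA TLS SignatureScheme code point in hex (the value from the post decodes cleanly that way); the CertificateRequest bytes are constructed here to mirror what the post reports, not taken from a capture.

```python
"""Decode what a TLS 1.2 CertificateRequest permits for the client certificate and
cross-check it against a GSK_TLS_SIG_ALG_PAIRS string. The sample message below is
constructed for this example; it is not a packet capture."""

# RFC 5246 section 7.4.4: ClientCertificateType values
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
              64: "ecdsa_sign", 65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh"}
# RFC 5246 section 7.4.1.4.1: HashAlgorithm / SignatureAlgorithm values
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# RFC 8446 section 4.2.3: SignatureScheme code points (the subset used here)
SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
}
ECDSA_P521_SHA512 = 0x0603      # the scheme a P-521 key with SHA-512 produces
ECDSA_SIGN = 64                 # ClientCertificateType ecdsa_sign


def parse_gsk_sig_alg_pairs(value):
    """Split a GSK_TLS_SIG_ALG_PAIRS string into 16-bit code points.
    Assumption: each 4-hex-digit group is an IANA SignatureScheme code point."""
    if len(value) % 4:
        raise ValueError("GSK_TLS_SIG_ALG_PAIRS length must be a multiple of 4")
    return [int(value[i:i + 4], 16) for i in range(0, len(value), 4)]


def scheme_name(code):
    """Name a code point; fall back to the TLS 1.2 hash+signature reading."""
    if code in SCHEMES:
        return SCHEMES[code]
    return f"{HASHES.get(code >> 8, '?')}+{SIGS.get(code & 0xFF, '?')}"


def build_certificate_request(cert_types, schemes, ca_names=()):
    """Serialise a TLS 1.2 CertificateRequest (handshake type 13); used only to
    construct sample input for this example."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sig = b"".join(s.to_bytes(2, "big") for s in schemes)
    body += len(sig).to_bytes(2, "big") + sig
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body += len(cas).to_bytes(2, "big") + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Parse a TLS 1.2 CertificateRequest including its 4-byte handshake header.
    Returns (certificate_types, signature_schemes, number_of_certificate_authorities)."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest (handshake type 13)")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    n = body[pos]; pos += 1                                   # certificate_types<1..2^8-1>
    cert_types = list(body[pos:pos + n]); pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2    # supported_signature_algorithms
    if n % 2:
        raise ValueError("odd supported_signature_algorithms length")
    schemes = [int.from_bytes(body[pos + i:pos + i + 2], "big") for i in range(0, n, 2)]
    pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2    # certificate_authorities
    end, cas = pos + n, 0
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + dn_len
        cas += 1
    return cert_types, schemes, cas


def ecdsa_client_cert_usable(cert_types, schemes, scheme=ECDSA_P521_SHA512):
    """A TLS 1.2 client may only answer with a certificate whose type is listed in
    certificate_types and sign CertificateVerify with a listed scheme; return the
    list of conditions that fail (empty list means the EC certificate can be used)."""
    problems = []
    if ECDSA_SIGN not in cert_types:
        problems.append("ecdsa_sign missing from certificate_types")
    if scheme not in schemes:
        problems.append(f"{scheme_name(scheme)} missing from supported_signature_algorithms")
    return problems


# Constructed sample mirroring the post: the value of GSK_TLS_SIG_ALG_PAIRS given there,
# and a server that asks only for rsa_sign / dss_sign certificates.
GSK_PAIRS = "0601050104010301080608050804050304030603"
SAMPLE_REQUEST = build_certificate_request([1, 2], parse_gsk_sig_alg_pairs(GSK_PAIRS))

if __name__ == "__main__":
    types, schemes, n_ca = parse_certificate_request(SAMPLE_REQUEST)
    print("certificate_types:", [CERT_TYPES.get(t, t) for t in types])
    print("signature schemes:", [scheme_name(s) for s in schemes])
    print("certificate authorities listed:", n_ca)
    for problem in ecdsa_client_cert_usable(types, schemes):
        print("problem:", problem)
```

Run it as-is to see the sample decoded; to check a real handshake, replace SAMPLE_REQUEST with the CertificateRequest bytes exported from Wireshark. Note that the certificate_types field only exists in TLS 1.2 and earlier; a TLS 1.3 CertificateRequest carries its constraints in extensions instead, so seeing that field at all tells you which protocol version the connection actually negotiated.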