我正在通过调用 ldap_sslinit()、ldap_connect() 和 ldap_bind() 使用 LDAP 建立到我的 AD 服务器的连接。我尝试通过 ldap_set_option() 设置 LDAP 会话选项 LDAP_OPT_SSL_INFO，传入一个 dwProtocol 设为 SP_PROT_TLS1_2_CLIENT 的 SecPkgContext_ConnectionInfo 结构。连接成功建立。但是，当我在服务器上禁用 TLS 1.2 时，连接仍然成功，并且在 Wireshark 中我看到协商的协议是 TLS 1.1。我需要的是：当服务器上禁用了 TLS 1.2 时，连接应当失败，而不是协商降级到较低的版本。
// Opens an LDAPS session to `host`, tries to pin the TLS parameters, then
// connects and binds. `err`, `host`, `timelimit`, `userObject` and
// `password` are declared outside this fragment (the enclosing function
// starts before these lines).
//
// NOTE(review): none of the `err` values below are acted on; they are only
// logged, so a failed option call still falls through to ldap_connect/bind.
// A caller that requires a specific TLS version should stop at the first
// non-LDAP_SUCCESS result.
LDAP* ldap = ldap_sslinit(const_cast<wchar_t*>(host), LDAP_SSL_PORT, 1); // third arg = secure (SSL/TLS on connect)
// NOTE(review): ldap_sslinit returns NULL on failure; `ldap` is not checked before use below.
ULONG version = LDAP_VERSION3;
err = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
printLogD(L"LDAPInitialiseConnections: ldap_set_option for LDAP_OPT_PROTOCOL_VERSION returned ", err);
err = ldap_set_option(ldap, LDAP_OPT_ENCRYPT, LDAP_OPT_ON);
printLogD(L"LDAPInitialiseConnections: ldap_set_option for LDAP_OPT_ENCRYPT LDAP_OPT_ON returned ", err);
// NOTE(review): LDAP_OPT_ENCRYPT is set a second time here with a ULONG of 1;
// this duplicates the LDAP_OPT_ON call just above and one of the two is redundant.
// LDAP_OPT_ENCRYPT (SASL sealing) is also a different layer from the SSL/TLS
// transport enabled by ldap_sslinit, so it does not influence which TLS
// version is negotiated — confirm against the wldap32 docs.
ULONG ldapOptOn = 1;
err = ldap_set_option(ldap, LDAP_OPT_ENCRYPT, &ldapOptOn);
printLogD(L"LDAPInitialiseConnections: ldap_set_option for LDAP_OPT_ENCRYPT returned ", err);
// Attempt to pin the TLS protocol/cipher by pushing a SecPkgContext_ConnectionInfo
// into the session.
// NOTE(review): as far as I recall, LDAP_OPT_SSL_INFO is a *query* option —
// ldap_get_option fills a SecPkgContext_ConnectionInfo with what Schannel
// actually negotiated — not an input for ldap_set_option; that would explain
// why the connection still negotiates TLS 1.1 with the server's TLS 1.2 off.
// Verify against the ldap_set_option/LDAP_OPT_SSL_INFO documentation; the
// return code in `sslreturnCode` is never inspected, which would reveal it.
SecPkgContext_ConnectionInfo spcci;
spcci.dwProtocol = SP_PROT_TLS1_2_CLIENT;
spcci.aiCipher = CALG_AES_256;
spcci.dwCipherStrength = 256;
spcci.aiHash = CALG_SHA;
spcci.dwHashStrength = 160;
spcci.aiExch = 0x0000ae06;  // magic number; looks like the CALG_ECDH_EPHEM ALG_ID — prefer the named constant
spcci.dwExchStrength = 256;
int sslreturnCode = ldap_set_option(ldap,
LDAP_OPT_SSL_INFO, (void *)&spcci);
// NOTE(review): `sslreturnCode` is not checked or logged, unlike the other option calls.
l_timeval timeVal;
timeVal.tv_sec = timelimit;
timeVal.tv_usec = 0;
err = ldap_connect(ldap, &timeVal);
// NOTE(review): to enforce "fail unless TLS 1.2", the robust place is here,
// after ldap_connect: read back LDAP_OPT_SSL_INFO with ldap_get_option into a
// fresh SecPkgContext_ConnectionInfo and refuse to bind (ldap_unbind and
// return an error) if its dwProtocol is not SP_PROT_TLS1_2_CLIENT. That is a
// post-handshake check, so the client still offers lower versions, but no
// credentials are sent over a downgraded session.
// NOTE(review): `*err` dereferences err, whereas every earlier line assigns to
// `err` directly — this looks like a typo (or err changed type between the
// original and this paste); confirm against the declaration.
// NOTE(review): with LDAP_AUTH_NEGOTIATE, the wldap32 ldap_bind_s cred
// parameter is documented (I believe) as a SEC_WINNT_AUTH_IDENTITY pointer
// rather than a plain password string; if `password` is a bare wchar_t*,
// verify that this bind is using the credentials you intend.
*err = ldap_bind_s(ldap,const_cast<wchar_t*>(userObject),
const_cast<wchar_t*>(password),
LDAP_AUTH_NEGOTIATE);