> With the current dependency chain there is no possibility to use TLS 1.3 with IPA
I don't believe this statement is actually true?
$ curl -kvI https://192.168.122.164:9999 2>&1 | grep 'connection using'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

$ openssl s_client -connect 192.168.122.164:9999 -tls1_3 -brief
Can't use SSL_get_servername
depth=0 CN = box
verify error:num=18:self-signed certificate
depth=0 CN = box
verify error:num=10:certificate has expired
notAfter=Aug 11 09:58:25 2023 GMT
notAfter=Aug 11 09:58:25 2023 GMT
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = box
Hash used: SHA256
Signature type: ECDSA
Verification error: certificate has expired
Server Temp Key: X25519, 253 bits
I think what we discovered is that you cannot limit IPA to *only* support 1.3 because of Python (not only oslo.service) limitations.
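Added example, not from this thread and not IPA's or oslo.service's own code: a small Python script that reproduces the two points above against a local server it starts itself, namely that a default-configured server negotiates TLS 1.3 when the client offers it (what the curl and s_client output shows), but still accepts a TLS 1.2-only client unless the server context is explicitly pinned to TLS 1.3. It assumes either an `openssl` binary or the `cryptography` package is available to mint a throwaway self-signed certificate (CN=box, constructed at runtime), and it disables certificate verification on the client side the same way `curl -k` does, because the test certificate is self-signed.

```python
"""Probe TLS version negotiation against a local Python ssl server.

Added example (not part of the thread).  Assumes `openssl` or `cryptography`
is installed to generate a throwaway self-signed certificate.
"""
import datetime
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"


def make_self_signed_cert(tmpdir):
    """Write a throwaway RSA key and self-signed cert for CN=box (constructed,
    not a real deployment identity).  Tries `openssl` first, then `cryptography`."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    try:
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=box"],
            check=True, capture_output=True)
        return crt, key
    except (OSError, subprocess.CalledProcessError):
        pass  # no usable openssl CLI; fall back to the cryptography package
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "box")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(priv.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(priv, hashes.SHA256()))
    with open(key, "wb") as f:
        f.write(priv.private_bytes(serialization.Encoding.PEM,
                                   serialization.PrivateFormat.PKCS8,
                                   serialization.NoEncryption()))
    with open(crt, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    return crt, key


def negotiate(server_min, client_min, client_max, crt, key):
    """Run one handshake against a local server whose minimum version is
    `server_min`, from a client restricted to [client_min, client_max].
    Returns the negotiated protocol name ('TLSv1.3', 'TLSv1.2', ...) or None
    when the handshake is refused."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.minimum_version = server_min
    srv_ctx.load_cert_chain(crt, key)

    lsock = socket.socket()
    lsock.bind((HOST, 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # block until the client is done and closes
        except OSError:
            pass  # handshake refused (e.g. protocol_version alert) or ragged EOF
        finally:
            conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.minimum_version = client_min
    cli_ctx.maximum_version = client_max
    cli_ctx.check_hostname = False
    cli_ctx.verify_mode = ssl.CERT_NONE  # self-signed test cert, like curl -k
    try:
        with cli_ctx.wrap_socket(socket.create_connection((HOST, port))) as tls:
            version = tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        version = None
    t.join(5)
    lsock.close()
    return version


def run_checks():
    """Three handshakes mirroring the thread's questions."""
    v12, v13 = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed_cert(tmp)
        return {
            # a server allowing 1.2+ negotiates TLS 1.3 with a 1.3 client
            "default_server_tls13_client": negotiate(v12, v13, v13, crt, key),
            # ...but still accepts a 1.2-only client: it is not "1.3 only"
            "default_server_tls12_client": negotiate(v12, v12, v12, crt, key),
            # pinning minimum_version on the server context is what "only 1.3" takes
            "strict_server_tls12_client": negotiate(v13, v12, v12, crt, key),
        }


if __name__ == "__main__":
    for name, version in run_checks().items():
        print(f"{name}: {version}")
```

The third case is the one that matters for the "only TLS 1.3" question: whether a given service can be pinned that way depends on whether the layers between the application and `ssl.SSLContext` (here, oslo.service and IPA's own server setup) let you reach `minimum_version` or an equivalent option, not on whether the interpreter's `ssl` module can express it.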