Cannot use TLS 1.3 cipher suites with OPT_X_TLS_CIPHER_SUITE

[Wenyi-Cheng]

Issue description:

I'm trying to configure TLS 1.3 cipher suites(RFC link) with OPT_X_TLS_CIPHER_SUITE and it doesn't seem to work. It looks like OPT_X_TLS_CIPHER_SUITE only supports the old cipher lists for TLS 1.2 and lower. Is there any way to configure TLS 1.3 cipher suite for the connection?

Steps to reproduce:

l = ldap.initialize( host )
...
l.set_option( ldap.OPT_X_TLS_PROTOCOL_MIN, ldap.OPT_X_TLS_PROTOCOL_TLS1_3 )
l.set_option( ldap.OPT_X_TLS_CIPHER_SUITE, "TLS_AES_128_CCM_8_SHA256" )
...
l.start_tls_s()

These still allow me to establish a TLS 1.3 connection even if the server side doesn't support TLS_AES_128_CCM_8_SHA256.

Python version:
3.9.17

python-ldap version:
3.4.3

Thanks,
Wenyi

[tiran]

You fell victim of an OpenLDAP quirk. libldap does not apply any TLS settings unless you tell it to create a new TLS context, see https://www.python-ldap.org/en/python-ldap-3.4.3/reference/ldap.html#tls-options

Try this:

l = ldap.initialize(host)
l.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, ldap.OPT_X_TLS_PROTOCOL_TLS1_3)
l.set_option(ldap.OPT_X_TLS_CIPHER_SUITE, "TLS_AES_128_CCM_8_SHA256")
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
l.start_tls_s()

It may fail with ValueError: option error, because some vendors do not include CCM in their OpenSSL builds.