Our code base connects to our Active Directory through the ldap_* functions. I just learned this morning that they're connecting to our AD over TLS 1.0.

Question 1: Is there a way to force the ldap_* functions to connect over TLS 1.2?

Other info:

  • Windows 2012 R2
  • PHP 5.3
  • IIS 8.5

I've tried googling things like: enable "tls 1.2" ldap php; "tls 1.2" ldap php; and ldap php functions support tls 1.2, and the results have been unhelpful. I've found comments in three places that say that Windows 2012 R2 doesn't support TLS 1.2 through LDAPS and to disable TLS 1.2, but ... that's the opposite of what I want, and so far there have been no issues with not specifically disabling TLS 1.2 in the code base.

Followup Question: Do the ldap_* functions still not support TLS 1.2 on Windows 2012 R2 with PHP?

1 Answer

I talked to a friend who is much more knowledgeable about security than I.

The scope of my question was too narrow and the problem comes from the version of PHP I am on.

In order for PHP to securely connect to Active Directory, it uses the OpenSSL library. TLS 1.1/1.2 support in OpenSSL came in v1.0.1. PHP 5.3 comes with v0.9.8.

My friend gave me a suggestion of faking TLS 1.1 and forcing the ldap functions to use that, like this:

// OpenLDAP option id (0x6007) and protocol version numbers (major << 8 | minor)
define('LDAP_OPT_X_TLS_PROTOCOL_MIN', 24583);   // 0x6007
define('LDAP_OPT_X_TLS_PROTOCOL_SSL2', 512);    // 0x200
define('LDAP_OPT_X_TLS_PROTOCOL_SSL3', 768);    // 0x300
define('LDAP_OPT_X_TLS_PROTOCOL_TLS1_0', 769);  // 0x301
define('LDAP_OPT_X_TLS_PROTOCOL_TLS1_1', 770);  // 0x302
define('LDAP_OPT_X_TLS_PROTOCOL_TLS1_2', 771);  // 0x303

and

// $handler is the link returned by ldap_connect(); returns false if the option is rejected
ldap_set_option($handler, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_1);

But this did not work for me.

I attempted to try using newer versions of OpenSSL with 5.3, but these did not work either. It seems that truly the only solution is updating to a newer version of PHP, minimum of 5.6.

There's a possibility of using a third-party library, but that is a can of worms I chose not to open.
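For reference, this is what the setting looks like once the code base is on a PHP build whose OpenLDAP/OpenSSL actually supports TLS 1.2 (PHP 7.1 or later defines the TLS constants natively). This is an added example, not code from the question or the answer; the LDAPS URI, bind DN and password are placeholders, and it assumes that TLS options set with a null handle apply to the global default context that new connections inherit.

```php
<?php
// Added example: require TLS 1.2 and certificate validation for an LDAPS bind,
// and surface the library's diagnostic message when the handshake or bind fails.

// PHP 7.1+ defines these; older builds can be given the OpenLDAP values directly.
if (!defined('LDAP_OPT_X_TLS_PROTOCOL_MIN')) {
    define('LDAP_OPT_X_TLS_PROTOCOL_MIN', 0x6007);     // 24583
    define('LDAP_OPT_X_TLS_PROTOCOL_TLS1_2', 0x303);   // 771
    define('LDAP_OPT_X_TLS_REQUIRE_CERT', 0x6006);     // 24582
    define('LDAP_OPT_X_TLS_DEMAND', 2);                // fail if the cert does not verify
}

function ldapsBindTls12(string $uri, string $bindDn, string $password)
{
    // Assumption: with a null handle these go to the global TLS context,
    // which must happen before ldap_connect() so the new link picks them up.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)) {
        throw new RuntimeException('this PHP/OpenLDAP build rejects LDAP_OPT_X_TLS_PROTOCOL_MIN');
    }
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect($uri);            // e.g. 'ldaps://dc01.example.test:636' (placeholder)
    if ($ld === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that break binds

    // ldaps:// negotiates TLS on connect; a server limited to TLS 1.0 fails here
    // with "Can't contact LDAP server" rather than silently downgrading.
    if (!@ldap_bind($ld, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('bind failed: %s [%s]', ldap_error($ld), $diag));
    }
    return $ld;
}

// Placeholder values; replace with real ones from configuration, never hard-code secrets.
try {
    $ld = ldapsBindTls12('ldaps://dc01.example.test:636',
                         'CN=svc-web,OU=Service Accounts,DC=example,DC=test',
                         getenv('LDAP_BIND_PASSWORD') ?: '');
    echo "bound over LDAPS with TLS 1.2 minimum\n";
    ldap_unbind($ld);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Running this against a domain controller that still only offers TLS 1.0 for LDAPS is a quick way to confirm whether the limitation is on the PHP side or the server side before upgrading anything.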