Re: add option for setting minimum TLS/SSL protocol (ITS#5655)

[guenther@sendmail.com]

On Fri, 23 Jan 2009, Howard Chu wrote:
> guenther@sendmail.com wrote:
> > I could have sworn I had uploaded the revised version of the patch back in
> > August after some cleaning by Kurt, but have no way of confirming it.  So
> > I've uploaded it again as guenther-20081204.patch.
> 
> Thanks, patch looks good, committed to HEAD. Have you got a manpage 
> update, by the way?

Here's the chunk for ldap.conf(5), diffed against the trunk.  None of the 
LDAP_OPT_X_TLS* options appear to be documented, so I didn't add anything 
to ldap_get_option(3).

Philip


Index: doc/man/man5/ldap.conf.5
===================================================================
RCS file: /data/cvs/openldap/pkg/ldap/doc/man/man5/ldap.conf.5,v
retrieving revision 1.50
diff -u -r1.50 ldap.conf.5
--- doc/man/man5/ldap.conf.5	26 Jan 2009 01:54:32 -0000	1.50
+++ doc/man/man5/ldap.conf.5	19 Mar 2009 18:22:00 -0000
@@ -336,6 +336,19 @@
 	gnutls-cli -l
 .fi
 .TP
+.B TLS_PROTOCOL_MIN <major>[.<minor>]
+Specifies minimum SSL protocol version that will be negoiated.
+If the server doesn't support at least that version,
+the SSL handshake will fail.
+To require TLS 1.x or higher, set this option to 3.(x+1),
+e.g.,
+.B TLS_PROTOCOL_MIN 3.2
+would require TLS 1.1.
+Specifying a minimum that is higher than that supported by the
+OpenLDAP implementation will result it in requiring the
+highest level that it does support.
+This parameter is currently ignored with GNUtls.
+.TP
 .B TLS_RANDFILE <filename>
 Specifies the file to obtain random bits from when /dev/[u]random is
 not available. Generally set to the name of the EGD/PRNGD socket.