
Re: restrict openldap TLS version



--On Thursday, December 01, 2016 6:24 PM +0000 David Ward <daward@Brocade.COM> wrote:


Hi David,

> I'm looking for a test method to restrict the level of TLS used with
> slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the
> undocumented command 'TLSProtocolMin' to require minimum strength. I
> would like to disable certain version.

I'm unclear what you mean by undocumented. It is clearly documented in the slapd.conf(5) man page (for 2.4.44), which you can freely view on the OpenLDAP.org website:


       TLSProtocolMin <major>[.<minor>]
              Specifies minimum SSL/TLS protocol version that will be negotiated.
              If the server doesn't support at least that version, the SSL
              handshake will fail. To require TLS 1.x or higher, set this option
              to 3.(x+1), e.g.,

                   TLSProtocolMin 3.2

              would require TLS 1.1. Specifying a minimum that is higher than
              that supported by the OpenLDAP implementation will result in it
              requiring the highest level that it does support. This directive
              is ignored with GnuTLS.

There is not, as far as I know, any way to fine tune things beyond this (i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).

Hope that helps!

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
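As an added example (not from this thread and not OpenLDAP's own code), the script below turns the man page rule quoted above, "TLS 1.x or higher => TLSProtocolMin 3.(x+1)", into a small helper that emits the slapd.conf TLS stanza for a chosen floor, plus the inverse for reading an existing config, and a probe that uses openssl s_client to confirm which protocol versions a running slapd actually completes a handshake for. It assumes slapd serves ldaps:// on port 636 (or a port you pass), that openssl is on PATH, and uses placeholder certificate paths under /etc/ldap/ssl/; none of those are stated in the thread.

```shell
#!/bin/sh
# Added example, not part of the OpenLDAP thread or project.
# Maps a minimum TLS version to the slapd.conf TLSProtocolMin directive
# using the documented rule (TLS 1.x => 3.(x+1); SSLv3 is version 3.0),
# and probes a live server to verify the floor took effect.

# tls_min_directive TLS1.2  -> "TLSProtocolMin 3.3"
tls_min_directive() {
    case "$1" in
        SSL3.0|SSLv3) echo "TLSProtocolMin 3.0" ;;
        TLS1.[0-9])
            minor=${1#TLS1.}
            echo "TLSProtocolMin 3.$((minor + 1))" ;;
        *)  echo "usage: tls_min_directive TLS1.<x> | SSL3.0" >&2; return 1 ;;
    esac
}

# tls_version_of 3.3 -> "TLS1.2": the inverse, for reading an existing config
tls_version_of() {
    case "$1" in
        3.0)     echo "SSL3.0" ;;
        3.[1-9]) echo "TLS1.$(( ${1#3.} - 1 ))" ;;
        *)       echo "unrecognised TLSProtocolMin value: $1" >&2; return 1 ;;
    esac
}

# slapd_tls_stanza TLS1.2: emit a slapd.conf TLS stanza with that floor.
# Certificate paths are placeholders (assumption, adjust for your host).
slapd_tls_stanza() {
    cat <<EOF
TLSCertificateFile    /etc/ldap/ssl/slapd.crt
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key
TLSCACertificateFile  /etc/ldap/ssl/ca.crt
$(tls_min_directive "$1")
EOF
}

# probe_tls host [port]: try each protocol flag with openssl s_client and
# report whether slapd completed the handshake. Only a minimum can be set,
# so every version at or above the floor should be "accepted" and every
# version below it "rejected". Flags the local openssl does not know
# (e.g. -tls1_3 on older builds) are skipped rather than misreported.
probe_tls() {
    host=$1; port=${2:-636}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if ! openssl s_client -help 2>&1 | grep -q -- "$flag"; then
            echo "$flag: not supported by local openssl, skipped"
            continue
        fi
        if printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" \
              >/dev/null 2>&1; then
            echo "$flag: accepted"
        else
            echo "$flag: rejected"
        fi
    done
}

# Example usage (uncomment on a real host):
# slapd_tls_stanza TLS1.2
# probe_tls ldap.example.com 636
```

For a cn=config deployment the same value goes in the olcTLSProtocolMin attribute of cn=config rather than in slapd.conf. As the quoted man page text notes, the directive is ignored with GnuTLS, so the probe is the only reliable way to know what a given build enforces; and because only a floor can be expressed, the probe output will always be contiguous (a run of "rejected" followed by a run of "accepted"), never a hole in the middle.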