Full_Name: Manuel Gaupp
Version: 2.4.35
OS: CentOS 6.3
URL:
Submission from: (NULL) (79.234.218.31)

This topic was originally discussed in http://www.openldap.org/lists/openldap-technical/201307/msg00133.html

1.) the TLSProtocolMin parameter is not documented, but it should be - at least in slapd.conf/slapd-config and ldap.conf (there is an example in the original ITS #5655)

2.) the TLSProtocolMin functionality should be extended for TLS 1.1 and TLS 1.2 (see http://www.openldap.org/lists/openldap-technical/201307/msg00138.html)

3.) ldap.conf already accepts correctly formatted TLSProtocolMin values (e.g. "3.1") whereas slapd.conf doesn't (has to be given as an integer, e.g. "769"); I think servers/slapd/bconfig.c should be changed to use ldap_int_tls_config for this option (as mentioned in the FIXME comment of config_tls_config).
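The two value forms mentioned in item 3 are the same number written differently: libldap packs a protocol version as (major << 8) | minor, which is what the LDAP_OPT_X_TLS_PROTOCOL(major,minor) macro in ldap.h computes, so "3.1" (SSL 3.1, i.e. TLS 1.0) is 769 and "3.3" (TLS 1.2) is 771. The following C is an added illustration, not OpenLDAP's own parser: it accepts both the dotted form ldap.conf takes and the packed-integer form slapd.conf took at the time of the report, rejects malformed input instead of silently lowering the floor, and shows the comparison slapd would apply once the minimum is honoured for TLS 1.1 and 1.2. The function names and the decision to treat any bare integer above 255 as already packed are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example (not OpenLDAP code). Packs a version the same way as
 * libldap's LDAP_OPT_X_TLS_PROTOCOL(major,minor): (major << 8) | minor,
 * so 3.1 (TLS 1.0) -> 769, 3.2 (TLS 1.1) -> 770, 3.3 (TLS 1.2) -> 771. */
#define TLS_PROTO(maj, min) (((maj) << 8) | (min))

/* Parse a TLSProtocolMin value given either as "<major>[.<minor>]" (the
 * ldap.conf form) or as an already packed integer such as "769" (the
 * slapd.conf form described in the report). A missing minor means 0.
 * Returns the packed value, or -1 for anything malformed, so a typo in
 * the config cannot be misread as "no minimum". (Hypothetical helper.) */
int parse_tls_protocol_min(const char *s)
{
    char *end;
    long major, minor = 0;

    if (s == NULL || *s == '\0' || !isdigit((unsigned char)*s))
        return -1;

    major = strtol(s, &end, 10);
    if (*end == '.') {
        /* Dotted form: require at least one digit after the dot. */
        if (!isdigit((unsigned char)end[1]))
            return -1;
        minor = strtol(end + 1, &end, 10);
    } else if (*end == '\0' && major > 255) {
        /* Assumption of this example: a bare integer that does not fit
         * in one byte is treated as already packed (e.g. 769). */
        if (major > 0xffff)
            return -1;
        return (int)major;
    }

    if (*end != '\0' || major < 0 || major > 255 || minor < 0 || minor > 255)
        return -1;
    return TLS_PROTO((int)major, (int)minor);
}

/* Render a packed value as "<major>.<minor>" for log messages.
 * buf must hold at least 8 bytes. (Hypothetical helper.) */
const char *format_tls_protocol(int packed, char *buf, size_t buflen)
{
    snprintf(buf, buflen, "%d.%d", (packed >> 8) & 0xff, packed & 0xff);
    return buf;
}

/* The floor check itself: 1 if the negotiated version meets the
 * configured minimum, 0 if the connection should be refused. */
int tls_version_allowed(int negotiated, int configured_min)
{
    return negotiated >= configured_min;
}

/* Stand-alone use: parse argv[1] and print the packed value and its
 * dotted rendering, e.g. "3.3" -> 771 (3.3). */
int main(int argc, char **argv)
{
    char buf[8];
    int v;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <major>[.<minor>]|<packed>\n", argv[0]);
        return 2;
    }
    v = parse_tls_protocol_min(argv[1]);
    if (v < 0) {
        fprintf(stderr, "malformed TLSProtocolMin value: %s\n", argv[1]);
        return 1;
    }
    printf("%s -> %d (%s)\n", argv[1], v, format_tls_protocol(v, buf, sizeof buf));
    return 0;
}
```

Because both spellings reduce to one integer, a server that compares the negotiated version against this packed value treats "3.1" and "769" identically; the documentation question in the patch below is therefore only about which spelling each man page promises to accept, not about different behaviour.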
changed notes changed state Open to Test moved from Incoming to Documentation
changed notes changed state Test to Release
[Post-facto. Howard has already committed this] I believe there's two other doc changes that should be added for this: 1) syncrepl accepts tls_protocol_min as a suboption too, 2) for consistency, perhaps slapd-ldap(5) and slapd-meta(5) should use the same <major>[.<minor>] syntax for the value as ldap.conf(5) and slapd.conf(5) ? First two chunks below are for (1), second two for (2). Philip Guenther diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index af8beb3..2f8e656 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -1786,6 +1786,7 @@ FALSE, meaning the contextCSN is stored in the context entry. .B [tls_reqcert=never|allow|try|demand] .B [tls_ciphersuite=<ciphers>] .B [tls_crlcheck=none|peer|all] +.B [tls_protocol_min=<major>[.<minor>]] .B [suffixmassage=<real DN>] .B [logbase=<base DN>] .B [logfilter=<filter str>] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 70116df..8840e3a 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1763,6 +1763,7 @@ the contextCSN is stored in the context entry. .B [tls_reqcert=never|allow|try|demand] .B [tls_ciphersuite=<ciphers>] .B [tls_crlcheck=none|peer|all] +.B [tls_protocol_min=<major>[.<minor>]] .B [suffixmassage=<real DN>] .B [logbase=<base DN>] .B [logfilter=<filter str>] diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 98969e0..8df818c 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -114,7 +114,7 @@ needs to be created. .B [tls_cacertdir=<path>] .B [tls_reqcert=never|allow|try|demand] .B [tls_ciphersuite=<ciphers>] -.B [tls_protocol_min=<version>] +.B [tls_protocol_min=<major>[.<minor>]] .B [tls_crlcheck=none|peer|all] .RS Allows to define the parameters of the authentication method that is diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index a4020b5..9a326d5 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 
@@ -381,7 +381,7 @@ for details on the syntax of this field. .B [tls_cacertdir=<path>] .B [tls_reqcert=never|allow|try|demand] .B [tls_ciphersuite=<ciphers>] -.B [tls_protocol_min=<version>] +.B [tls_protocol_min=<major>[.<minor>]] .B [tls_crlcheck=none|peer|all] .RS Allows to define the parameters of the authentication method that is
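Review bot: the slapd-config.5 hunk adds `.B [tls_protocol_min=<major>[.<minor>]]` to the syncrepl synopsis, but nothing in the hunk describes the suboption itself, so a reader still does not learn what the value means or which TLS version a given major.minor selects. Suggest a short descriptive paragraph next to the other tls_* suboptions so that the replication floor can be set deliberately rather than by guessing at the syntax.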
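Review bot: the slapd.conf.5 hunk documents the syncrepl suboption with the `<major>[.<minor>]` syntax, while item 3 of the report states that the global TLSProtocolMin directive in slapd.conf still takes a packed integer (e.g. "769") until bconfig.c is switched to ldap_int_tls_config. Confirm that the syncrepl suboption parser actually accepts the dotted form before promising it here, and consider a cross-reference between this entry and the TLSProtocolMin directive so the two value syntaxes are reconciled in one place.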
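Review bot: the slapd-ldap.5 hunk changes the synopsis from `<version>` to `<major>[.<minor>]`, but the hunk shows no corresponding change to the option's description, so the value is still undefined for the reader. If `<version>` was there because back-ldap accepted the packed integer form, the description should say whether that form remains accepted by existing configurations, so that an administrator tightening the minimum (the purpose of item 2 in the report) is not surprised by a value that no longer parses.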
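Review bot: the slapd-meta.5 hunk mirrors the back-ldap synopsis change; whatever description of the value ends up in slapd-ldap(5) should either be repeated verbatim here or replaced by a reference to slapd-ldap(5), otherwise the two pages will drift the next time the accepted syntax changes.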
changed notes changed state Release to Closed
fixed in master fixed in RE24