
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol



guenther+ldapdev@sendmail.com wrote:
> It's time for SSL version 2.0 to die:

Yupp!

> As a first step, here's a patch against the CVS trunk that adds the ability to
> set the minimum TLS/SSL protocol from the C API (LDAP_OPT_X_TLS_PROTOCOL_MIN),
> the ldap.conf (TLS_PROTOCOL_MIN), and the slapd config
> (TLSProtocolMin/olcTLSProtocolMin).  Possible settings are:
> C API ldap_[sg]et_option()             ldap.conf/slapd config
> -----------------------------------------------------------
> LDAP_OPT_X_TLS_PROTOCOL_SSLv2          SSLv2
> LDAP_OPT_X_TLS_PROTOCOL_SSLv3          SSLv3
> LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0        TLSv1 OR TLSv1.0

From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for, 
isn't it? It's directly passed to OpenSSL and can also be used to enable 
or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.

Apache HTTP server does it also that way. See:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

This patch could be necessary if different SSL implementations can be 
used which have different parameters for this. Still you would have to 
set other implementation-specific parameters...

Ciao, Michael.