[Date Prev][Date Next]
Re: add option for setting minimum TLS/SSL protocol (ITS#5655)
On Fri, 23 Jan 2009, Howard Chu wrote:
> firstname.lastname@example.org wrote:
> > I could have sworn I had uploaded the revised version of the patch back in
> > August after some cleaning by Kurt, but have no way of confirming it. So
> > I've uploaded it again as guenther-20081204.patch.
> Thanks, patch looks good, committed to HEAD. Have you got a manpage
> update, by the way?
Here's the chunk for ldap.conf(5), diffed against the trunk. None of the
LDAP_OPT_X_TLS* options appear to be documented, so I didn't add anything
RCS file: /data/cvs/openldap/pkg/ldap/doc/man/man5/ldap.conf.5,v
retrieving revision 1.50
diff -u -r1.50 ldap.conf.5
--- doc/man/man5/ldap.conf.5 26 Jan 2009 01:54:32 -0000 1.50
+++ doc/man/man5/ldap.conf.5 19 Mar 2009 18:22:00 -0000
@@ -336,6 +336,19 @@
+.B TLS_PROTOCOL_MIN <major>[.<minor>]
+Specifies minimum SSL protocol version that will be negoiated.
+If the server doesn't support at least that version,
+the SSL handshake will fail.
+To require TLS 1.x or higher, set this option to 3.(x+1),
+.B TLS_PROTOCOL_MIN 3.2
+would require TLS 1.1.
+Specifying a minimum that is higher than that supported by the
+OpenLDAP implementation will result it in requiring the
+highest level that it does support.
+This parameter is currently ignored with GNUtls.
.B TLS_RANDFILE <filename>
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.