
RE: restrict openldap TLS version



That's unfortunate. I had found the freeradius command that provided that
functionality (disable_tlsv1_2 = yes), and was hoping there would be
something similar for openldap. The reference to it not being documented was
more of a pointer to the thread, where I saw the code snippet for what
looked like the feature I needed.

-David


-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Thursday, December 01, 2016 1:31 PM
To: David Ward <daward@Brocade.COM>; openldap-technical@openldap.org
Subject: Re: restrict openldap TLS version

--On Thursday, December 01, 2016 6:24 PM +0000 David Ward
<daward@Brocade.COM> wrote:


Hi David,

> I'm looking for a test method to restrict the level of TLS used with
> slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the
> undocumented command 'TLSProtocolMin' to require minimum strength. I
> would like to disable certain versions.

I'm unclear what you mean by undocumented.  It is clearly documented in the 
slapd.conf(5) man page (for 2.4.44), which you can freely view on the 
OpenLDAP.org website:


       TLSProtocolMin <major>[.<minor>]
              Specifies minimum SSL/TLS protocol version that will be
              negotiated. If the server doesn't support at least that
              version, the SSL handshake will fail. To require TLS 1.x or
              higher, set this option to 3.(x+1), e.g.,

                   TLSProtocolMin 3.2

              would require TLS 1.1. Specifying a minimum that is higher than
              that supported by the OpenLDAP implementation will result in it
              requiring the highest level that it does support. This
              directive is ignored with GnuTLS.

There is not, as far as I know, any way to fine tune things beyond this 
(i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).

Hope that helps!

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
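As an added example (not part of the thread or of OpenLDAP itself), a small POSIX shell helper that applies the man page's 3.(x+1) rule, lists which TLS versions a given TLSProtocolMin still permits, and verifies a server's behaviour by attempting handshakes with openssl s_client over ldaps. It assumes openssl is installed and that the server listens with TLS from the start on port 636; the 1.3 -> 3.4 entry follows the formula beyond what the 2.4.40 server in the thread would negotiate.

```shell
#!/bin/sh
# Added example: helpers around slapd's TLSProtocolMin directive.

# tls_min_directive 1.2  -> "TLSProtocolMin 3.3"
# Applies the man page rule: to require TLS 1.x or higher, use 3.(x+1).
tls_min_directive() {
  case "$1" in
    1.0) echo "TLSProtocolMin 3.1" ;;
    1.1) echo "TLSProtocolMin 3.2" ;;
    1.2) echo "TLSProtocolMin 3.3" ;;
    1.3) echo "TLSProtocolMin 3.4" ;;   # extrapolated from the formula
    *)   echo "unsupported TLS version: $1" >&2; return 1 ;;
  esac
}

# allowed_versions 3.3 -> "1.2 1.3"
# Inverse view: the TLS versions that a configured minimum still permits.
allowed_versions() {
  minor="${1#3.}"
  [ "$1" = "3.$minor" ] || { echo "bad TLSProtocolMin value: $1" >&2; return 1; }
  out=""
  for v in 1.0 1.1 1.2 1.3; do
    code=$(( ${v#1.} + 1 ))          # TLS 1.x is encoded as minor x+1
    [ "$code" -ge "$minor" ] && out="$out${out:+ }$v"
  done
  echo "$out"
}

# probe_tls_versions host [port]
# Attempts one handshake per protocol version against an ldaps listener and
# reports which the server accepts. Versions that the local openssl build
# lacks also show as rejected, so compare against a known-good target first.
probe_tls_versions() {
  host="$1"; port="${2:-636}"
  for flag in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$host:$port" "-$flag" </dev/null >/dev/null 2>&1; then
      echo "$flag: accepted"
    else
      echo "$flag: rejected"
    fi
  done
}
```

After setting `TLSProtocolMin 3.3` and restarting slapd, `probe_tls_versions ldap.example.com` should report tls1 and tls1_1 as rejected; the directive takes effect only with an OpenSSL-built slapd, since the man page notes it is ignored with GnuTLS.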
