
Re: How to configure OpenLDAP on Debian Stretch to support SSLv3.0



--On Tuesday, July 02, 2019 12:58 PM +1000 Jeremy Davis <jeremy@turnkeylinux.org> wrote:

Hi all,

I'm writing on behalf of a user regarding how to go about configuring
LDAPS support for SSLv3.0 certificate under OpenLDAP v2.4.44 - running
on Debian 9/Stretch (default Debian 'slapd' package install).

Hi Jeremy,

I don't have a system in front of me to test this against, but in reading the slapd.conf(5) man page, it's fairly clear that:

a) GnuTLS ignores the TLSProtocolMin directive, so you can't use that and

b) That the way to do this with GnuTLS is via the TLSCipherSuite setting. The man page directs one to look at the gnutls-cli(1) man page, in particular, the --priority setting.

If we pull up this man page (<https://linux.die.net/man/1/gnutls-cli> for example), there are some examples provided there. Based on those examples, it looks like perhaps something along the lines of:

"NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could set it to something like "NORMAL:+VERS-SSL3.0" or perhaps "EXPORT:+VERS-SSL3.0"

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
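
An added example (not part of the original message, and not OpenLDAP or GnuTLS code): a small Python check that scans slapd configuration text for the TLSCipherSuite priority strings discussed above and reports any that explicitly re-enable legacy protocol versions or start from the EXPORT keyword. The function names, the sample configuration lines and the set of versions treated as legacy are assumptions of this example.

```python
import re

# Versions this example treats as legacy (an assumption; adjust to local policy).
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}
# slapd.conf form "TLSCipherSuite <value>" and cn=config form "olcTLSCipherSuite: <value>".
DIRECTIVE = re.compile(r"^\s*(?:olc)?TLSCipherSuite:?\s+(\S.*?)\s*$", re.I)


def legacy_versions_enabled(priority):
    """Return legacy versions that a GnuTLS priority string explicitly leaves enabled."""
    enabled = set()
    for token in priority.strip().strip('"').split(":"):
        token = token.strip()
        if len(token) < 2:
            continue
        action, name = token[0], token[1:].upper()
        if name not in LEGACY_VERSIONS:
            continue
        if action == "+":
            enabled.add(name)       # "+VERS-..." switches the version on
        elif action in "-!":
            enabled.discard(name)   # "-" or "!" switches it off again
    return sorted(enabled)


def audit_config(text):
    """Return (line number, priority string, issues) for each risky directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue                # comments and other directives are skipped
        priority = match.group(1).strip('"')
        issues = legacy_versions_enabled(priority)
        if priority.split(":")[0].upper() == "EXPORT":
            issues.append("EXPORT")  # base keyword that brought in export-grade suites
        if issues:
            findings.append((lineno, priority, issues))
    return findings


# Constructed sample mixing slapd.conf and cn=config style lines.
SAMPLE = """\
# constructed fragment for this example
TLSCertificateFile /etc/ldap/tls/server.pem
TLSCipherSuite NORMAL:+VERS-SSL3.0
olcTLSCipherSuite: NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
TLSCipherSuite "EXPORT:+VERS-SSL3.0"
"""

if __name__ == "__main__":
    for lineno, priority, issues in audit_config(SAMPLE):
        print(f"line {lineno}: {priority} -> {', '.join(issues)}")
```

The check only reads what the priority string asks for; whether the installed GnuTLS build still honours a given version is a separate question.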