Re: restrict openldap TLS version

[Quanah Gibson-Mount <quanah@symas.com>]

--On Thursday, December 01, 2016 6:24 PM +0000 David Ward 
<daward@Brocade.COM> wrote:


Hi David,

> I'm looking for a test method to restrict the level of TLS used with
> slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the
> undocumented command 'TLSProtocolMin' to require minimum strength. I
> would like to disable certain version.

I'm unclear what you mean by undocumented.  It is clearly documented in the 
slapd.conf(5) man page (for 2.4.44), which you can freely view on the 
OpenLDAP.org website:


      TLSProtocolMin <major>[.<minor>]
             Specifies   minimum   SSL/TLS  protocol  version  that  will 
be
             negotiated.   If  the  server  doesn't  support  at  least 
that
             version,  the  SSL  handshake  will fail.  To require TLS 1.x 
or
             higher, set this option to 3.(x+1), e.g.,

                  TLSProtocolMin 3.2

             would require TLS 1.1.  Specifying a minimum that is higher 
than
             that  supported by the OpenLDAP implementation will result in 
it
             requiring  the  highest  level  that  it  does  support. 
This
             directive is ignored with GnuTLS.

There is not, as far as I know, any way to fine tune things beyond this 
(I.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).

Hope that helps!

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>