Re: restrict openldap TLS version
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: restrict openldap TLS version
- From: Philip Guenther <pguenther@proofpoint.com>
- Date: Thu, 1 Dec 2016 12:22:27 -0800
- Cc: David Ward <daward@Brocade.COM>, openldap-technical@openldap.org
- In-reply-to: <F73198B65CB0F5DB8B6A7B81@[192.168.1.19]>
- References: <0d06f8d0c0974f7ab9666e350f744e22@BRMWP-EXMB12.corp.brocade.com> <WM!6196eed8ac0be47348da6d7558ba7513e7c536d94d4b60e85b7d18d949ff04ec13aba8d92502b2d1ef432c9fc4f73234!@mailstronghold-1.zmailcloud.com> <F73198B65CB0F5DB8B6A7B81@[192.168.1.19]>
- User-agent: Alpine 2.20 (BSO 67 2015-01-07)
On Thu, 1 Dec 2016, David Ward <daward@Brocade.COM> wrote:
> I'm looking for a test method to restrict the level of TLS used with
> slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the
> undocumented command 'TLSProtocolMin' to require minimum strength. I
> would like to disable certain versions.
OpenLDAP doesn't provide any way to turn off support for the highest
protocol version supported by the OpenSSL it is built against. If you
build against a modern OpenSSL, you get TLS 1.2 no matter what. If you
need to test client operation against a server that doesn't support TLS
1.2 then you'll need to hack OpenLDAP to disable it, perhaps adding a
TLSProtocolMax option to your tree.
Philip Guenther
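Since slapd only offers a floor (TLSProtocolMin takes an SSL/TLS version in major.minor form, e.g. 3.3 for TLS 1.2) and no ceiling, the practical check is to pin each protocol version on the client side and see which handshakes the listener accepts. The script below is an added example, not code from this thread or from the OpenLDAP project. It assumes openssl(1) is on PATH, that slapd serves ldaps:// on the host and port given by the LDAP_HOST and LDAP_PORT environment variables (placeholder names chosen here), and that the function names classify_handshake, probe_version and probe_all are this example's own. With TLSProtocolMin 3.3 in slapd.conf the -tls1 and -tls1_1 probes should come back rejected; the -tls1_2 probe will stay accepted whatever you configure, which is the point Philip makes above.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): probe which TLS
# versions a slapd listener actually negotiates. Assumes openssl(1) is on
# PATH and that slapd serves ldaps:// on $LDAP_HOST:$LDAP_PORT (assumed
# variable names; set them before running).
HOST="${LDAP_HOST:-}"
PORT="${LDAP_PORT:-636}"

# classify_handshake reads openssl s_client output on stdin and prints
# "accepted <version>" or "rejected". A completed handshake shows a
# "Protocol  : TLSvX.Y" line in the SSL-Session block; a refused version
# shows a protocol-version alert, a "wrong version number" error, or a
# "Cipher is (NONE)" summary line.
classify_handshake() {
    awk '
        /^[ \t]*Protocol[ \t]*:[ \t]*(TLS|SSL)v/ { proto = $3 }
        /alert protocol version|wrong version number|Cipher is \(NONE\)/ { fail = 1 }
        END {
            if (proto != "" && !fail) print "accepted " proto
            else print "rejected"
        }'
}

# probe_version runs one handshake attempt pinned to a single protocol
# version. $1 is the s_client flag: -ssl3, -tls1, -tls1_1, -tls1_2, or
# -tls1_3 on OpenSSL 1.1.1 and later. A flag the local openssl does not
# know also yields "rejected", so read the raw output if a result surprises
# you. For StartTLS on 389 add "-starttls ldap" (OpenSSL 1.1.1+).
probe_version() {
    openssl s_client -connect "$HOST:$PORT" "$1" </dev/null 2>&1 | classify_handshake
}

# probe_all prints one line per version, e.g. "-tls1: rejected".
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%s: %s\n' "$flag" "$(probe_version "$flag")"
    done
}

# Only talk to the network when a target was given, so the functions can
# also be sourced and exercised on captured s_client output.
if [ -n "$HOST" ]; then
    probe_all
fi
```

Usage: LDAP_HOST=ldap.example.com sh tls-probe.sh. Because slapd negotiates from the OpenSSL it was built against, the only way to see -tls1_2 rejected on an unpatched 2.4.40 is the source change Philip describes; this script is how you would confirm such a patch actually took effect.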