Re: How to configure OpenLDAP on Debian Stretch to support SSLv3.0

On Tue, Jul 02, 2019 at 09:36:25AM -0700, Quanah Gibson-Mount wrote:
> b) That the way to do this with GnuTLS is via the TLSCipherSuite setting. The man page directs one to look at the gnutls-cli(1) man page, in particular, the --priority setting.
>
> If we pull up this man page (<https://linux.die.net/man/1/gnutls-cli> for example), there are some examples provided there. Based on those examples, it looks like perhaps something along the lines of:
>
> "NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could set it to something like "NORMAL:+VERS-SSL3.0" or perhaps "EXPORT:+VERS-SSL3.0"

NORMAL:+VERS-SSL3.0 sounds like the right idea. I'd avoid EXPORT unless really, absolutely necessary. Depending on the specific client software you may also have to enable some additional cipher suite(s).

I would also add that you can use gnutls-cli(1) to verify and test your priority strings.

e.g.: gnutls-cli -l --priority 'NORMAL:+VERS-SSL3.0' will show you the ciphers and other features enabled by that priority string, and inform you if the string is not valid.
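
The check described in the message above, as an added shell example that is not part of the original post: it reads the `Protocols:` line of `gnutls-cli -l --priority` output to report which protocol versions a priority string turns on. The helper names and the sample listing are constructed for illustration; real output differs between GnuTLS versions.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise the protocol
# versions that a GnuTLS priority string enables.

# Constructed sample of `gnutls-cli -l --priority` output, trimmed to a few lines.
SAMPLE_LISTING='Cipher suites for NORMAL:+VERS-SSL3.0
Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.2, VERS-DTLS1.0
Compression: COMP-NULL'

# Read a listing on stdin; print one protocol name per line (e.g. VERS-TLS1.2).
list_protocols() {
    sed -n 's/^Protocols:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeed if protocol $1 is an exact entry in the listing on stdin.
has_protocol() {
    list_protocols | grep -qxF -- "$1"
}

# Run gnutls-cli for priority string $1 and summarise the result.
# Returns 2 if gnutls-cli is missing, 1 if it exits non-zero (string rejected).
audit_priority() {
    prio=$1
    command -v gnutls-cli >/dev/null 2>&1 || {
        echo "gnutls-cli not installed" >&2; return 2; }
    listing=$(gnutls-cli -l --priority "$prio" 2>&1) || {
        echo "priority string rejected: $prio" >&2; return 1; }
    echo "Protocols enabled by '$prio':"
    printf '%s\n' "$listing" | list_protocols | sed 's/^/  /'
    if printf '%s\n' "$listing" | has_protocol VERS-SSL3.0; then
        echo "  note: SSL 3.0 is enabled by this string"
    fi
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | list_protocols
```

On a host with gnutls-cli installed, `audit_priority 'NORMAL:+VERS-SSL3.0'` runs the same check against the real listing.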