guenther+ldapdev@sendmail.com wrote:
It's time for SSL version 2.0 to die:
Yupp!
As a first step, here's a patch against the CVS trunk that adds the ability to set the minimum TLS/SSL protocol from the C API (LDAP_OPT_X_TLS_PROTOCOL_MIN), the ldap.conf (TLS_PROTOCOL_MIN), and the slapd config (TLSProtocolMin/olcTLSProtocolMin). Possible settings are:

C API ldap_[sg]et_option()          ldap.conf/slapd config
LDAP_OPT_X_TLS_PROTOCOL_SSLv2       SSLv2
LDAP_OPT_X_TLS_PROTOCOL_SSLv3       SSLv3
LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0     TLSv1 or TLSv1.0
From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for, isn't it? It's directly passed to OpenSSL and can also be used to enable or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers themselves.
Apache HTTP server does it also that way. See: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
This patch could be necessary if different SSL implementations can be used which have different parameters for this. Still you would have to set other implementation-specific parameters...
Ciao, Michael.
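As an added illustration (not part of guenther's or Michael's messages, and not code from the OpenLDAP project), here are the two approaches under discussion side by side, for ldap.conf on the client and slapd.conf on the server. TLS_CIPHER_SUITE / TLSCipherSuite are existing directives whose value is handed through to OpenSSL's cipher-string parser; TLS_PROTOCOL_MIN / TLSProtocolMin and the value syntax "TLSv1.0" are the directives proposed in the patch quoted above, so they only work with that patch applied. The cipher string itself is a constructed example, not a recommendation taken from the thread.

```conf
# --- ldap.conf (client side) ---

# Existing directive. The string goes straight to OpenSSL's cipher-list
# parser; the protocol keywords in it (SSLv2, SSLv3, TLSv1) select cipher
# suites by the protocol version that introduced them.
TLS_CIPHER_SUITE    HIGH:!SSLv2:!aNULL:!eNULL

# Directive proposed in the patch: refuse to negotiate anything older than
# TLS 1.0, independent of which cipher suites remain enabled above.
TLS_PROTOCOL_MIN    TLSv1.0

# --- slapd.conf (server side) ---

# Same pair of settings for the server; olcTLSCipherSuite / olcTLSProtocolMin
# would be the cn=config equivalents named in the patch description.
TLSCipherSuite      HIGH:!SSLv2:!aNULL:!eNULL
TLSProtocolMin      TLSv1.0
```

The reason both lines appear together: in OpenSSL the cipher string controls which suites are offered, while which protocol versions may be negotiated at all is a separate context option (SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 and friends), and a protocol-minimum setting like the proposed TLSProtocolMin is the natural place to drive those options from the config rather than relying on cipher-suite keywords alone. Apache's mod_ssl likewise keeps the two separate, with SSLCipherSuite next to an SSLProtocol directive.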