Where in the slapd.conf did you put the tlsprotocolmin statement?

Nick

On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:
It’s RHEL 7, the OpenLDAP version is 2.4.54, and we use slapd.conf.

Narayanan

From: Nick Folino <nick@folino.us>
Sent: Wednesday, November 3, 2021 6:14:29 AM
To: Ballem, Narayanan <Narayanan.Ballem@Staples.com>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: [EXT]:Re: OpenLDAP SSLV3 disable

What version of RHEL?  OpenLDAP?  openssl?
Is your installation using slapd.conf? or is it using cn=config?

Nick

On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:

Hi Team,

Hope you can help with this issue.

I am trying to disable SSLv3 on OpenLDAP servers; we are using OpenLDAP as a proxy with upstream Active Directory servers. We are using CA certs with this openssl and would like to disable SSLv3. Based on an earlier update from the OpenLDAP technical support team, I added “TLSProtocolMin 3.2” and was able to restart the slapd service as well without any issue.

However, when we tried to test SSLv3 connectivity, it still shows SSLv3 enabled.

This OpenLDAP server is built on a RHEL server, locally compiled, and the openssl rpm/binaries are part of the base RHEL OS image.

cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2

openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1


SSLv3 is insecure, as you know, and we are looking to disable this ASAP. Any help in addressing this is much appreciated.

Thanks

Narayanan

Linux Platform Engineering

500 Staples Drive, Framingham MA

Office:  508-253-6909 | Mobile: 508-333-4395
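Added example, not from this thread or from the OpenLDAP project: a small shell check for the two things under discussion, where a TLSProtocolMin line sits relative to the first database definition in slapd.conf (the question asked at the top of the thread) and what its value names, plus a wrapper for the s_client probe the original post used. The sample config, the paths reused from the post, and the choice to flag a directive placed after a `database` line are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from this thread: check where a TLSProtocolMin line sits
# in slapd.conf relative to the first "database" definition, translate its
# value, and (optionally) probe one protocol the way the original post did.

# TLSProtocolMin takes <major>.<minor> as in slapd.conf(5): 3.1 is TLS 1.0,
# 3.2 is TLS 1.1, 3.3 is TLS 1.2; 3.0 (SSLv3) and 3.4 (TLS 1.3) follow suit.
tls_version_name() {
  case "$1" in
    3.0) echo "SSLv3" ;;    3.1) echo "TLSv1.0" ;;
    3.2) echo "TLSv1.1" ;;  3.3) echo "TLSv1.2" ;;
    3.4) echo "TLSv1.3" ;;  *)   echo "unknown" ;;
  esac
}

# Reads slapd.conf on stdin. Prints "global <value>" when the directive comes
# before the first database definition (the global section), "scoped <value>"
# when it comes after one, and "missing" when no such line exists.
tls_min_scope() {
  awk '
    tolower($1) == "database" && !db        { db = NR }
    tolower($1) == "tlsprotocolmin" && !tls { tls = NR; val = $2 }
    END {
      if (!tls) { print "missing"; exit }
      where = (db && tls > db) ? "scoped " : "global "
      print where val
    }'
}

# Exit status 0 means the server completed a handshake with that protocol.
# Non-zero also occurs when this openssl build lacks the option (e.g. -ssl3
# compiled out), so confirm with the "Protocol" line of non-quiet output.
probe_proto() {  # usage: probe_proto HOST PORT ssl3|tls1|tls1_1|tls1_2
  openssl s_client -connect "$1:$2" -"$3" </dev/null >/dev/null 2>&1
}

# Constructed sample (paths borrowed from the post) with the directive placed
# after a database definition, the case the follow-up question is probing.
SAMPLE_CONF='include /opt/dirsvcs/etc/openldap/schema/core.schema
TLSCertificateFile /opt/dirsvcs/etc/openldap/certs/server.pem
database ldap
suffix "dc=example,dc=com"
TLSProtocolMin 3.2'

scope=$(printf '%s\n' "$SAMPLE_CONF" | tls_min_scope)
scope_word=${scope%% *}
scope_val=${scope#* }
echo "TLSProtocolMin is $scope_word; value $scope_val means $(tls_version_name "$scope_val")"
```

Run it against the real file with `tls_min_scope < /opt/dirsvcs/etc/openldap/slapd.conf`; `probe_proto` needs a reachable listener and is not exercised by the sample.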