--On Thursday, December 01, 2016 6:24 PM +0000 David Ward daward@Brocade.COM wrote:
Hi David,
> I'm looking for a test method to restrict the level of TLS used with slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the undocumented command 'TLSProtocolMin' to require minimum strength. I would like to disable certain versions.
I'm unclear what you mean by undocumented. It is clearly documented in the slapd.conf(5) man page (for 2.4.44), which you can freely view on the OpenLDAP.org website:
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
There is not, as far as I know, any way to fine tune things beyond this (i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Hope that helps!
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
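An added example, not code from the list thread or from the OpenLDAP project: a small POSIX shell script that turns a desired TLS floor such as "1.2" into the 3.(x+1) value the man page describes, prints the resulting slapd.conf line and the equivalent cn=config LDIF (olcTLSProtocolMin), and, given a HOST:PORT, probes a running slapd over ldaps with openssl s_client pinned to one protocol version at a time so you can see which versions are refused. It assumes an OpenSSL-linked slapd (the directive is ignored with GnuTLS, as Quanah notes), an openssl(1) command on the testing host, and a hypothetical ldaps endpoint supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP list thread or the project itself).
# Converts a TLS floor "1.x" into the "3.(x+1)" form TLSProtocolMin expects,
# emits the slapd.conf and cn=config forms, and optionally probes a live
# slapd over ldaps. Assumes an OpenSSL-linked slapd and an openssl(1) CLI;
# HOST:PORT (e.g. ldap.example.com:636) is a hypothetical caller-supplied value.

# Map "1.x" to "3.(x+1)"; fails on anything that is not TLS 1.0 .. 1.3.
tls_min_for() {
  case "$1" in
    1.[0-3]) minor=${1#1.}; printf '3.%s\n' "$((minor + 1))" ;;
    *) return 1 ;;
  esac
}

# slapd.conf form of the directive.
slapd_conf_line() {
  v=$(tls_min_for "$1") || return 1
  printf 'TLSProtocolMin %s\n' "$v"
}

# Equivalent cn=config change, ready for: ldapmodify -Y EXTERNAL -H ldapi:/// -f -
config_ldif() {
  v=$(tls_min_for "$1") || return 1
  printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$v"
}

# openssl s_client flag that pins a single protocol version.
sclient_flag_for() {
  case "$1" in
    1.0) printf '%s\n' -tls1 ;;
    1.1) printf '%s\n' -tls1_1 ;;
    1.2) printf '%s\n' -tls1_2 ;;
    1.3) printf '%s\n' -tls1_3 ;;
    *) return 1 ;;
  esac
}

# Try each version against HOST:PORT over ldaps. s_client exits non-zero when
# the handshake is refused, so with a floor of 1.2 you should see REJECT for
# 1.0 and 1.1 and ACCEPT for 1.2 (and 1.3 if both ends support it).
# Caveat: an openssl build that lacks a version rejects the flag itself
# (unknown option) and also exits non-zero, which reads as REJECT here.
probe() {
  for v in 1.0 1.1 1.2 1.3; do
    if openssl s_client -connect "$1" "$(sclient_flag_for "$v")" </dev/null >/dev/null 2>&1; then
      echo "TLS $v: ACCEPT"
    else
      echo "TLS $v: REJECT"
    fi
  done
}

# With no argument, show the configuration for a TLS 1.2 floor;
# with HOST:PORT, probe that server.
if [ $# -eq 0 ]; then
  slapd_conf_line 1.2
  config_ldif 1.2
else
  probe "$1"
fi
```

For a server that only offers StartTLS on 389 rather than ldaps on 636, the same probe works with `openssl s_client -starttls ldap` on OpenSSL 1.1.1 or newer; older openssl builds have no LDAP StartTLS support in s_client. Remember that the mapping only sets a floor: per the man page there is no way to accept 1.1 and 1.3 while refusing 1.2.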