I'll just assume it's in the right location in the file as it doesn't error out.
If it's in the correct location of the conf file that you're loading then it should work.
Have you checked with RedHat to make sure they haven't messed with it?
They're famous for that.
As an alternative you can compile it yourself.

Nick

On Wed, Nov 3, 2021 at 1:14 PM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:

Yes, along with TLS certs as well.

cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2

-Narayanan

From: Nick Folino <nick@folino.us>
Sent: Wednesday, November 3, 2021 7:14 AM
To: Ballem, Narayanan <Narayanan.Ballem@Staples.com>
Cc: openldap-technical@openldap.org
Subject: Re: [EXT]:Re: OpenLDAP SSLV3 disable

Where in the slapd.conf did you put the tlsprotocolmin statement?

Nick

On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:

It’s RHEL 7, OpenLDAP version is 2.4.54, and we use slapd.conf.

Narayanan

From: Nick Folino <nick@folino.us>
Sent: Wednesday, November 3, 2021 6:14:29 AM
To: Ballem, Narayanan <Narayanan.Ballem@Staples.com>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: [EXT]:Re: OpenLDAP SSLV3 disable

What version of RHEL?  OpenLDAP?  openssl?

Is your installation using slapd.conf, or is it using cn=config?

Nick

On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:

 

 

Hi Team,

Hope you can help with this issue.

I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as a proxy with upstream Active Directory servers. We are using CA certs on this openssl, and we would like to disable SSLv3. Based on an earlier update from the OpenLDAP technical support team, I added “TLSProtocolMin 3.2” and was able to restart the slapd service as well without any issue.

However, when we tried to test SSLv3 connectivity, it’s still showing SSLv3 enabled.

This OpenLDAP server is built on a RHEL server and locally compiled, and the openssl rpm/binaries are part of the base RHEL OS image.

cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2

openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1

SSLv3 is insecure, as you know, and we are looking to disable this ASAP. Any help in addressing this is much appreciated.

Thanks
Narayanan
Linux Platform Engineering
500 Staples Drive, Framingham MA
Office:  508-253-6909 | Mobile: 508-333-4395

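An added illustration of the placement question raised in this thread (not part of any poster's message and not OpenLDAP project code): a shell check that reports which line carries TLSProtocolMin, whether it precedes the first backend/database definition, and which protocol floor the value requests. The function names and the sample config are constructed; the script assumes the slapd.conf(5) layout of global options before backend/database sections and its 3.(x+1) = TLS 1.x version mapping.

```shell
#!/bin/sh
# Added example (not from the thread): report where TLSProtocolMin sits in a
# slapd.conf-style file and which protocol floor its value requests.

# Constructed sample config; paths and suffix are made up for illustration.
constructed_sample() {
    cat <<'EOF'
# constructed sample, not the poster's file
include /etc/openldap/schema/core.schema
TLSProtocolMin 3.2
database ldap
suffix "dc=example,dc=com"
EOF
}

# check_tls_protocol_min FILE   (FILE may be "-" for stdin)
# Prints status=global|after-database|missing plus line, value and minimum.
# Returns 0 only when the directive is in the global section and above SSLv3.
check_tls_protocol_min() {
    awk '
        # Skip blank lines, comments, and continuation lines (leading blank).
        /^$/ || /^#/ || /^[ \t]/ { next }
        {
            key = tolower($1)    # slapd.conf keywords are case-insensitive
            if (!first_db && (key == "database" || key == "backend")) first_db = NR
            if (key == "tlsprotocolmin") { line = NR; value = $2 }  # keep last seen
        }
        END {
            if (!line) { print "status=missing"; exit 1 }
            n = split(value, v, ".")
            major = v[1] + 0
            minor = (n > 1) ? v[2] + 0 : 0
            # slapd.conf(5): 3.0 is SSLv3, 3.(x+1) requires TLS 1.x.
            if (major == 3 && minor == 0) proto = "SSLv3"
            else if (major == 3 && minor >= 1 && minor <= 4) proto = "TLSv1." (minor - 1)
            else proto = "unknown"
            pos = (first_db && line > first_db) ? "after-database" : "global"
            printf "status=%s line=%d value=%s minimum=%s\n", pos, line, value, proto
            exit ((pos == "global" && proto != "SSLv3" && proto != "unknown") ? 0 : 1)
        }
    ' "${1:--}"
}

# Demo on the constructed sample.
constructed_sample | check_tls_protocol_min -
```

The check only reads the file it is given, so it should be pointed at the configuration file the running slapd was actually started with.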