That's unfortunate. I had found the freeradius command that provided that functionality (disable_tlsv1_2 = yes), and was hoping there would be something similar for openldap. The reference to it not being documented was more of a pointer to the thread, where I saw the code snippet for what looked like the feature I needed.
-David
-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@symas.com] Sent: Thursday, December 01, 2016 1:31 PM To: David Ward daward@Brocade.COM; openldap-technical@openldap.org Subject: Re: restrict openldap TLS version
--On Thursday, December 01, 2016 6:24 PM +0000 David Ward daward@Brocade.COM wrote:
Hi David,
I'm looking for a test method to restrict the level of TLS used with slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the undocumented command 'TLSProtocolMin' to require minimum strength. I would like to disable certain versions.
I'm unclear what you mean by undocumented. It is clearly documented in the slapd.conf(5) man page (for 2.4.44), which you can freely view on the OpenLDAP.org website:
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
There is not, as far as I know, any way to fine tune things beyond this (i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Hope that helps!
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
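Once TLSProtocolMin is set, it is worth confirming that the listener really refuses the lower versions rather than trusting the config alone. The following is an added example, not code from this thread or from OpenLDAP: it derives the directive value from the 3.(x+1) rule quoted above and then probes an ldaps:// port one TLS version at a time; the host and port are placeholders.

```python
import socket
import ssl

# TLS 1.x versions as the ssl module names them; TLSVersion is an IntEnum, so
# members compare in protocol order (TLSv1 < TLSv1_1 < TLSv1_2 < TLSv1_3).
TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

def tls_protocol_min(tls_version: str) -> str:
    """Directive value that requires tls_version or higher: TLS 1.x -> 3.(x+1)."""
    if tls_version not in TLS_VERSIONS:
        raise ValueError(f"unsupported TLS version {tls_version!r}")
    minor = int(tls_version.split(".")[1])
    return f"3.{minor + 1}"

def expected_results(min_version: str) -> dict:
    """Handshake outcome per version once slapd enforces min_version or higher."""
    floor = TLS_VERSIONS[min_version]
    return {name: ver >= floor for name, ver in TLS_VERSIONS.items()}

def probe(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """Handshake pinned to exactly one TLS version; True if the server accepts it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only version negotiation is under test here
        ctx.minimum_version = TLS_VERSIONS[version]
        ctx.maximum_version = TLS_VERSIONS[version]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # Caveat: an OpenSSL 3 client may refuse TLS 1.0/1.1 itself, so False there is inconclusive.
        return False

def audit(host: str, port: int, min_version: str) -> dict:
    """Versions whose live result differs from what TLSProtocolMin should enforce."""
    observed = {name: probe(host, port, name) for name in TLS_VERSIONS}
    expected = expected_results(min_version)
    return {name: observed[name] for name in TLS_VERSIONS if observed[name] != expected[name]}

if __name__ == "__main__":
    # Placeholder target (an assumption, not from the thread): an ldaps:// listener.
    print(f"TLSProtocolMin {tls_protocol_min('1.2')}")
    print("mismatches:", audit("ldap.example.invalid", 636, "1.2"))
```

An empty mismatch dict means every version below the configured floor was refused and every version at or above it was accepted.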