It’s rhel7 , openldap version is 2.4.54 and we use slapd.conf. Narayanan Get Outlook for iOS<https://aka.ms/o0ukef> ________________________________ From: Nick Folino <nick(a)folino.us&gt; Sent: Wednesday, November 3, 2021 6:14:29 AM To: Ballem, Narayanan <Narayanan.Ballem(a)Staples.com&gt; Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org&gt; Subject: [EXT]:Re: OpenLDAP SSLV3 disable What version of RHEL? OpenLDAP? openssl? Is your installation using slapd.conf? or is it using cn=config? Nick On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <Narayanan.Ballem@staples.com<mailto:Narayanan.Ballem@staples.com>> wrote: HI Team, Hope you can help with this issue. I am trying to disable SSLV3 on OpenLDAP servers we are using OpenLDAP as a proxy with upstream Active directory servers. we are using CA certs on this openssl we would like to disable SSLV3. Based on earlier update from OpenLdap Technical support team, I added “TLSProtocolMin 3.2” and able to restart slapd service as well without any issue. However when we tried to test SSLV3 connectivity it’s still showing SSLv3 enabled . This OpenLDAP server built on RHEL server with locally compiled and openssl rpm/binaries are part of base RHEL OS image. cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin TLSProtocolMin 3.2 openssl s_client -connect localhost:1636 -ssl3 -quiet depth=3 CN = XXX Root Certificate Authority verify return:1 SSLV3 is insecure as you know we are looking to disable this asap . Any help in addressing this much appreciated. Thanks Narayanan Linux Platform Engineering 500 Staples Drive, Framingham MA Office: 508-253-6909 | Mobile: 508-333-4395 [signature_1767107679]

Yes along with TLS certs as well. cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin TLSProtocolMin 3.2 -Narayanan From: Nick Folino <nick(a)folino.us&gt; Sent: Wednesday, November 3, 2021 7:14 AM To: Ballem, Narayanan <Narayanan.Ballem(a)Staples.com&gt; Cc: openldap-technical(a)openldap.org Subject: Re: [EXT]:Re: OpenLDAP SSLV3 disable Where in the slapd.conf did you put the tlsprotocolmin statement? Nick On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <Narayanan.Ballem@staples.com<mailto:Narayanan.Ballem@staples.com>> wrote: It's rhel7 , openldap version is 2.4.54 and we use slapd.conf. Narayanan Get Outlook for iOS<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2F... ________________________________ From: Nick Folino <nick@folino.us<mailto:nick@folino.us>> Sent: Wednesday, November 3, 2021 6:14:29 AM To: Ballem, Narayanan <Narayanan.Ballem@Staples.com<mailto:Narayanan.Ballem@Staples.com>> Cc: openldap-technical@openldap.org<mailto:openldap-technical@openldap.org> <openldap-technical@openldap.org<mailto:openldap-technical@openldap.org>> Subject: [EXT]:Re: OpenLDAP SSLV3 disable What version of RHEL? OpenLDAP? openssl? Is your installation using slapd.conf? or is it using cn=config? Nick On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <Narayanan.Ballem@staples.com<mailto:Narayanan.Ballem@staples.com>> wrote: HI Team, Hope you can help with this issue. I am trying to disable SSLV3 on OpenLDAP servers we are using OpenLDAP as a proxy with upstream Active directory servers. we are using CA certs on this openssl we would like to disable SSLV3. Based on earlier update from OpenLdap Technical support team, I added "TLSProtocolMin 3.2" and able to restart slapd service as well without any issue. However when we tried to test SSLV3 connectivity it's still showing SSLv3 enabled . This OpenLDAP server built on RHEL server with locally compiled and openssl rpm/binaries are part of base RHEL OS image. cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin TLSProtocolMin 3.2 openssl s_client -connect localhost:1636 -ssl3 -quiet depth=3 CN = XXX Root Certificate Authority verify return:1 SSLV3 is insecure as you know we are looking to disable this asap . Any help in addressing this much appreciated. Thanks Narayanan Linux Platform Engineering 500 Staples Drive, Framingham MA Office: 508-253-6909 | Mobile: 508-333-4395 [signature_1767107679]

--On Tuesday, November 2, 2021 11:38 PM +0000 "Ballem, Narayanan" <Narayanan.Ballem(a)Staples.com&gt; wrote: I am unable to reproduce this on RHEL7. With no TLS protocol min set: openssl s_client -connect localhost:636 -ssl3 -quiet depth=0 CN = c7rpmtest verify error:num=18:self signed certificate verify return:1 depth=0 CN = c7rpmtest verify error:num=10:certificate has expired notAfter=Aug 12 23:14:52 2020 GMT verify return:1 depth=0 CN = c7rpmtest notAfter=Aug 12 23:14:52 2020 GMT verify return:1 With TLS protocol min set to 3.2 or 3.3: # openssl s_client -connect localhost:636 -ssl3 -quiet 140008023218064:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659: It appears you are modifying slapd.conf, while the default RHEL7 packages use cn=config, so modifications made to a slapd.conf file would have no effect if cn=config is in use. As an aside I would note that OpenLDAP 2.4.54 is rather old and that the 2.4 release series is historic and no longer supported. You may wish to avail yourself of the free replacement packages for RHEL7 that are provided by Symas at <https://repo.symas.com/soldap/> which are linked to a current release of OpenSSL vs the ancient RHEL7 openssl, and are also for the current supported OpenLDAP 2.6 release series. If you are insistent on using the historic unsupported OpenLDAP 2.4 release, we also have free replacement packages providing OpenLDAP 2.4.59 on RHEL7 at <https://repo.symas.com/sofl/rhel7/>;. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>