> Date: Thu, 23 Oct 2014 11:59:10 +0900
> From: [email protected]
> To: [email protected]
> Subject: Re: Redhat LDAP Client Issues when disabling SSLv3
>
> At Wed, 22 Oct 2014 16:54:24 -0500,
> Peter Boguszewski wrote:
> > Thanks for the quick response. I was also messing with the
> > olcTLSProtocolMin settings and seeing similar issues (which are now
> > verified by your answer). It appears as though RHEL 6.x does not support
> > TLS1.1 nor TLS1.2 with the yum installed packages.
>
> OpenLDAP in RHEL 6.x is version 2.4.23 that has a bug, ITS#7645.
> (See http://www.openldap.org/its/index.cgi?findid=7645)
>
> You must set olcTLSProtocolMin to 769 instead of 3.1
> for OpenLDAP 2.4.35 and older.
>
> > > Cipher suites are not protocol versions. To configure slapd to only
> > > negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
> > > in slapd-config(5).
>
> --
> -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
> -- Business Home: http://www.OSSTech.co.jp/
> -- GitHub Home: https://GitHub.com/fumiyas/
> -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
>
Thank you Satoh.
I can confirm setting olcTLSProtocolMin 3.1 disabled SSLv3 in the RHEL
openldap-2.4.39-8 package.
However, setting olcTLSProtocolMin 769 on openldap-2.4.23-34.el6_5.1 still
allows a successful SSLv3 handshake. Also, olcTLSProtocolMin is not even
documented in the slapd.conf man pages for this version.
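The two value forms discussed in this thread (3.1 for current releases, 769 for 2.4.35 and older per ITS#7645), put into a script as an added example; this is not code from the thread or from the OpenLDAP project. It assumes the integer form is major*256+minor (the thread only gives 3.1 = 769; 770 and 771 for TLS 1.1/1.2 are derived from that assumption), that the slapd version is passed as "2.4.N" (a package suffix such as -34.el6_5.1 is stripped), and that the local openssl still supports -ssl3 for the probe. Since the last message above reports 769 having no effect on openldap-2.4.23-34.el6_5.1, the probe is the part to rely on: check the listener rather than trusting the setting.

```shell
#!/bin/sh
# Added example: pick the olcTLSProtocolMin value form the installed slapd
# parses, emit the cn=config LDIF, and probe whether SSLv3 is really refused.

# proto_min_value MAJOR MINOR SLAPD_VERSION
# Assumption: 2.4.35 and older (ITS#7645) read the value as one integer,
# MAJOR*256+MINOR (3.1 -> 769); 2.4.36 and newer accept "MAJOR.MINOR".
proto_min_value() {
  major=$1; minor=$2; ver=$3
  ver=${ver%%-*}            # drop a distro suffix like -34.el6_5.1
  base=${ver%.*}            # "2.4"
  patch=${ver##*.}          # "23", "39", ...
  if [ "$base" = "2.4" ] && [ "$patch" -le 35 ]; then
    echo $((major * 256 + minor))
  else
    echo "$major.$minor"
  fi
}

# proto_min_ldif MAJOR MINOR SLAPD_VERSION -> LDIF for ldapmodify
proto_min_ldif() {
  printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' \
    "$(proto_min_value "$1" "$2" "$3")"
}

# probe_sslv3 HOST PORT -> returns 0 if an SSLv3 handshake is refused,
# 1 if the server still negotiates SSLv3 (needs openssl built with SSLv3).
probe_sslv3() {
  if openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>/dev/null \
       | grep -q 'Protocol *: SSLv3'; then
    return 1
  fi
  return 0
}

# Usage: sh tlsmin.sh SLAPD_VERSION HOST PORT
# Sets a TLS 1.0 floor over ldapi:/// (EXTERNAL auth, run as root), then
# checks that HOST:PORT no longer completes an SSLv3 handshake.
if [ $# -eq 3 ]; then
  proto_min_ldif 3 1 "$1" | ldapmodify -Y EXTERNAL -H ldapi:///
  if probe_sslv3 "$2" "$3"; then
    echo "SSLv3 refused by $2:$3"
  else
    echo "SSLv3 still accepted by $2:$3 (setting not in effect)" >&2
    exit 1
  fi
fi
```

Run it with the version from `rpm -q openldap-servers` and the ldaps listener to verify; a client-side test with `openssl s_client -ssl3` is the only evidence that matters, since a value slapd silently ignores looks identical in cn=config to one it honours.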