--On Thursday, December 01, 2016 6:24 PM +0000 David Ward wrote:

> I'm looking for a test method to restrict the level of TLS used with
> slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the
> undocumented command 'TLSProtocolMin' to require minimum strength. I
> would like to disable certain version.
I'm unclear what you mean by undocumented. It is clearly documented in the
slapd.conf(5) man page (for 2.4.44), which you can freely view on the
       TLSProtocolMin <major>.<minor>
              Specifies minimum SSL/TLS protocol version that will be
              negotiated. If the server doesn't support at least that
              version, the SSL handshake will fail. To require TLS 1.x or
              higher, set this option to 3.(x+1), e.g., TLSProtocolMin 3.2
              would require TLS 1.1. Specifying a minimum that is higher
              than that supported by the OpenLDAP implementation will result in
              it requiring the highest level that it does support. This
              directive is ignored with GnuTLS.
There is not, as far as I know, any way to fine tune things beyond this
(i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Hope that helps!
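The directive above sets a floor, not a list, so the practical procedure is: pick the lowest TLS version you still want to accept, derive the 3.(x+1) value, set it (slapd.conf or the olcTLSProtocolMin attribute on cn=config), and then confirm from a client that every version below the floor is refused. The script below is an added example, not code from the thread or from the OpenLDAP project; the host name ldap.example.com and the script name are placeholders, and the probe assumes slapd is linked against OpenSSL (with GnuTLS the directive is ignored) and that the openssl CLI is installed on the testing machine.

```shell
#!/bin/sh
# Added example: derive TLSProtocolMin from a minimum TLS version, print the
# matching slapd.conf and cn=config settings, and probe a live server.
# Usage: sh tlsmin.sh 1.2 [ldap.example.com:636]   (host is a placeholder)

# TLSProtocolMin carries the record-layer version: TLS 1.x is 3.(x+1),
# so 1.0 -> 3.1, 1.1 -> 3.2, 1.2 -> 3.3 (the 2.4.44 man page rule).
# 3.4 (TLS 1.3) is only honoured by builds that know TLS 1.3; older
# builds clamp to the highest level they support.
tls_protocol_min() {
    case "$1" in
        1.[0-3]) echo "3.$(( ${1#1.} + 1 ))" ;;
        *) echo "unsupported TLS version: $1" >&2; return 1 ;;
    esac
}

# Emit both configuration forms for the chosen floor.
emit_config() {
    v=$(tls_protocol_min "$1") || return 1
    printf 'slapd.conf:\n  TLSProtocolMin %s\n\n' "$v"
    printf 'cn=config (apply with: ldapmodify -Y EXTERNAL -H ldapi:///):\n'
    printf '  dn: cn=config\n  changetype: modify\n'
    printf '  replace: olcTLSProtocolMin\n  olcTLSProtocolMin: %s\n' "$v"
}

# Probe one protocol version against HOST:PORT (ldaps). s_client exits
# non-zero when the handshake is rejected, so the floor is verified when
# every version below it reports "refused" and the floor itself "accepted".
probe() {
    if openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1; then
        echo "$2 accepted by $1"
    else
        echo "$2 refused by $1"
    fi
}

emit_config "${1:-1.2}"
if [ -n "$2" ]; then
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe "$2" "$flag"
    done
fi
```

One caveat when reading the probe output: a modern OpenSSL client may itself refuse to offer TLS 1.0 or 1.1 (for example at the default security level in OpenSSL 3), so a "refused" line is only evidence of the server's floor if the same client can still negotiate that version against an unrestricted server. Check the slapd side with `slapd -d 1` or the server log if the two disagree.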