On Thu, 1 Dec 2016, David Ward <daw...@brocade.com> wrote: > I'm looking for a test method to restrict the level of TLS used with > slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the > undocumented command 'TLSProtocolMin' to require minimum strength. I > would like to disable certain version.
OpenLDAP doesn't provide any way to turn off support for the highest protocol version supported by the OpenSSL it is built against. If you build against a modern OpenSSL, you get TLS 1.2 no matter what. If you need to test client operation against a server that doesn't support TLS 1.2 then you'll need to hack OpenLDAP to disable it, perhaps adding a TLSProtocolMax option to your tree. Philip Guenther