I'll just assume it's in the right location in the file as it doesn't error
out.
If it's in the correct location of the conf file that you're loading then
it should work.
Have you checked with RedHat to make sure they haven't messed with it?
They're famous for that.
As an alternative you can compile it yourself.

Nick

On Wed, Nov 3, 2021 at 1:14 PM Ballem, Narayanan <
[email protected]> wrote:

> Yes along with TLS certs as well.
>
>
>
> cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
>
> TLSProtocolMin 3.2
>
>
>
> -Narayanan
>
> *From:* Nick Folino <[email protected]>
> *Sent:* Wednesday, November 3, 2021 7:14 AM
> *To:* Ballem, Narayanan <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [EXT]:Re: OpenLDAP SSLV3 disable
>
>
>
> Where in the slapd.conf did you put the tlsprotocolmin statement?
>
>
>
> Nick
>
>
>
> On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <
> [email protected]> wrote:
>
> It’s RHEL 7, the OpenLDAP version is 2.4.54, and we use slapd.conf.
>
>
>
> Narayanan
>
>
>
> ------------------------------
>
> *From:* Nick Folino <[email protected]>
> *Sent:* Wednesday, November 3, 2021 6:14:29 AM
> *To:* Ballem, Narayanan <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* [EXT]:Re: OpenLDAP SSLV3 disable
>
>
>
> What version of RHEL?  OpenLDAP?  openssl?
>
> Is your installation using slapd.conf? or is it using cn=config?
>
>
>
> Nick
>
>
>
> On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <
> [email protected]> wrote:
>
>
>
>
>
> Hi Team,
>
>
>
> Hope you can help with this issue.
>
>
>
> I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as
> a proxy with upstream Active Directory servers. We are using CA certs on
> this openssl, and we would like to disable SSLv3. Based on an earlier update
> from the OpenLDAP Technical support team, I added “TLSProtocolMin 3.2” and
> was able to restart the slapd service without any issue.
>
>
>
> However, when we tried to test SSLv3 connectivity, it’s still showing SSLv3
> enabled.
>
> This OpenLDAP server is built on a RHEL server, locally compiled, and the
> openssl rpm/binaries are part of the base RHEL OS image.
>
>
>
>
>
> cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
>
> TLSProtocolMin 3.2
>
>
>
> openssl s_client -connect localhost:1636 -ssl3 -quiet
>
> depth=3 CN = XXX Root Certificate Authority
>
> verify return:1
>
>
>
> SSLv3 is insecure, as you know, and we are looking to disable this ASAP.
> Any help in addressing this is much appreciated.
>
>
>
> Thanks
>
> *Narayanan*
>
> *Linux Platform Engineering*
>
> 500 Staples Drive, Framingham MA
>
> Office:  508-253-6909 | Mobile: 508-333-4395
>
>
>
>
>
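The placement question raised in this thread can be checked mechanically. The following is an added example, not code from any poster or from the OpenLDAP project: it parses slapd.conf text, reports each TLSProtocolMin directive with the section it sits in, and decodes the value. It assumes the directive belongs in the global section, before the first backend or database line; the sample config and the function names are constructed for illustration.

```python
import re

# slapd.conf(5): "TLSProtocolMin 3.(x+1)" requires TLS 1.x or higher; 3.0 is SSLv3.
PROTOCOLS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
             (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}

def logical_lines(text):
    """Yield (first_line_no, text) with slapd.conf continuation lines folded in."""
    pending = None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and pending:
            # A line starting with whitespace continues the previous line.
            pending = (pending[0], pending[1] + " " + raw.strip())
            continue
        if pending:
            yield pending
        pending = (no, raw.strip())
    if pending:
        yield pending

def audit_tls_protocol_min(conf_text):
    """Report every TLSProtocolMin directive, its section and what it permits."""
    section, findings = "global", []
    for no, line in logical_lines(conf_text):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment (comments are dropped after folding)
        key = words[0].lower()  # directive names are matched case-insensitively
        if key in ("backend", "database"):
            section = " ".join(words[:2]).lower()
        elif key == "tlsprotocolmin" and len(words) > 1:
            m = re.fullmatch(r"(\d+)(?:\.(\d+))?", words[1])
            ver = (int(m.group(1)), int(m.group(2) or 0)) if m else None
            findings.append({
                "line": no, "section": section, "value": words[1],
                "minimum": PROTOCOLS.get(ver, "unrecognised"),
                "in_global_section": section == "global",
                "sslv3_excluded": ver is not None and ver > (3, 0),
            })
    return findings

# Constructed sample config (not the poster's file); paths are placeholders.
SAMPLE = """# constructed sample
TLSCACertificateFile /path/to/ca.pem
tlsprotocolmin 3.2

database ldap
suffix "dc=example,dc=com"
TLSProtocolMin 3.0
"""

if __name__ == "__main__":
    for finding in audit_tls_protocol_min(SAMPLE):
        print(finding)
```

A clean result only describes the file that was parsed; the `openssl s_client ... -ssl3` test from the thread is still what shows which protocols the running slapd accepts.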
