Oops, I was just missing the -H ldapi:/// along with the -Y EXTERNAL. Now the following works (well, with slapd, not with the textarea on this site, WTF? :-( ):

ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV
EOF

%SERVER_PRECEDENCE does fix the "server cipher order" => good

However %FALLBACK_SCSV fails to fix "TLS_FALLBACK_SCSV (RFC 7507)" which now says "some unexpected "handshake failure" instead of "inappropriate fallback" (likely NOT ok)"

Moreover, %SAFE_RENEGOTIATION fails to fix "Secure Client-Initiated Renegotiation", it still says VULNERABLE (NOT ok), DoS threat. Or maybe, there's a different setting needed for that?

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591681

Title:
  Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd
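
A read-back check for the change in the comment above, as an added example that is not part of the original bug comment or of OpenLDAP: it extracts olcTLSCipherSuite from LDIF output and reports which expected GnuTLS priority keywords are absent, which separates "the setting was not stored" from "the setting was stored but the scanner result did not change". The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm what slapd stored in
# cn=config before interpreting scanner results.
# Live use (assumes root on the slapd host, as in the comment above):
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
#       olcTLSCipherSuite | tls_priority_from_ldif

# Unfold LDIF (a continuation line starts with one space) and print the
# value of olcTLSCipherSuite. Base64 ("::") values are not decoded.
tls_priority_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }    # folded continuation
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | sed -n 's/^olcTLSCipherSuite: *//p'
}

# Print each expected keyword that is not a token of the colon-separated
# priority string. Tokens are compared exactly, not as substrings.
missing_keywords() {
    prio=$1; shift
    for kw in "$@"; do
        case ":$prio:" in
            *":$kw:"*) ;;
            *) printf '%s\n' "$kw" ;;
        esac
    done
}

# Constructed sample: ldapsearch-style output with the value folded
# across two lines, as LDIF does for long lines.
sample_ldif() {
    cat <<'EOF'
dn: cn=config
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDE
 NCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV

EOF
}

stored=$(sample_ldif | tls_priority_from_ldif)
echo "stored priority string: $stored"
absent=$(missing_keywords "$stored" \
    %SERVER_PRECEDENCE %SAFE_RENEGOTIATION %FALLBACK_SCSV)
[ -z "$absent" ] && echo "all expected keywords stored" \
    || echo "missing: $absent"
```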
