Sure, I was aware of this feature; however, it would be nice to see a roadmap to have those insecure versions actually removed from ApacheDS, e.g. promote better security choices by not offering obviously broken protocols.
> On Feb 25, 2016, at 9:23 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> On 25/02/16 17:59, Ogg wrote:
>> I also would be interested in the feature. It would also be interesting to
>> deprecate TLS 1.0, TLS 1.1 and SSL of any flavor.
>
> You can actually prohibit the use of ancient versions of SSL/TLS. We
> have added a parameter to do that: ads-enabledProtocols. For instance:
>
> dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> ads-systemport: 10636
> ads-transportenablessl: true
> ads-transportaddress: localhost
> ads-transportid: ldaps
> ads-needClientAuth: false
> ads-wantClientAuth: true
> ads-enabledCiphers: AAA
> ads-enabledCiphers: BBB
> ads-enabledCiphers: CCC
> ads-enabledCiphers: DDD
> ads-enabledProtocols: TLSv1
> ads-enabledProtocols: TLSv1.1
> ads-enabledProtocols: TLSv1.2
> objectclass: ads-transport
> objectclass: ads-tcpTransport
> objectclass: top
> ads-enabled: true
>
> enables TLSv1, TLSv1.1 and TLSv1.2. You can just remove the first two
> parameters.
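As an added illustration of the hardening step described in the quoted message (not code from the thread or from the ApacheDS project), the script below parses a transport entry in LDIF form, reports which enabled protocol versions are considered weak, and emits the LDIF `changetype: modify` record that deletes just those values, leaving TLSv1.2 in place. The sample entry is constructed from the one quoted above (the cipher names AAA..DDD are the placeholders used there); the set of protocol names treated as weak is this example's own assumption, spelled the way JSSE names them.

```python
"""Audit an ApacheDS LDAPS transport entry for weak TLS protocol versions
and build the LDIF modify record that removes them (added example)."""

# Constructed sample, mirroring the entry quoted in the thread.
SAMPLE_LDIF = """\
dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: true
ads-transportaddress: localhost
ads-transportid: ldaps
ads-needClientAuth: false
ads-wantClientAuth: true
ads-enabledCiphers: AAA
ads-enabledCiphers: BBB
ads-enabledCiphers: CCC
ads-enabledCiphers: DDD
ads-enabledProtocols: TLSv1
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: top
ads-enabled: true
"""

# Assumption of this example: protocol versions (JSSE spelling) that an
# LDAPS listener should no longer offer.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOL_ATTR = "ads-enabledProtocols"


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute: [values]}).

    Attribute names are matched case-insensitively, as LDAP does; folded
    continuation lines (leading space) are joined. Base64 ('::') values are
    not handled, since the transport entry has none."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw.strip():
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def weak_protocols_enabled(attrs):
    """Return the enabled protocol versions that are in WEAK_PROTOCOLS."""
    enabled = attrs.get(PROTOCOL_ATTR.lower(), [])
    return [p for p in enabled if p in WEAK_PROTOCOLS]


def hardening_ldif(dn, weak):
    """Build an LDIF change record deleting only the weak protocol values,
    so the remaining values (e.g. TLSv1.2) are untouched."""
    if not weak:
        return ""
    out = [f"dn: {dn}", "changetype: modify", f"delete: {PROTOCOL_ATTR}"]
    out += [f"{PROTOCOL_ATTR}: {p}" for p in weak]
    out.append("-")
    return "\n".join(out) + "\n"


def audit(text):
    """Audit an entry: which weak protocols are on, what stays, and the fix."""
    dn, attrs = parse_ldif_entry(text)
    enabled = attrs.get(PROTOCOL_ATTR.lower(), [])
    weak = weak_protocols_enabled(attrs)
    return {
        "dn": dn,
        "weak": weak,
        "remaining": [p for p in enabled if p not in weak],
        "ldif": hardening_ldif(dn, weak),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    print("weak protocols enabled:", result["weak"])
    print("protocols kept:", result["remaining"])
    print(result["ldif"], end="")
```

The generated record can be applied with any LDIF-capable client against the ApacheDS config partition; because it uses `delete:` with explicit values rather than `replace:`, it never widens the protocol list if the entry already differs from the sample.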
