Where in the slapd.conf did you put the tlsprotocolmin statement?

Nick

On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <
[email protected]> wrote:

> It’s RHEL7, OpenLDAP version is 2.4.54 and we use slapd.conf.
>
> Narayanan
>
> ------------------------------
> *From:* Nick Folino <[email protected]>
> *Sent:* Wednesday, November 3, 2021 6:14:29 AM
> *To:* Ballem, Narayanan <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* [EXT]:Re: OpenLDAP SSLV3 disable
>
> What version of RHEL?  OpenLDAP?  openssl?
> Is your installation using slapd.conf? or is it using cn=config?
>
> Nick
>
> On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <
> [email protected]> wrote:
>
> Hi Team,
>
> Hope you can help with this issue.
>
> I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as
> a proxy with upstream Active Directory servers. We are using CA certs on
> this openssl, and we would like to disable SSLv3. Based on an earlier update
> from the OpenLDAP technical support team, I added “TLSProtocolMin 3.2” and
> was able to restart the slapd service as well without any issue.
>
> However, when we tried to test SSLv3 connectivity, it still shows SSLv3
> enabled.
>
> This OpenLDAP server is built on a RHEL server and locally compiled, and
> the openssl rpm/binaries are part of the base RHEL OS image.
>
> cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
> TLSProtocolMin 3.2
>
> openssl s_client -connect localhost:1636 -ssl3 -quiet
> depth=3 CN = XXX Root Certificate Authority
> verify return:1
>
> SSLv3 is insecure, as you know; we are looking to disable this ASAP. Any
> help in addressing this is much appreciated.
>
> Thanks
>
> *Narayanan*
> *Linux Platform Engineering*
> 500 Staples Drive, Framingham MA
> Office:  508-253-6909 | Mobile: 508-333-4395

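Added example, not part of the thread and not OpenLDAP project code: a check for the placement question above. It reports where each TLSProtocolMin directive sits relative to the first backend/database directive (slapd.conf(5) documents TLS options as global, and global options come before the first database definition) and which protocol the value maps to. The function names and the sample config are constructed for illustration.

```python
import re

# TLSProtocolMin takes <major>[.<minor>] wire versions; 3.0 is SSLv3.
PROTOCOLS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
             (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

def logical_lines(text):
    """Yield (line_no, directive), joining continuation lines (leading
    whitespace) and skipping blank lines and # comments."""
    current, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if current is not None and raw[:1] in (" ", "\t") and raw.strip():
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current = None
        if raw.strip() and not raw.startswith("#"):
            current, start = raw.strip(), no
    if current is not None:
        yield start, current

def audit_tls_protocol_min(text):
    """Return one finding per TLSProtocolMin directive in a slapd.conf."""
    findings, first_db = [], None
    for no, line in logical_lines(text):
        words = line.split()
        key = words[0].lower()  # directive names are case-insensitive
        if key in ("backend", "database") and first_db is None:
            first_db = no       # the global section ends here
        elif key == "tlsprotocolmin":
            value = words[1] if len(words) > 1 else ""
            m = re.fullmatch(r"(\d+)(?:\.(\d+))?", value)
            ver = (int(m.group(1)), int(m.group(2) or 0)) if m else None
            findings.append({
                "line": no, "value": value,
                "minimum": PROTOCOLS.get(ver, "unknown"),
                # assumption: an unparseable value counts as not excluding SSLv3
                "excludes_sslv3": ver is not None and ver > (3, 0),
                "in_global_section": first_db is None,
            })
    return findings

SAMPLE = """# constructed sample, not the poster's file
TLSCACertificateFile /path/to/ca.pem
database ldap
uri ldaps://ad.example.com
TLSProtocolMin 3.2
"""
if __name__ == "__main__":
    print(audit_tls_protocol_min(SAMPLE))
```

A plain grep confirms the directive is present, but not which section of the file it falls in.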