Yes, along with TLS certs as well.

cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin

TLSProtocolMin 3.2

-Narayanan
From: Nick Folino <[email protected]>
Sent: Wednesday, November 3, 2021 7:14 AM
To: Ballem, Narayanan <[email protected]>
Cc: [email protected]
Subject: Re: [EXT]:Re: OpenLDAP SSLV3 disable

Where in the slapd.conf did you put the tlsprotocolmin statement?

Nick

On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <[email protected]> wrote:
It's RHEL7, OpenLDAP version is 2.4.54 and we use slapd.conf.

Narayanan

________________________________
From: Nick Folino <[email protected]>
Sent: Wednesday, November 3, 2021 6:14:29 AM
To: Ballem, Narayanan <[email protected]>
Cc: [email protected]
Subject: [EXT]:Re: OpenLDAP SSLV3 disable

What version of RHEL?  OpenLDAP?  openssl?
Is your installation using slapd.conf? or is it using cn=config?

Nick

On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <[email protected]> wrote:

Hi Team,

Hope you can help with this issue.

I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as a
proxy with upstream Active Directory servers. We are using CA certs on this
openssl, and we would like to disable SSLv3. Based on an earlier update from the
OpenLDAP technical support team, I added "TLSProtocolMin 3.2" and was able to
restart the slapd service as well without any issue.



However, when we tried to test SSLv3 connectivity, it's still showing SSLv3
enabled.

This OpenLDAP server is built on a RHEL server, locally compiled, and the openssl
rpm/binaries are part of the base RHEL OS image.





cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2

openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1



SSLv3 is insecure, as you know; we are looking to disable this ASAP. Any help in
addressing this is much appreciated.



Thanks

Narayanan

Linux Platform Engineering

500 Staples Drive, Framingham MA

Office:  508-253-6909 | Mobile: 508-333-4395

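An added example, not part of the original thread or of OpenLDAP: a Python check that reads a slapd.conf, decodes the TLSProtocolMin value (3.0 is SSLv3, 3.1 is TLS 1.0, 3.2 is TLS 1.1, 3.3 is TLS 1.2) and reports whether the directive sits before the first database or backend section, which is what Nick's "where in the slapd.conf" question is about. The sample configuration, its paths and host name, and the function names are constructed for illustration.

```python
import re

# Version numbers as written in TLSProtocolMin (3.(x+1) means TLS 1.x).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def logical_lines(text):
    """Yield (line_no, line) with slapd.conf continuation lines unwrapped."""
    cur, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                      # blank line
        if raw[0] in " \t" and cur is not None:
            cur += " " + raw.strip()      # leading whitespace continues previous line
            continue
        if cur is not None:
            yield start, cur
        cur, start = raw.strip(), no
    if cur is not None:
        yield start, cur

def audit_tls_min(text):
    """Report the TLSProtocolMin setting found in the file and its position."""
    out = {"line": None, "minimum": None, "in_global_section": None,
           "sslv3_excluded": False}      # no directive: the file sets no floor
    first_section = None
    for no, line in logical_lines(text):
        if line.startswith("#"):          # comments are dropped after unwrapping
            continue
        parts = line.split()
        key = parts[0].lower()            # directive names are case-insensitive
        if key in ("database", "backend") and first_section is None:
            first_section = no
        m = re.fullmatch(r"(\d+)(?:\.(\d+))?", parts[1]) if len(parts) > 1 else None
        if key == "tlsprotocolmin" and m:
            ver = (int(m.group(1)), int(m.group(2) or 0))
            out.update(line=no, minimum=VERSIONS.get(ver, "unknown %d.%d" % ver),
                       in_global_section=first_section is None,
                       sslv3_excluded=ver > (3, 0))
    return out

# Constructed sample, modelled on the proxy setup described in the thread.
SAMPLE = """\
# TLS settings
TLSCACertificateFile /etc/example/ca.pem
tlsprotocolmin
    3.2
database ldap
uri "ldaps://ad.example.com"
"""

if __name__ == "__main__":
    print(audit_tls_min(SAMPLE))
```

This inspects the file only; the `openssl s_client` test from the thread is still what shows which protocols the running slapd accepts.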