On Sun, Nov 14, 2021 at 14:46:44 -0800, Quanah Gibson-Mount wrote:
> Yes. You will need to consult the GnuTLS documentation. The slapd man page
> clearly states that the TLSProtocolMin option is ignored when linked to
> GnuTLS. I generally advise linking to OpenSSL for a number of different
> reasons. I believe with GnuTLS you do this via the TLSCipherSuite option to
> slapd. See also
> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-working_with_cipher_suites_in_gnutls>.
>
> One example from Exim sets the cipher suites to: NORMAL:!VERS-SSL3.0
>
> so that may be of help. See also the slapd.conf(5) man page section on
> TLSCipherSuite for the GnuTLS command line to print out relevant
> information.
>
Another option for GnuTLS is to create an /etc/gnutls/config (or another file
referenced in GNUTLS_SYSTEM_PRIORITY_FILE from slapd's environment), and put
your TLS configuration there, e.g.:

[overrides]
disabled-version = ssl3.0

See https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html
for all configuration options.

Geert
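As an added example (not part of the thread above, and not GnuTLS or OpenLDAP code), the following script audits a GnuTLS system-wide config file of the kind Geert describes and reports which legacy protocol versions are not yet disabled under [overrides]. The list of versions it treats as legacy and the sample file contents are assumptions of the example.

```python
"""Audit a GnuTLS system-wide config (e.g. /etc/gnutls/config) for legacy
protocol versions left enabled. Added example; the sample file below is
constructed, not taken from a real host."""
import re

# Assumed baseline for this check: versions a defender expects to be off.
LEGACY_VERSIONS = ("ssl3.0", "tls1.0", "tls1.1")


def parse_gnutls_config(text):
    """Parse the INI-like GnuTLS config into {section: {key: [values]}}.
    Keys may repeat (GnuTLS allows several disabled-version lines), so each
    key maps to a list rather than a single string."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or malformed line: skip it
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key.lower(), []).append(value.lower())
    return sections


def disabled_versions(text):
    """Set of protocol versions disabled via disabled-version overrides."""
    overrides = parse_gnutls_config(text).get("overrides", {})
    return set(overrides.get("disabled-version", []))


def legacy_versions_still_enabled(text):
    """Legacy versions the config does not explicitly disable."""
    return [v for v in LEGACY_VERSIONS if v not in disabled_versions(text)]


# Constructed sample: the thread's snippet plus one more override.
SAMPLE_CONFIG = """\
# /etc/gnutls/config (constructed example)
[overrides]
disabled-version = ssl3.0
disabled-version = tls1.0
"""

if __name__ == "__main__":
    print("still enabled:", legacy_versions_still_enabled(SAMPLE_CONFIG))
```

Point it at the file named in GNUTLS_SYSTEM_PRIORITY_FILE (or /etc/gnutls/config) to check what slapd will actually load.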
