directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: StartTLS enforced
Date Thu, 25 Feb 2016 17:23:41 GMT
On 25/02/16 17:59, Ogg wrote:
> I also would be interested in the feature. It would also be interesting to deprecate
> TLS 1.0, TLS 1.1 and SSL of any flavor.

You can actually prohibit the use of ancient versions of SSL/TLS. We
have added a parameter to do that: ads-enabledProtocols. For instance:

dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: true
ads-transportaddress: localhost
ads-transportid: ldaps
ads-needClientAuth: false
ads-wantClientAuth: true
ads-enabledCiphers: AAA
ads-enabledCiphers: BBB
ads-enabledCiphers: CCC
ads-enabledCiphers: DDD
ads-enabledProtocols: TLSv1
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: top
ads-enabled: true


enables TLSv1, TLSv1.1 and TLSv1.2. You can just remove the first two
parameters.

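The entry above lists the transport's enabled protocol versions as repeated ads-enabledProtocols values, so auditing a configuration for legacy SSL/TLS means reading multi-valued LDIF attributes rather than grepping for one line. The script below is an added example and not part of the message or of ApacheDS itself: it parses a transport entry (handling LDIF line folding, which is how a long dn line wraps legitimately), reports which enabled protocols are legacy, and emits a hardened copy with only the remaining versions. The set of protocol names treated as legacy (SSLv2Hello, SSLv3, TLSv1, TLSv1.1) is an assumption based on the names the Java TLS stack uses; the sample entry is the one from the message, with the placeholder cipher names kept as-is.

```python
"""Audit an ApacheDS transport entry (LDIF) for legacy SSL/TLS protocol versions.

Added example, not ApacheDS code. Assumes protocol values are spelled as the
Java TLS provider spells them (TLSv1, TLSv1.1, TLSv1.2, ...).
"""
from collections import OrderedDict

# Protocol versions a defender would not want enabled on an ldaps transport:
# SSL of any flavour plus TLS 1.0 and 1.1 (assumed JSSE names, not from the page).
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the ldaps transport entry from the message. The cipher
# names AAA..DDD are the message's own placeholders, not real cipher suites.
SAMPLE_LDIF = """\
dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,
 ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: true
ads-transportaddress: localhost
ads-transportid: ldaps
ads-needClientAuth: false
ads-wantClientAuth: true
ads-enabledCiphers: AAA
ads-enabledCiphers: BBB
ads-enabledCiphers: CCC
ads-enabledCiphers: DDD
ads-enabledProtocols: TLSv1
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: top
ads-enabled: true
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into an OrderedDict of attribute -> list of values.

    Unfolds continuation lines (a line starting with a single space continues
    the previous one) and skips comments and blank lines. Base64 (":: ") and
    URL ("<") values are not handled; this config entry does not use them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: drop the leading space, append
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = OrderedDict()
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def get_attr(attrs, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def audit_protocols(attrs):
    """Return (enabled_protocols, legacy_protocols_found) for the entry."""
    enabled = get_attr(attrs, "ads-enabledProtocols")
    legacy = [p for p in enabled if p in LEGACY_PROTOCOLS]
    return enabled, legacy


def harden_entry(attrs):
    """Return a copy of the entry with legacy ads-enabledProtocols values removed.

    Refuses to produce an entry with no protocol left: with
    ads-transportenablessl set to true, that would leave the listener unable
    to negotiate anything rather than "secure by default".
    """
    hardened = OrderedDict()
    for key, values in attrs.items():
        if key.lower() == "ads-enabledprotocols":
            kept = [v for v in values if v not in LEGACY_PROTOCOLS]
            if not kept:
                raise ValueError("no non-legacy protocol would remain enabled")
            hardened[key] = kept
        else:
            hardened[key] = list(values)
    return hardened


def to_ldif(attrs):
    """Serialise the entry back to LDIF (one 'attr: value' line per value)."""
    return "\n".join(f"{k}: {v}" for k, vals in attrs.items() for v in vals) + "\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    enabled, legacy = audit_protocols(entry)
    print("enabled:", enabled)
    print("legacy :", legacy)
    print(to_ldif(harden_entry(entry)))
```

Run against a real server's exported config entry, the audit step is the useful part; the hardened LDIF is what an ldapmodify of the ads-enabledProtocols values would leave behind, and the ValueError guards the case where every configured version is legacy and a replacement value must be chosen deliberately.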