directory-users mailing list archives

From Ogg <...@sr375.com>
Subject Re: StartTLS enforced
Date Thu, 25 Feb 2016 17:25:47 GMT
Sure, I was aware of this feature. However, it would be nice to see a roadmap to have those
insecure versions actually removed from ApacheDS, e.g. promote better security choices by not
offering obviously broken protocols.


> On Feb 25, 2016, at 9:23 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> 
> On 25/02/16 17:59, Ogg wrote:
>> I also would be interested in the feature. It would also be interesting to deprecate
>> TLS 1.0, TLS 1.1 and SSL any flavor.
> 
> You can actually prohibit the use of ancient versions of SSL/TLS. We
> have added a parameter to do that: ads-enabledProtocols. For instance:
> 
> dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> ads-systemport: 10636
> ads-transportenablessl: true
> ads-transportaddress: localhost
> ads-transportid: ldaps
> ads-needClientAuth: false
> ads-wantClientAuth: true
> ads-enabledCiphers: AAA
> ads-enabledCiphers: BBB
> ads-enabledCiphers: CCC
> ads-enabledCiphers: DDD
> ads-enabledProtocols: TLSv1
> ads-enabledProtocols: TLSv1.1
> ads-enabledProtocols: TLSv1.2
> objectclass: ads-transport
> objectclass: ads-tcpTransport
> objectclass: top
> ads-enabled: true
> 
> 
> enables TLSv1, TLSv1.1 and TLSv1.2. You can just remove the first two
> parameters.
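
Added example, not part of this thread or of ApacheDS itself: a Python audit of a transport entry like the one quoted above, which parses the LDIF, flags which ads-enabledProtocols values are legacy, and emits the LDIF modify that deletes them. The legacy cut-off list and the sample entry are assumptions of the example.

```python
"""Audit an ApacheDS transport entry for legacy SSL/TLS versions and build the
LDIF modify that deletes them, leaving TLSv1.2 (or newer) enabled."""

# Versions to stop offering: an assumption of this example, not an ApacheDS default.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROTO_ATTR = "ads-enabledProtocols"

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr_lowercase: [values]}), unfolding
    continuation lines (leading space). Base64 '::' values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold LDIF continuation line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def legacy_protocols(attrs):
    """Enabled protocol versions that are on the legacy list, in entry order."""
    return [p for p in attrs.get(PROTO_ATTR.lower(), []) if p in LEGACY_PROTOCOLS]

def remove_legacy_ldif(dn, attrs):
    """LDIF 'changetype: modify' deleting each legacy value ('' if none)."""
    legacy = legacy_protocols(attrs)
    if not legacy:
        return ""
    out = [f"dn: {dn}", "changetype: modify"]
    for proto in legacy:
        out += [f"delete: {PROTO_ATTR}", f"{PROTO_ATTR}: {proto}", "-"]
    return "\n".join(out) + "\n"

# Constructed sample modelled on the entry quoted in the reply (ciphers omitted).
SAMPLE_ENTRY = """dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,
 ads-directoryServiceId=default,ou=config
ads-enabledProtocols: TLSv1
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
objectclass: ads-tcpTransport
"""
```

Feeding the output of remove_legacy_ldif() to ldapmodify against the config partition leaves only TLSv1.2 on the ldaps transport.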

