From: Howard Chu Date: Mon, 29 Jul 2013 13:50:18 +0000 (-0700) Subject: ITS#7645, #5655 TLSProtocolMin docs X-Git-Tag: OPENLDAP_REL_ENG_2_4_36~24 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5f6e1f74a81d00920c9ea94124a1badcd68aad11;p=openldap ITS#7645, #5655 TLSProtocolMin docs --- diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index c0bdfac5b1..7f5bc64711 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -413,7 +413,11 @@ If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g., -.B TLS_PROTOCOL_MIN 3.2 + +.nf + TLS_PROTOCOL_MIN 3.2 +.fi + would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 31643c773e..3a55339e66 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -918,6 +918,23 @@ from the default, otherwise no certificate exchanges or verification will be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP +.B olcTLSProtocolMin: [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + olcTLSProtocolMin: 3.2 +.fi + +would require TLS 1.1. +Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This directive is ignored with GnuTLS. +.TP .B olcTLSRandFile: Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 352cc7ec83..6f13009aee 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1149,6 +1149,23 @@ from the default, otherwise no certificate exchanges or verification will be done. When using GnuTLS these parameters are always generated randomly so this directive is ignored. This directive is ignored when using Mozilla NSS. .TP +.B TLSProtocolMin [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + TLSProtocolMin 3.2 +.fi + +would require TLS 1.1. +Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This directive is ignored with GnuTLS. +.TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket.