From fbeee4d27f447ab3418c2ac69f7c178493ce8a24 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 29 Jul 2013 06:50:18 -0700 Subject: [PATCH] ITS#7645, #5655 TLSProtocolMin docs --- doc/man/man5/ldap.conf.5 | 6 +++++- doc/man/man5/slapd-config.5 | 17 +++++++++++++++++ doc/man/man5/slapd.conf.5 | 17 +++++++++++++++++ 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index c0bdfac5b1..7f5bc64711 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -413,7 +413,11 @@ If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g., -.B TLS_PROTOCOL_MIN 3.2 + +.nf + TLS_PROTOCOL_MIN 3.2 +.fi + would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 5602851256..af8beb33a7 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -928,6 +928,23 @@ from the default, otherwise no certificate exchanges or verification will be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP +.B olcTLSProtocolMin: [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + olcTLSProtocolMin: 3.2 +.fi + +would require TLS 1.1. +Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This directive is ignored with GnuTLS. +.TP .B olcTLSRandFile: Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 8eb1dc9d29..70116df6ca 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1159,6 +1159,23 @@ from the default, otherwise no certificate exchanges or verification will be done. When using GnuTLS these parameters are always generated randomly so this directive is ignored. This directive is ignored when using Mozilla NSS. .TP +.B TLSProtocolMin [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + TLSProtocolMin 3.2 +.fi + +would require TLS 1.1. +Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This directive is ignored with GnuTLS. +.TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. -- 2.39.5