9.6. Setting the Encryption Protocol Versions
Update the sslVersionMin and sslVersionMax parameters to set which encryption protocols Directory Server uses.
Important
To always use the strongest supported encryption protocol version in the sslVersionMax parameter, do not set this parameter. See Section 9.6.1, “Automatically Using the Strongest Protocol in the sslVersionMax Parameter”.
For example, to enable only TLS 1.1 and 1.2:
- Update the sslVersionMin and sslVersionMax parameters:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=encryption,cn=config
changetype: modify
replace: sslVersionMin
sslVersionMin: TLS1.1
-
replace: sslVersionMax
sslVersionMax: TLS1.2
- Restart the Directory Server instance:
# systemctl restart dirsrv@instance_name
9.6.1. Automatically Using the Strongest Protocol in the sslVersionMax Parameter
If the sslVersionMax parameter is not set, which is the default, Directory Server uses the strongest supported encryption protocol version for this parameter. This enables you to always have the strongest protocol version enabled after an update.
Identifying if sslVersionMax is Not Set
Even if sslVersionMax is not set, the parameter is returned in a search. To identify if the parameter is not set:
# grep sslVersionMax /etc/dirsrv/slapd-instance_name/dse.ldif
If the command displays no output, the parameter is not set and uses the default, which is the strongest supported encryption protocol.
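An entry-scoped version of the check above, as an added example that is not part of the Red Hat documentation: it reads a dse.ldif file and reports the sslVersionMin and sslVersionMax values stored in the cn=encryption,cn=config entry, matching attribute names case-insensitively. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the TLS bounds stored in a dse.ldif file.
# Only the cn=encryption,cn=config entry is inspected.

# Print "min=<value> max=<value>"; "unset" means the attribute is absent.
tls_bounds() {
    awk '
        BEGIN { min = "unset"; max = "unset" }
        /^$/ { in_entry = 0; next }            # a blank line ends an entry
        tolower($0) ~ /^dn:/ {
            in_entry = (tolower($0) ~ /^dn: *cn=encryption, *cn=config *$/)
            next
        }
        in_entry && tolower($0) ~ /^sslversionmin:/ { sub(/^[^:]*: */, ""); min = $0 }
        in_entry && tolower($0) ~ /^sslversionmax:/ { sub(/^[^:]*: */, ""); max = $0 }
        END { print "min=" min " max=" max }
    ' "$1"
}

# Return 0 when sslVersionMax is unset (the server uses the strongest
# supported protocol), 1 when it is pinned to a fixed version.
max_is_default() {
    case "$(tls_bounds "$1")" in
        *"max=unset") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: one file with a pinned maximum, one without.
sample_dir=$(mktemp -d)
cat > "$sample_dir/pinned.ldif" <<'EOF'
dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2

dn: cn=other,cn=config
cn: other
EOF
grep -iv '^sslVersionMax:' "$sample_dir/pinned.ldif" > "$sample_dir/default.ldif"

for f in pinned default; do
    printf '%s: %s\n' "$f" "$(tls_bounds "$sample_dir/$f.ldif")"
done
```

On a real instance, pass /etc/dirsrv/slapd-instance_name/dse.ldif to tls_bounds instead of the sample files.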
Removing the sslVersionMax Parameter
Remove the sslVersionMax parameter to use its default setting:
- Remove the sslVersionMax parameter:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=encryption,cn=config
changetype: modify
delete: sslVersionMax
- Restart the Directory Server instance:
# systemctl restart dirsrv@instance_name
