Show Table of Contents
9.6.1. Automatically Using the Strongest Protocol in the
Identifying if
Removing the
9.6. Setting the Encryption Protocol Versions
Update the
sslVersionMin and sslVersionMax parameters to set which encryption protocols Directory Server uses.
Important
To always use the strongest supported encryption protocol version in the
sslVersionMax parameter, do not set this parameter. See Section 9.6.1, “Automatically Using the Strongest Protocol in the sslVersionMax Parameter”.
For example, to enable only TLS 1.1 and 1.2:
- Update the
sslVersionMinandsslVersionMaxparameters:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=encryption,cn=config changetype: modify replace: sslVersionMin sslVersionMin: TLS1.1 - replace: sslVersionMax sslVersionMax: TLS1.2
- Restart the Directory Server instance:
# systemctl restart dirsrv@instance_name
9.6.1. Automatically Using the Strongest Protocol in the sslVersionMax Parameter
If the
sslVersionMax parameter is not set, which is the default, Directory Server uses the strongest supported encryption protocol version for this parameter. This enables you to always have the strongest protocol version enabled after an update.
Identifying if sslVersionMax is Not Set
Even if
sslVersionMax is not set, the parameter is returned in a search. To identify if the parameter is not set:
# grep sslVersionMax /etc/dirsrv/slapd-instance_name/dse.ldif
If the command displays no output, the parameter is not set and uses the default, which is the strongest supported encryption protocol.
Removing the sslVersionMax Parameter
Remove the
sslVersionMax parameter to use its default setting:
- Remove the
sslVersionMaxparameter:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=encryption,cn=config changetype: modify delete: sslVersionMax
- Restart the Directory Server instance:
# systemctl restart dirsrv@instance_name