Chapter 2. Configuring the supported TLS protocol versions

In Red Hat Enterprise Linux 9, all system-wide cryptographic policy profiles define TLS 1.2 as the minimum protocol version, so TLS 1.2 is also the lowest version that Directory Server accepts. If all of your clients support a newer TLS version, you can raise the minimum so that the server refuses older protocol versions entirely.

2.1. Setting the minimum and maximum TLS protocol versions using the command line

You can set both the minimum and the maximum TLS protocol version by using the dsconf command.

Warning

Do not set a maximum TLS protocol version. If you do, the server caps the negotiation at that version, and clients that support a newer version are forced down to an older one than they would otherwise negotiate. If you do not set a maximum, Directory Server always negotiates the strongest version that both the server and the client support.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Optional: Display the TLS protocols that are currently enabled in Directory Server:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
    sslversionmin: TLS1.2
    sslversionmax: TLS1.3
  2. Set the minimum TLS protocol version. For example, to set it to TLS 1.3, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-min="TLS1.3"

    You cannot set --tls-protocol-min to a value lower than TLS 1.2, because TLS 1.2 is the minimum in all RHEL 9 system-wide crypto policy profiles.

  3. Not recommended: Set the maximum TLS protocol version:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-max="TLS1.3"

    If you set --tls-protocol-max to a value lower than --tls-protocol-min, Directory Server raises the maximum to the same value as the minimum.

    To always negotiate the strongest TLS version that both the server and the client support, do not set --tls-protocol-max.

  4. Restart the instance:

    # dsctl instance_name restart

Verification

  1. Display the configured minimum and maximum TLS protocol versions:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
    sslversionmin: TLS1.3
    sslversionmax: TLS1.3
  2. Use the openssl utility to establish a client connection that is restricted to a specific TLS protocol version. The New, TLSv1.3 line confirms that the server negotiated TLS 1.3. A connection restricted to a version below the configured minimum, for example with the -tls1_2 option, must fail with a protocol version alert instead:

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
    ...
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    ...

2.2. Setting the minimum and maximum TLS protocol versions using the web console

You can set both the minimum and the maximum TLS protocol version by using the web console.

Warning

Do not set a maximum TLS protocol version. If you do, the server caps the negotiation at that version, and clients that support a newer version are forced down to an older one than they would otherwise negotiate. If you do not set a maximum, Directory Server always negotiates the strongest version that both the server and the client support.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the Directory Server instance in the web console.

Procedure

  1. Navigate to Server → Security.
  2. Set the minimum TLS protocol version in the Minimum TLS Version field.
  3. Not recommended: Set the maximum TLS protocol version in the Maximum TLS Version field.
  4. Click Save Settings.
  5. Click Actions in the top right corner, and select Restart Instance.

Verification

  • Use the openssl utility to establish a client connection that is restricted to a specific TLS protocol version. The New, TLSv1.3 line confirms that the server negotiated TLS 1.3. A connection restricted to a version below the configured minimum, for example with the -tls1_2 option, must fail with a protocol version alert instead:

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
    ...
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    ...
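The single openssl s_client check in the verification steps of Section 2.1 and Section 2.2 only proves that the configured minimum is accepted; it does not prove that lower versions are refused. The following script is an added example, not part of the Directory Server documentation or the dsconf tooling. It probes every TLS version from 1.0 to 1.3 against the LDAPS port and returns success only when all versions below the configured minimum are rejected and the minimum itself is accepted. The host server.example.com and port 636 are taken from the procedure above; the function names and the classification of openssl output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Directory Server documentation): probe which
# TLS protocol versions an LDAPS endpoint accepts and check them against the
# minimum version configured with dsconf. Host and port are assumptions.

# classify_s_client_output OUTPUT -> prints "accepted" or "rejected".
# A completed handshake makes openssl s_client print a line such as
# "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256"; a refused version prints
# "New, (NONE), Cipher is (NONE)" together with an "alert protocol version".
classify_s_client_output() {
    case $1 in
        *"New, TLSv"*) echo accepted ;;
        *) echo rejected ;;
    esac
}

# tls_probe HOST PORT VERSION -> prints "accepted" or "rejected".
# VERSION is the openssl s_client option name: tls1, tls1_1, tls1_2 or tls1_3.
# Caveat: the client's own crypto policy can refuse an old version before the
# server is even asked, so "rejected" only proves that this client cannot
# negotiate that version with the server. Run the probe from a host whose
# policy still permits the version if you need to prove the server refuses it.
tls_probe() {
    out=$(echo | openssl s_client -connect "$1:$2" "-$3" 2>&1) || true
    classify_s_client_output "$out"
}

# check_min_tls HOST PORT MIN -> exit status 0 when every version below MIN is
# rejected and MIN itself is accepted; prints one result line per version.
check_min_tls() {
    host=$1 port=$2 min=$3
    below_min=1
    rc=0
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        r=$(tls_probe "$host" "$port" "$v")
        printf '%-7s %s\n' "$v" "$r"
        if [ "$v" = "$min" ]; then
            below_min=0
            [ "$r" = accepted ] || rc=1
        elif [ "$below_min" -eq 1 ]; then
            [ "$r" = rejected ] || rc=1
        fi
    done
    return "$rc"
}

# Usage against the server from the procedure, after setting a TLS 1.3 minimum:
#   check_min_tls server.example.com 636 tls1_3
```

Run the check after the instance restart; a non-zero exit status means either that the minimum is not yet in effect (the instance was not restarted) or that a lower version is still being negotiated, which the printed per-version lines make visible.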