Chapter 2. Configuring the supported TLS protocol versions
In Red Hat Enterprise Linux 9, all system-wide crypto policy profiles define TLS 1.2 as the minimum. Therefore, this TLS version is also the minimum in Directory Server. However, if you only have clients which support a newer TLS version, you can set a higher protocol version as minimum to increase the security.
2.1. Setting the minimum and maximum TLS protocol versions using the command line
You can set both the minimum and maximum TLS protocol using the command line.
Do not set a maximum TLS protocol. If you do so, your clients might have to use a weaker TLS protocol than their default standard. If you do not set a maximum TLS version, Directory Server always uses the strongest version that is supported.
Prerequisites
- You enabled TLS encryption in Directory Server.
Procedure
Optional: Display the TLS protocols that are currently enabled in Directory Server:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
sslversionmin: TLS1.2
sslversionmax: TLS1.3
Set the minimum TLS protocol. For example, to set it to TLS 1.3, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-min="TLS1.3"
Note that you cannot set the parameter to a value lower than TLS 1.2, which is the minimum of all RHEL system-wide crypto policy profiles.
Not recommended: Set the highest supported TLS protocol:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-max="TLS1.3"
If you set --tls-protocol-max to a value lower than --tls-protocol-min, then Directory Server sets the maximum protocol to the same value as the minimum. To always use the strongest supported encryption protocol as the maximum supported TLS version, do not set --tls-protocol-max.
Restart the instance:
# dsctl instance_name restart
Verification
Display the supported TLS protocols:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
sslversionmin: TLS1.3
sslversionmax: TLS1.3
Use the openssl utility to establish a secure client connection using a specific TLS protocol:
# echo | openssl s_client -connect server.example.com:636 -tls1_3
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
...
2.2. Setting the minimum and maximum TLS protocol versions using the web console
You can set both the minimum and maximum TLS protocol using the web console.
Do not set a maximum TLS protocol. If you do so, your clients might have to use a weaker TLS protocol than their default standard. If you do not set a maximum TLS version, Directory Server always uses the strongest version that is supported.
Prerequisites
- You enabled TLS encryption in Directory Server.
- You are logged in to the Directory Server instance in the web console.
Procedure
- Navigate to Server → Security.
- Set the minimum TLS protocol in the Minimum TLS Version field.
- Not recommended: Set the highest supported TLS protocol in the Maximum TLS Version field.
- Click Save Settings.
- Click Actions in the top right corner, and select Restart Instance.
Verification
Use the openssl utility to establish a secure client connection using a specific TLS protocol:
# echo | openssl s_client -connect server.example.com:636 -tls1_3
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
...
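The verification steps in sections 2.1 and 2.2 check one protocol version by hand. The following script, an added example that is not part of the Red Hat documentation, probes every TLS version against the LDAPS port and reports what the server negotiated, so that a raised minimum (for example TLS1.3) can be confirmed to refuse older versions. It assumes openssl is installed, the server host is passed as the first argument, and port 636 unless a second argument is given; the s_client output samples are constructed.

```bash
#!/bin/bash
# Added example (not from the Red Hat documentation): probe which TLS
# protocol versions an LDAPS server accepts. Assumes openssl is installed.

# Extract the negotiated protocol ("TLSv1.2", "TLSv1.3" or "none") from
# openssl s_client output. The "New, TLSv1.x, Cipher is ..." line is only
# printed after a successful handshake; a refused version shows "(NONE)".
negotiated_protocol() {
    local output="$1"
    local proto
    proto=$(printf '%s\n' "$output" | sed -n 's/^New, \(TLSv1\.[0-9]\), Cipher is .*/\1/p' | head -n 1)
    if [ -z "$proto" ]; then
        echo "none"
    else
        echo "$proto"
    fi
}

# Attempt a handshake restricted to one protocol version (flag as accepted
# by openssl s_client, e.g. -tls1_2) and print the negotiated protocol.
probe_version() {
    local host="$1" port="$2" flag="$3"
    local output
    output=$(echo | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null) || true
    negotiated_protocol "$output"
}

# With sslversionmin set to TLS1.3, only the -tls1_3 probe should succeed;
# every other line should read "none".
probe_all() {
    local host="$1" port="${2:-636}"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s -> %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Constructed samples of s_client output, used to exercise the parser offline.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit'
SAMPLE_REFUSED='CONNECTED(00000003)
error:0A000102:SSL routines::unsupported protocol
New, (NONE), Cipher is (NONE)'

# Run the live probe only when a host is given on the command line.
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-636}"
fi
```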