Due to the SSL POODLE vulnerability, it is best to remove support for the outdated SSLv3 protocol. As OpenLDAP with GnuTLS is a beast of its own, here’s the quick change to remove SSLv3 support:
```
cat > nossl.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif
```
And we’re done! Obviously, if you already have olcTLSCipherSuite set, then use “replace” instead of “add”.
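The add-versus-replace choice can be scripted. The following is an added example, not part of the original post: the function names `current_suite` and `build_nossl_ldif` are hypothetical, the sample `ldapsearch` output is constructed, and it assumes slapd is built against GnuTLS so that the attribute holds a priority string.

```shell
#!/bin/sh
# Added example: pick "add" or "replace" for olcTLSCipherSuite.
# Assumption: slapd uses GnuTLS, so the value is a GnuTLS priority string.

# Read `ldapsearch -LLL` output on stdin; print the current value, or nothing.
current_suite() {
    sed -n 's/^olcTLSCipherSuite: //p' | head -n 1
}

# Print the modify LDIF for the given current value ("" when unset).
build_nossl_ldif() {
    current=$1
    if [ -z "$current" ]; then
        op=add
        value='SECURE256:-VERS-SSL3.0'          # the value used on this page
    else
        op=replace
        case $current in
            # Later modifiers win, so only a trailing exclusion counts as done.
            *:-VERS-SSL3.0) value=$current ;;
            # Keep the existing policy and append the SSLv3 exclusion.
            *)              value="$current:-VERS-SSL3.0" ;;
        esac
    fi
    printf 'dn: cn=config\nchangetype: modify\n%s: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' \
        "$op" "$value"
}

# Constructed sample of ldapsearch output for a server that already has a
# suite configured (not captured from a real system).
SAMPLE='dn: cn=config
olcTLSCipherSuite: NORMAL'

# Demo: prints a "replace" LDIF that keeps NORMAL and drops SSLv3.
build_nossl_ldif "$(printf '%s\n' "$SAMPLE" | current_suite)"

# On a live server, feed real data instead of the sample:
#   cur=$(ldapsearch -Q -LLL -o ldif-wrap=no -Y EXTERNAL -H ldapi:/// \
#           -b cn=config -s base olcTLSCipherSuite | current_suite)
#   build_nossl_ldif "$cur" > nossl.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif
```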
A quick test:
```
~# gnutls-cli-debug -p 636 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
```