Commit fbeee4d2 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#7645, #5655 TLSProtocolMin docs

parent 0f4b5bdd
......@@ -413,7 +413,11 @@ If the server doesn't support at least that version,
the SSL handshake will fail.
To require TLS 1.x or higher, set this option to 3.(x+1),
e.g.,
.B TLS_PROTOCOL_MIN 3.2
.nf
TLS_PROTOCOL_MIN 3.2
.fi
would require TLS 1.1.
Specifying a minimum that is higher than that supported by the
OpenLDAP implementation will result in it requiring the
......
......@@ -928,6 +928,23 @@ from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
the SSL handshake will fail.
To require TLS 1.x or higher, set this option to 3.(x+1),
e.g.,
.nf
olcTLSProtocolMin: 3.2
.fi
would require TLS 1.1.
Specifying a minimum that is higher than that supported by the
OpenLDAP implementation will result in it requiring the
highest level that it does support.
This directive is ignored with GnuTLS.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
......
......@@ -1159,6 +1159,23 @@ from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS these parameters are always generated randomly so
this directive is ignored. This directive is ignored when using Mozilla NSS.
.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
the SSL handshake will fail.
To require TLS 1.x or higher, set this option to 3.(x+1),
e.g.,
.nf
TLSProtocolMin 3.2
.fi
would require TLS 1.1.
Specifying a minimum that is higher than that supported by the
OpenLDAP implementation will result in it requiring the
highest level that it does support.
This directive is ignored with GnuTLS.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment