When running a Policy Server, how can the use of TLSv1.2 be enforced for the connection to the backend LDAP Policy or User Stores?
How can SSL debug logging also be enabled when connecting to this LDAP Directory?
In an SSL handshake, the protocol version is chosen by the server from the versions the client offers.
In the case of the Policy Server connecting to the LDAP User Store, the LDAP User Store is the server and the Policy Server is the client.
So the Policy Server tells the LDAP User Store which versions of TLS it can handle; for version 12.8SP3, for instance, these are TLSv1.0, TLSv1.1, and TLSv1.2.
The LDAP User Directory then selects the version and sends its certificate (1).
To see which protocol is supported by the LDAP server, run the openssl command:
# openssl s_client -tls1_2 -connect <HOST2>:<SSL_PORT2>
CONNECTED(00000003)
Running network traces on the Policy Server will also help: the TLS packets exchanged between the Policy Server and the LDAP User Directory show the negotiated version of TLS.
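The same check done from the client side, as an added example that is not part of the article or the Policy Server product: each connection attempt offers exactly one TLS version, so the server can only accept or reject it, and the result shows which versions the LDAP server supports (pinning min and max to TLSv1.2 is the client-side enforcement). The host and port are placeholders, and the sample openssl output is constructed.

```python
import re
import socket
import ssl

# Assumed LDAPS endpoint (placeholder values, not taken from the article).
HOST, PORT = "ldap.example.internal", 636

# Versions to offer one at a time; the server can only pick from what is offered.
PROBE_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def client_context(version, ca_file=None):
    """Client SSLContext that offers exactly one protocol version.
    Setting min == max == TLSv1.2 is how a client enforces TLSv1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if ca_file is None:  # probing only: no CA given, so skip verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls_versions(host, port, ca_file=None, timeout=5.0):
    """Return {TLSVersion: negotiated version name, or the rejection reason}."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = client_context(version, ca_file)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = tls.version()
        except (ValueError, ssl.SSLError, OSError) as exc:
            # ValueError: the local OpenSSL build refuses this version outright
            results[version] = f"rejected: {exc}"
    return results


def parse_s_client(output):
    """Pull the negotiated Protocol and Cipher out of openssl s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return (proto.group(1) if proto else None, cipher.group(1) if cipher else None)


# Constructed sample of the relevant part of openssl s_client output.
SAMPLE_OUTPUT = """CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
```

Run `probe_tls_versions(HOST, PORT)` against the directory to see which versions it accepts; `parse_s_client` reads the Protocol and Cipher lines from saved openssl output.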