Symantec Directory 14.1 SP6 upgraded the bundled CAPKI from CAPKI5 to CAPKI6, which is based on OpenSSL 3.0. CAPKI6 still supports LDAPS, but with two new minimum requirements: TLS 1.2 or later, and RSA/DH key lengths of at least 2048 bits (the OpenSSL default of @SECLEVEL=2, i.e. 112-bit security).
Symantec Directory 14.1 SP6
As an example, an IBM Cognos LDAP client that was already configured to use TLS 1.2 still failed to establish an LDAPS connection to a Directory DSA. The cause was the cipher suite the IBM Cognos LDAP client negotiated, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, with a 1024-bit DH key; SECLEVEL=2 rejects DH keys shorter than 2048 bits. The rejection happens on the DSA side while it builds the ServerKeyExchange message (note the tls_construct_server_key_exchange function in the error), which is why, with the DSA trace set to full, messages like the following appear in the trace log:
? [184] 20241213.133019.757 WARN : B80D0000:error:0A00018A:SSL routines:tls_construct_server_key_exchange:dh key too small:ssl/statem/statem_srvr.c:2483
To resolve this issue properly, configure the LDAP client to satisfy the CAPKI6 requirements: TLS 1.2, a key length of at least 2048 bits, and a cipher suite that Symantec Directory supports. Only the client needs to change; the DSA's security level stays at SECLEVEL=2.
Alternatively, as a short-term workaround, locate openssl_legacy.cnf under the CAPKI6 directory. Its original content includes:
...
[tls_system_default]
CipherString = ALL:@SECLEVEL=2
Change SECLEVEL=2 to SECLEVEL=1, as follows, and a 1024-bit key will then be accepted:
...
[tls_system_default]
CipherString = ALL:@SECLEVEL=1
After the modification, stop and restart the DSA. Note that SECLEVEL=1 lowers the DSA to 80-bit security for every TLS connection it accepts, not only the one from the affected client: 1024-bit RSA/DH keys and RC4 cipher suites that SECLEVEL=2 blocks become acceptable again. Revert to SECLEVEL=2 once the client has been fixed.
For a Linux Directory installation, the standard location for the openssl_legacy.cnf is under /opt/CA/SharedComponents/CAPKI/CAPKI6/Linux/amd64/64/lib/.
For a Windows Directory installation, the standard location is under C:\Program Files\CA\SC\CAPKI\CAPKI6\Windows\amd64\64\lib.
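The following Python script is an added example and is not part of this article or of the Symantec Directory product: it scans a DSA trace for the OpenSSL "dh key too small" rejection shown above and toggles the @SECLEVEL value inside the [tls_system_default] section of an openssl_legacy.cnf-style file without touching other sections, so the workaround can be applied and later reverted consistently on both Linux and Windows DSA hosts. The trace lines and the config excerpt are constructed for the example, and the sections other than [tls_system_default] follow the generic OpenSSL config layout rather than the real file; the function names are the example's own.

```python
"""Added example (not Symantec Directory code): audit a DSA trace for the
CAPKI6/OpenSSL 3 'dh key too small' rejection and switch @SECLEVEL in the
[tls_system_default] section of an openssl_legacy.cnf-style file."""
import re

# OpenSSL security levels and the smallest RSA/DH modulus each accepts,
# per the OpenSSL 3.0 SSL_CTX_set_security_level(3) manual page.
MIN_KEY_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# The OpenSSL error string that appears in the DSA trace when a peer forces
# a DHE suite whose DH parameters are below the configured security level.
DH_TOO_SMALL = re.compile(
    r"error:(?P<code>[0-9A-F]{8}):SSL routines:"
    r"(?P<func>[A-Za-z_]+):dh key too small"
)

# Matches "CipherString = ...@SECLEVEL=N" and captures the level digit.
SECLEVEL_RE = re.compile(r"^(\s*CipherString\s*=\s*.*@SECLEVEL=)(\d)(.*)$")

# Constructed trace excerpt: one benign line, one rejection line.
SAMPLE_TRACE = """\
[184] 20241213.133019.740 INFO : SSL handshake started
[184] 20241213.133019.757 WARN : B80D0000:error:0A00018A:SSL routines:tls_construct_server_key_exchange:dh key too small:ssl/statem/statem_srvr.c:2483
"""

# Constructed config excerpt (layout of the other sections is assumed).
SAMPLE_CNF = """\
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = tls_system_default

[tls_system_default]
CipherString = ALL:@SECLEVEL=2
"""


def min_key_bits(level):
    """Minimum RSA/DH modulus (bits) accepted at a given @SECLEVEL."""
    return MIN_KEY_BITS[level]


def find_dh_failures(trace_text):
    """Return (line_no, error_code, function) for each small-DH rejection."""
    hits = []
    for n, line in enumerate(trace_text.splitlines(), 1):
        m = DH_TOO_SMALL.search(line)
        if m:
            hits.append((n, m.group("code"), m.group("func")))
    return hits


def set_seclevel(cnf_text, level, section="tls_system_default"):
    """Rewrite the @SECLEVEL digit of the CipherString in one [section].

    Returns (new_text, old_level). Other sections and line endings (LF or
    CRLF, so Windows files survive) are left untouched. Raises ValueError
    if the level is unknown or the setting is absent from the section.
    """
    if level not in MIN_KEY_BITS:
        raise ValueError(f"unknown SECLEVEL {level}")
    out, old, in_section = [], None, False
    for line in cnf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip() == section
        elif in_section and old is None:
            m = SECLEVEL_RE.match(body)
            if m:
                old = int(m.group(2))
                body = f"{m.group(1)}{level}{m.group(3)}"
        out.append(body + eol)
    if old is None:
        raise ValueError(f"no CipherString with @SECLEVEL in [{section}]")
    return "".join(out), old


if __name__ == "__main__":
    for n, code, func in find_dh_failures(SAMPLE_TRACE):
        print(f"trace line {n}: {func} raised {code} (dh key too small)")
    lowered, previous = set_seclevel(SAMPLE_CNF, 1)
    print(f"SECLEVEL {previous} -> 1: min key now {min_key_bits(1)} bits")
    print(lowered)
```

To use it on a real DSA, read openssl_legacy.cnf from the CAPKI6 lib directory listed above, pass its text to set_seclevel, write the result back and restart the DSA; running set_seclevel(text, 2) on the modified text restores the original. A quick client-side check of the same condition, independent of this script, is to point openssl s_client at the DSA on port 636 with -tls1_2 and the DHE suite the client uses; at SECLEVEL=2 the DSA will abort the handshake exactly as the trace shows.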
For more information about the CipherString SECLEVEL values, see the following OpenSSL 3.0 documentation: