CA LDAP port identified as vulnerable: force the LDAP Server to accept only TLS 1.2


Article ID: 74948


Updated On:

Products

CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction



A vulnerability test was recently performed, and the port used by CA LDAP was identified as vulnerable because it accepts an early version of TLS. Is there a way to force CA LDAP to use TLS 1.2 or the latest version?

Environment

Release:
Component: ACFLDP

Resolution

The SLAPD.CONF global option TLSProtocolMin (optional) specifies the minimum SSL/TLS protocol version that the server will allow to be negotiated. For example, if the TLS_PROTOCOL_MIN configuration option specifies "tls1.2" and the client supports only TLS 1.1, the client is not allowed to connect to the CA LDAP Server. To configure CA LDAP to require TLS 1.2, use the following SLAPD.CONF parameter:

TLSProtocolMin tls1.2
 
Whatever level you enter in SLAPD.CONF is used as the minimum. If you want SSL 3 to be the lowest version accepted, use:
 
TLSProtocolMin ssl3
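
A configuration audit for this setting, added here as an example and not part of the article or of CA LDAP itself: it parses a slapd.conf, locates TLSProtocolMin, and reports whether the floor is at least tls1.2, treating a missing directive as a finding. It assumes OpenLDAP-style slapd.conf syntax, spells the intermediate versions tls1.0, tls1.1 and tls1.3 by analogy with the article's tls1.2 and ssl3, and uses two constructed sample configs.

```python
# Audit a CA LDAP Server slapd.conf for its TLSProtocolMin setting (added example,
# not from the article). Assumes OpenLDAP-style syntax: one directive per line,
# '#' comments, and lines starting with whitespace continue the previous line.

# Versions in increasing order of strength, spelled as TLSProtocolMin takes them
# (tls1.0, tls1.1 and tls1.3 are assumed by analogy with the article's values).
PROTOCOL_ORDER = ["ssl3", "tls1.0", "tls1.1", "tls1.2", "tls1.3"]
REQUIRED_MIN = "tls1.2"

def logical_lines(text):
    """Yield directives with comments dropped and continuation lines joined."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def tls_protocol_min(text):
    """Return the configured TLSProtocolMin value (lower-cased), or None if absent."""
    value = None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "tlsprotocolmin":
            value = parts[1].strip().strip('"').lower()  # last occurrence is reported
    return value

def audit(text, required=REQUIRED_MIN):
    """Return (compliant, finding) for the lowest protocol the server would negotiate."""
    value = tls_protocol_min(text)
    if value is None:
        return False, "TLSProtocolMin not set; server uses its default minimum"
    if value not in PROTOCOL_ORDER:
        return False, f"TLSProtocolMin has unrecognised value {value!r}"
    if PROTOCOL_ORDER.index(value) < PROTOCOL_ORDER.index(required):
        return False, f"TLSProtocolMin {value} allows protocols older than {required}"
    return True, f"TLSProtocolMin {value} meets the {required} floor"

# Constructed samples: the article's ssl3 setting beside the tls1.2 one.
WEAK_CONF = "# global section\nTLSCertificateFile /etc/slapd.pem\nTLSProtocolMin ssl3\n"
FIXED_CONF = "TLSCertificateFile /etc/slapd.pem\ntlsprotocolmin\n   tls1.2\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf))
```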

Additional Information

See the section "Customize the Slapd Configuration File", entry "TLSProtocolMin", for details.