A vulnerability test was recently performed and the port being used for CA LDAP was identified as being vulnerable for using an early version of TLS. Is there a way to force CA LDAP to use TLS 1.2 or the latest version?
The SLAPD.CONF global option TLSProtocolMin (optional) specifies the minimum SSL/TLS protocol version that the server will allow to be negotiated. For example, if TLSProtocolMin is set to "tls1.2" and a client supports only TLS 1.1, that client is not allowed to connect to the CA LDAP Server. To configure CA LDAP for TLS 1.2 or later, use this SLAPD.CONF parameter:
TLSProtocolMin tls1.2
Whatever level you enter in SLAPD.CONF is used as the floor: the server negotiates that version or any later one, so a lower value leaves the older protocols the scan flagged still enabled. If you want SSL3 allowed, then use:
TLSProtocolMin ssl3
See section: "Customize the Slapd Configuration File" for "TLSProtocolMin" for details.
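The following is an added example, not CA documentation or code from the product: a small audit that reads a slapd.conf, finds the TLSProtocolMin value, and reports which protocol versions the server would still negotiate, plus a probe that checks what a running LDAPS port actually accepts. The accepted value spellings other than ssl3 and tls1.2 (tls1.0, tls1.1, tls1.3), case-insensitive option matching, '#' as the comment character and last-occurrence-wins are assumptions; the sample configuration text is constructed.

```python
"""Audit TLSProtocolMin in a CA LDAP Server slapd.conf and probe the live port.

Added example, not CA documentation. Assumptions not taken from the page:
option names match case-insensitively, '#' begins a comment, the last
occurrence of an option wins, and the value spellings below are accepted.
"""
import socket
import ssl

# Ordered weakest to strongest; only ssl3 and tls1.2 are confirmed by the page.
PROTOCOL_ORDER = ["ssl3", "tls1.0", "tls1.1", "tls1.2", "tls1.3"]

# Constructed sample configurations (not real customer files).
WEAK_CONF = """\
# slapd.conf - global options
TLSCertificateFile /u/ldap/cert.pem
TLSProtocolMin ssl3        # permits SSL 3.0 and everything newer
"""
FIXED_CONF = """\
# slapd.conf - global options
TLSCertificateFile /u/ldap/cert.pem
TLSProtocolMin tls1.2
"""


def parse_tls_protocol_min(conf_text):
    """Return the TLSProtocolMin value (lower-cased) or None if it is not set."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumption)
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "tlsprotocolmin" and len(parts) == 2:
            value = parts[1].strip().lower()  # last occurrence wins (assumption)
    return value


def protocols_allowed(min_value):
    """List every protocol version the server would negotiate given the minimum."""
    if min_value not in PROTOCOL_ORDER:
        raise ValueError(f"unrecognised TLSProtocolMin value: {min_value!r}")
    return PROTOCOL_ORDER[PROTOCOL_ORDER.index(min_value):]


def audit(conf_text, required="tls1.2"):
    """Return (status, detail): PASS, FAIL or MISSING against the required floor."""
    current = parse_tls_protocol_min(conf_text)
    if current is None:
        return ("MISSING", "TLSProtocolMin is not set; the server default applies "
                           "and this check cannot determine it")
    allowed = protocols_allowed(current)
    weak = [p for p in allowed
            if PROTOCOL_ORDER.index(p) < PROTOCOL_ORDER.index(required)]
    if weak:
        return ("FAIL", f"TLSProtocolMin {current} still permits {', '.join(weak)}")
    return ("PASS", f"TLSProtocolMin {current} permits only {', '.join(allowed)}")


def probe_protocol(host, port, version, timeout=5.0):
    """Try exactly one TLS version against an LDAPS (implicit TLS) port.

    Returns the negotiated version string, or None when the server refuses it.
    Certificate checks are disabled because only protocol acceptance is tested.
    StartTLS on the plain LDAP port is not covered by this probe.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        status, detail = audit(conf)
        print(f"{name}: {status} - {detail}")
    # Live check against your own server, e.g.:
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
    #     print(v.name, probe_protocol("ldap.example.internal", 636, v))
```

Run the audit against the real slapd.conf after the change, then run the probe: after a restart with TLSProtocolMin tls1.2, the TLSv1 and TLSv1_1 probes should return None and only TLSv1_2 (and TLSv1_3 if the server supports it) should report a negotiated version.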