From f17ae819fab5c059e7dc18a65e440707133f91fb Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 31 Oct 2022 00:51:31 +0000
Subject: [PATCH] ldap_server: Drop TLS 1.2 support

---
 roles/ldap_server/meta/main.yml           | 2 --
 roles/ldap_server/templates/slapd.conf.j2 | 6 ++----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml
index d2e19c5..e59e67d 100644
--- a/roles/ldap_server/meta/main.yml
+++ b/roles/ldap_server/meta/main.yml
@@ -1,7 +1,5 @@
 ---
-
 dependencies:
-  - {role: dhparams}
   - {role: kerberos}
   - {role: ldap}
   - {role: saslauthd}
diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2
index 5e35eeb..cc08319 100644
--- a/roles/ldap_server/templates/slapd.conf.j2
+++ b/roles/ldap_server/templates/slapd.conf.j2
@@ -45,11 +45,9 @@ moduleload constraint.la
 TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
 TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
 TLSCACertificatePath /etc/openldap/certs
-TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
-TLSVerifyClient try
+TLSVerifyClient allow
 TLSECName prime256v1
-TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-TLSProtocolMin 3.3
+TLSProtocolMin 3.4
 
 # force hostname to get kerberos working correctly behind proxies
 sasl-host ldap.foo.sh
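Review bot: The change from `TLSVerifyClient try` to `TLSVerifyClient allow` in the slapd.conf.j2 hunk weakens client-certificate validation and is not covered by the subject "Drop TLS 1.2 support": with `try`, a client that presents a bad certificate has its session terminated, whereas `allow` ignores a bad certificate and lets the session proceed, so expired or untrusted client certificates are no longer rejected at the TLS layer. If this relaxation is needed for TLS 1.3 handshake behaviour with some client, the commit message should say so; otherwise keep `TLSVerifyClient try`. Removing `TLSCipherSuite` while setting `TLSProtocolMin 3.4` leaves the library's default TLS 1.3 suites, which is reasonable, but the retained `TLSECName prime256v1` may now also constrain the TLS 1.3 key-share group to P-256 only depending on how the build maps it — worth a comment such as `# P-256 only; check whether this also limits TLS 1.3 key shares`. Since TLS 1.2 is now rejected outright, the description should confirm that every LDAP client (sssd, Java, older libldap builds) in use negotiates TLS 1.3.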