ldap_server: Drop TLS 1.2 support

2022-10-31 00:51:31 +00:00 · 2022-10-31 00:51:31 +00:00 · f17ae819fa
commit f17ae819fa
parent 84f8add38a
2 changed files with 2 additions and 6 deletions
--- a/roles/ldap_server/meta/main.yml
+++ b/roles/ldap_server/meta/main.yml
@ -1,7 +1,5 @@
 ---
-
 dependencies:
-  - {role: dhparams}
  - {role: kerberos}
  - {role: ldap}
  - {role: saslauthd}
--- a/roles/ldap_server/templates/slapd.conf.j2
+++ b/roles/ldap_server/templates/slapd.conf.j2
@ -45,11 +45,9 @@ moduleload constraint.la
 TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
 TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
 TLSCACertificatePath /etc/openldap/certs
-TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
-TLSVerifyClient try
+TLSVerifyClient allow
 TLSECName prime256v1
-TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-TLSProtocolMin 3.3
+TLSProtocolMin 3.4

 # force hostname to get kerberos working correctly behind proxies
 sasl-host ldap.foo.sh