Chapter 2. Configuring the supported TLS protocol versions


In Red Hat Enterprise Linux 9, all system-wide crypto policy profiles define TLS 1.2 as the minimum. Therefore, TLS 1.2 is also the minimum in Directory Server. However, if all of your clients support a newer TLS version, you can set a higher minimum protocol version to increase security.

You can set both the minimum and maximum TLS protocol using the command line.

Warning

Do not set a maximum TLS protocol. If you do, clients that support a newer version are forced to negotiate a weaker one than they would use by default. If you leave the maximum unset, Directory Server always negotiates the strongest version that both it and the client support.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Optional: Display the TLS protocols that are currently enabled in Directory Server:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
    sslversionmin: TLS1.2
    sslversionmax: TLS1.3
  2. Set the minimum TLS protocol. For example, to set it to TLS 1.3, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-min="TLS1.3"

    Note that you cannot set the parameter to a value lower than TLS 1.2, which is the minimum of all RHEL system-wide crypto policy profiles.

  3. Not recommended: Set the highest supported TLS protocol:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-max="TLS1.3"

    If you set --tls-protocol-max to a value lower than --tls-protocol-min, Directory Server sets the maximum protocol to the same value as the minimum.

    To always use the strongest supported encryption protocol as the maximum supported TLS version, do not set --tls-protocol-max.

  4. Restart the instance:

    # dsctl instance_name restart

Verification

  1. Display the supported TLS protocols:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security get | egrep -i "sslVersionMin|sslVersionMax"
    sslversionmin: TLS1.3
    sslversionmax: TLS1.3
  2. Use the openssl utility to establish a client connection that is restricted to a specific TLS protocol version. The -tls1_3 option allows only TLS 1.3, so a successful handshake shows that the server accepts that version:

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
    ...
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    ...

You can set both the minimum and maximum TLS protocol using the web console

Warning

Do not set a maximum TLS protocol. If you do, clients that support a newer version are forced to negotiate a weaker one than they would use by default. If you leave the maximum unset, Directory Server always negotiates the strongest version that both it and the client support.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the Directory Server instance in the web console.

Procedure

  1. Navigate to Server Security.
  2. Set the minimum TLS protocol in the Minimum TLS Version field.
  3. Not recommended: Set the highest supported TLS protocol in the Maximum TLS Version field.
  4. Click Save Settings.
  5. Click Actions in the top right corner, and select Restart Instance.

Verification

  • Use the openssl utility to establish a client connection that is restricted to a specific TLS protocol version. The -tls1_3 option allows only TLS 1.3, so a successful handshake shows that the server accepts that version:

    # echo | openssl s_client -connect server.example.com:636 -tls1_3
    ...
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    ...
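
The verification steps in both procedures above only exercise the positive case: a client pinned to TLS 1.3 connects. To confirm that the new minimum is actually enforced, a version the server should no longer allow must be refused as well. The following script is an added example, not part of the Red Hat documentation or of the Directory Server project. It probes the LDAPS port once per version with openssl s_client, whose -tls1_2 and -tls1_3 options restrict the client to a single protocol version, and compares each outcome against the configured minimum. It assumes OpenSSL 1.1.1 or later (which has -tls1_3), a server reachable on port 636, and the hypothetical file name tls-probe.sh; the s_client transcripts embedded at the end are constructed, not captured from a real server, so the parsing and decision logic can be exercised without network access.

```shell
#!/usr/bin/env bash
# Added example, not part of the Red Hat Directory Server documentation.
# Probes an LDAPS port once per TLS version with "openssl s_client", which the
# -tls1_2/-tls1_3 options pin to a single protocol version, and checks that
# every version below the configured minimum is refused while the minimum and
# anything above it are accepted. Assumes OpenSSL 1.1.1 or later.
# Usage: ./tls-probe.sh HOST PORT MINIMUM   (e.g. server.example.com 636 TLS1.3)
# Without arguments, the checks run against the constructed transcripts below.

# Print the protocol s_client negotiated ("TLSv1.2" or "TLSv1.3"), or nothing
# when the handshake failed: s_client then prints "New, (NONE), Cipher is (NONE)".
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \(TLSv1\.[0-9]\), Cipher is .*/\1/p' | head -n 1
}

# dsconf notation (TLS1.2) -> s_client option (-tls1_2) / s_client label (TLSv1.2).
version_flag()  { printf '%s\n' "-tls1_${1#TLS1.}"; }
version_label() { printf '%s\n' "TLSv1.${1#TLS1.}"; }

# Judge one probe against the configured minimum.
#   $1 minimum (TLS1.2/TLS1.3)  $2 probed version  $3 negotiated label or ""
# Prints PASS when the server behaved as the minimum requires, FAIL otherwise.
evaluate_probe() {
    local min="${1#TLS1.}" probed="${2#TLS1.}" got="$3"
    if [ "$probed" -lt "$min" ]; then
        # Below the minimum: the handshake must be refused.
        [ -z "$got" ] && echo PASS || echo FAIL
    else
        # At or above the minimum: the server must negotiate exactly this version.
        # A refusal here usually means --tls-protocol-max caps the server below it.
        [ "$got" = "$(version_label "$2")" ] && echo PASS || echo FAIL
    fi
}

# One handshake restricted to a single version; prints the negotiated label.
# "|| true" keeps a refused handshake (non-zero exit) from aborting under set -e.
probe_version() {
    local out
    out=$(echo | openssl s_client -connect "$1:$2" "$(version_flag "$3")" 2>&1 || true)
    negotiated_protocol "$out"
}

# Probe TLS 1.2 and 1.3 (the only minimums dsconf accepts on RHEL 9) and
# return non-zero if any probe contradicts the configured minimum.
verify_minimum() {
    local host="$1" port="$2" min="$3" v got verdict rc=0
    for v in TLS1.2 TLS1.3; do
        got=$(probe_version "$host" "$port" "$v")
        verdict=$(evaluate_probe "$min" "$v" "$got")
        printf '%-7s negotiated=%-8s %s\n' "$v" "${got:-none}" "$verdict"
        [ "$verdict" = PASS ] || rc=1
    done
    return "$rc"
}

# Constructed s_client transcripts (not captured from a real server), trimmed
# to the lines that matter, so the parsing logic can be exercised offline.
SAMPLE_ACCEPTED='---
SSL handshake has read 1234 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'
SAMPLE_REFUSED='SSL handshake has read 7 bytes and written 293 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

if [ "$#" -eq 3 ]; then
    verify_minimum "$1" "$2" "$3"
else
    echo "accepted transcript -> $(negotiated_protocol "$SAMPLE_ACCEPTED")"
    echo "refused transcript  -> '$(negotiated_protocol "$SAMPLE_REFUSED")'"
    echo "min TLS1.3, TLS1.2 refused -> $(evaluate_probe TLS1.3 TLS1.2 "$(negotiated_protocol "$SAMPLE_REFUSED")")"
fi
```

Run it as ./tls-probe.sh server.example.com 636 TLS1.3 after the restart; every line must read PASS. A FAIL on TLS1.2 with negotiated=TLSv1.2 means the new minimum is not in effect yet, typically because the instance was not restarted. A FAIL on TLS1.3 with negotiated=none means either the server caps the protocol with --tls-protocol-max or the client's own OpenSSL cannot offer TLS 1.3.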