From b23bef0fb66646de2d64c92b4dc49b1a587e12ae Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 4 Jun 2024 21:12:36 +0200
Subject: [PATCH] fix: enable ECDHE ciphers and enforce TLS 1.2 (#2)

Reviewed-on: https://gitea.rknet.org/ansible/xoxys.ldap_proxy/pulls/2
---
 templates/etc/openldap/slapd.conf.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/templates/etc/openldap/slapd.conf.j2 b/templates/etc/openldap/slapd.conf.j2
index fe39ca6..ecb00ef 100644
--- a/templates/etc/openldap/slapd.conf.j2
+++ b/templates/etc/openldap/slapd.conf.j2
@@ -31,8 +31,9 @@ argsfile /var/run/openldap/slapd.args
 TLSCertificateFile {{ ldap_proxy_tls_cert_path }}
 TLSCertificateKeyFile {{ ldap_proxy_tls_key_path }}
 TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}
-TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
-TLSProtocolMin 3.1
+TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3:!SHA1:!SHA256:!SHA384
+TLSProtocolMin 3.3
+TLSECName secp521r1

 ### Database definition (Proxy to AD) #########################################
 database ldap
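Review bot: The new `TLSCipherSuite` line drops the `!aNULL:!MD5:!RC4` exclusions that the removed line carried, and OpenSSL's `HIGH`/`MEDIUM` keywords are lower-level primitives that can still match anonymous (ADH/AECDH) suites depending on the library build; the `!SHA1:!SHA256:!SHA384` negations only strip the HMAC-based suites and do not cover the anonymous AEAD ones. Appending the old exclusions keeps the change strictly tightening: `TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3:!SHA1:!SHA256:!SHA384:!aNULL:!MD5:!RC4`. The subject says the commit enables ECDHE, but nothing in the string prefers ECDHE key exchange over RSA or DHE, so a template comment stating the intended outcome (AEAD suites only, minimum TLS 1.2) would help the next reader; `-SSLv2:-SSLv3` is redundant once `TLSProtocolMin 3.3` pins TLS 1.2, though harmless. `TLSECName secp521r1` restricts ECDHE to a single curve that some clients do not prioritise or support, so it is worth confirming against the AD and client population, and whether the deployed OpenLDAP accepts a curve list here, before rolling this out.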