If you don't want to allow connections to your OpenLDAP below TLS 1.2, here is how to do it.
First, run
openssl dhparam -out /etc/ldap/certs/slapd.dh.params 2048
to generate a DH parameter file, and set its path in olcTLSDHParamFile.
Then set olcTLSCipherSuite to SECURE256
to allow only the strong 256-bit TLS 1.2/1.3 suites listed below. SECURE256 by itself does not disable the older protocol versions (the Protocols line in the listing below still shows VERS-TLS1.1 and VERS-TLS1.0), so to actually refuse TLS 1.0 and 1.1 deny them explicitly with SECURE256:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
Note that for the cipher suite we don't use HIGH: that is an OpenSSL cipher-string keyword, and OpenLDAP on Ubuntu is built against GnuTLS, which uses priority strings instead.
To see the available GnuTLS priority keywords, install gnutls-cli and read man gnutls-cli, searching for the --priority flag. At the moment it accepts PERFORMANCE, NORMAL, PFS, SECURE128 and SECURE256, but this can change in future versions. To list the cipher suites and protocols enabled by SECURE256, run:
# gnutls-cli --priority SECURE256 -l
Cipher suites for SECURE256
TLS_AES_256_GCM_SHA384 0x13, 0x02 TLS1.3
TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03 TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-256-CBC, AES-256-CCM
MACs: AEAD
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA
Groups: GROUP-SECP384R1, GROUP-SECP521R1, GROUP-FFDHE8192
PK-signatures: SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384, SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512, SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512
If you want to accept only TLS-protected connections, set olcSecurity: tls=1
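The whole procedure above, collected into one script as an added example (this is not code from the original post): it builds the cn=config LDIF for olcTLSDHParamFile, olcTLSCipherSuite and olcSecurity, and it includes two offline checks that catch the mistake discussed above, a priority string that never removes the legacy versions, or a gnutls-cli listing whose Protocols line still contains them. Assumptions not in the post: olcSecurity is placed on the frontend database so it covers every database, slapd is reachable over ldapi:/// with SASL EXTERNAL as root (the usual Ubuntu layout), and the sample Protocols lines are constructed from the shape of the gnutls-cli -l output shown above. Nothing touches slapd unless the script is run with the apply argument.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and the ldapi:///
# EXTERNAL bind are assumptions; adjust them for your host.

DHPARAM=/etc/ldap/certs/slapd.dh.params
PRIORITY='SECURE256:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'

# Emit the LDIF that applies the three settings. The olcTLS* attributes live
# on cn=config; olcSecurity is set on the frontend database (assumed) so the
# tls=1 requirement applies to every database served by this slapd.
build_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSDHParamFile
olcTLSDHParamFile: $DHPARAM
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: $PRIORITY

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1
EOF
}

# Succeed only if the priority string explicitly removes each legacy version.
# SECURE256 on its own fails this check, matching the listing in the post.
priority_disables_legacy() {
  for v in VERS-TLS1.0 VERS-TLS1.1 VERS-DTLS1.0; do
    case "$1" in
      *"-$v"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Succeed only if a "Protocols:" line from gnutls-cli -l output contains no
# TLS1.0, TLS1.1 or DTLS1.0 entry, i.e. the server will not negotiate them.
protocols_ok() {
  printf '%s\n' "$1" | grep -q -E 'VERS-(TLS1\.0|TLS1\.1|DTLS1\.0)' && return 1
  return 0
}

# Constructed sample lines in the shape of gnutls-cli -l output: the first is
# what SECURE256 alone yields, the second what the hardened string yields.
SAMPLE_SECURE256='Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0'
SAMPLE_HARDENED='Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-DTLS1.2'

case "${1:-}" in
  apply)
    # Live steps, run only on explicit request: generate DH params, push the
    # LDIF into cn=config, then show what GnuTLS will actually negotiate.
    priority_disables_legacy "$PRIORITY" || { echo "priority leaves legacy TLS on" >&2; exit 1; }
    openssl dhparam -out "$DHPARAM" 2048
    build_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    gnutls-cli --priority "$PRIORITY" -l | grep '^Protocols:'
    ;;
  *)
    # Dry run: print the LDIF so it can be reviewed before applying.
    build_ldif
    ;;
esac
```

Run it without arguments to review the generated LDIF, and with apply to perform the steps; the final gnutls-cli line should print a Protocols entry like the hardened sample above, with no VERS-TLS1.0 or VERS-TLS1.1 left.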