From 2461e9a36ccb354fcb2de0854c3ce0e68cc72e63 Mon Sep 17 00:00:00 2001
From: downtownallday
Date: Wed, 7 Sep 2022 16:17:22 -0400
Subject: [PATCH] tighten the cipher list
---
 setup/ldap.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/setup/ldap.sh b/setup/ldap.sh
index 78afe20f..29c67256 100755
--- a/setup/ldap.sh
+++ b/setup/ldap.sh
@@ -436,8 +436,10 @@ olcTLSCertificateKeyFile: $STORAGE_ROOT/ssl/ssl_private_key.pem
 replace: olcTLSDHParamFile
 olcTLSDHParamFile: $STORAGE_ROOT/ssl/dh2048.pem
 -
+# TLS ciphers. To see expanded corresponding cipher suites run:
+# gnutls-cli --priority PFS:-VERS-TLS1.0:-VERS-TLS1.1 -l
 replace: olcTLSCipherSuite
-olcTLSCipherSuite: PFS
+olcTLSCipherSuite: PFS:-VERS-TLS1.0:-VERS-TLS1.1
 -
 replace: olcTLSVerifyClient
 olcTLSVerifyClient: never
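Review bot: The comment added above `olcTLSCipherSuite` shows how to expand the priority string but not what the setting is meant to guarantee, so a later edit could loosen it unnoticed; I would add a line such as `# GnuTLS priority string: forward-secrecy key exchanges only, TLS 1.0 and TLS 1.1 disabled`. The value is only meaningful when slapd is linked against GnuTLS, which the `gnutls-cli` hint implies but the comment does not state. The `PFS` keyword selects on key exchange, so the expanded list may still contain CBC and SHA-1 MAC suites under TLS 1.2; check the `gnutls-cli` listing, and confirm the negotiated protocol against a running slapd rather than relying on the string alone. What looks like an LDIF modify block starts and ends outside this hunk, so whether the consuming tool accepts `#` lines at this position cannot be confirmed from here.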