From 820b4580373dde4c56b70429232c5ea7914c318c Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Fri, 23 Jan 2026 19:32:09 -0700
Subject: [PATCH] bump tls version, enforce strong ciphers
---
 ansible/roles/openldap_server/tasks/tls.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ansible/roles/openldap_server/tasks/tls.yaml b/ansible/roles/openldap_server/tasks/tls.yaml
index 1e69df6..30f89a2 100644
--- a/ansible/roles/openldap_server/tasks/tls.yaml
+++ b/ansible/roles/openldap_server/tasks/tls.yaml
@@ -5,6 +5,8 @@
 attributes:
 olcTLSCertificateFile: "{{ ldap_cert_path }}"
 olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
+ olcTLSProtocolMin: "3.3" # TLS 1.2+
+ olcTLSCipherSuite: HIGH:!aNULL:!MD5
 args:
 server_uri: ldapi:///
 sasl_mech: EXTERNAL
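Review bot: The added `olcTLSCipherSuite: HIGH:!aNULL:!MD5` is looser than the commit title suggests, since OpenSSL's `HIGH` class still admits static-RSA key exchange (no forward secrecy) and CBC suites with SHA-1 MACs. If every LDAP client in scope can negotiate it, a tighter and quoted value such as `olcTLSCipherSuite: "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"` matches the intent better and is consistent with the quoted sibling values. The string is also OpenSSL syntax; on a slapd linked against GnuTLS (Debian's package, for instance) this attribute takes a GnuTLS priority string instead, so the role presumably needs a per-platform value or a comment stating the OpenSSL assumption. The task's module name and any `state` setting sit above the hunk, so whether the two new attributes are applied together with the certificate paths cannot be checked from here.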