Comment 3 for bug 1591681

AlainKnaff (kubuntu-misc) wrote :

Oops, I was just missing the -H ldapi:/// along with the -Y EXTERNAL

Now the following works (well, with slapd, not with the textarea on this site, WTF? :-( ):

ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV
EOF

%SERVER_PRECEDENCE does fix the "server cipher order" => good

However %FALLBACK_SCSV fails to fix "TLS_FALLBACK_SCSV (RFC 7507)", which now says "some unexpected 'handshake failure' instead of 'inappropriate fallback' (likely NOT ok)"

Moreover, %SAFE_RENEGOTIATION fails to fix "Secure Client-Initiated Renegotiation"; it still says VULNERABLE (NOT ok), DoS threat. Or maybe there's a different setting needed for that?
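Added example (editor's, not part of the bug report or of OpenLDAP): a small POSIX shell script that builds the same cn=config LDIF for a GnuTLS priority string, shows what that string expands to on the local GnuTLS, and, when given a host:port, approximates the three scanner findings quoted above with openssl s_client probes (server cipher order, TLS_FALLBACK_SCSV, client-initiated renegotiation). It assumes gnutls-cli and openssl are installed and that the target slapd listens on ldaps (the host:port is a placeholder you supply); only the LDIF and flag-check helpers run offline, the probes need a live server and their readings are heuristics on s_client's text output.

```shell
#!/bin/sh
# Added example, not from the bug report: generate the olcTLSCipherSuite LDIF
# and probe a live slapd for the three findings discussed in the comment.
set -eu

# Priority string from the comment, including the flags under discussion.
PRIO='SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV'

# Emit the cn=config LDIF that sets olcTLSCipherSuite to $1
# (same shape as the ldapmodify input in the comment).
ldif_for_prio() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' "$1"
}

# Return 0 when the priority string in $1 carries every token given after it.
prio_has() {
    p=":$1:"; shift
    for tok in "$@"; do
        case "$p" in *":$tok:"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Expand the priority string with the local GnuTLS to see the protocols and
# suites it really enables (the version slapd links against may differ).
show_expansion() {
    command -v gnutls-cli >/dev/null || { echo "gnutls-cli not installed, skipping expansion" >&2; return 0; }
    gnutls-cli --list --priority "$1" || echo "priority string rejected by local GnuTLS" >&2
}

# Probe host:port (e.g. ldap.example.com:636, hypothetical) with openssl s_client.
probe_server() {
    host=$1
    command -v openssl >/dev/null || { echo "openssl not installed" >&2; return 1; }

    # Server cipher order: offer two suites in opposite client preference orders.
    # A server that enforces its own order (%SERVER_PRECEDENCE) picks the same one both times.
    a=$(echo | openssl s_client -connect "$host" -tls1_2 -cipher 'AES128-SHA:AES256-SHA' 2>/dev/null | sed -n 's/^ *Cipher *: //p')
    b=$(echo | openssl s_client -connect "$host" -tls1_2 -cipher 'AES256-SHA:AES128-SHA' 2>/dev/null | sed -n 's/^ *Cipher *: //p')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "server cipher order: enforced ($a)"
    else
        echo "server cipher order: client-controlled or inconclusive ($a vs $b)"
    fi

    # TLS_FALLBACK_SCSV (RFC 7507): a handshake capped at TLS 1.1 that carries the SCSV
    # must be refused with alert "inappropriate fallback"; a generic "handshake failure"
    # is the symptom the comment reports. If the server has TLS 1.1 disabled outright
    # (or the local OpenSSL refuses to offer it) the result is inconclusive.
    out=$(echo | openssl s_client -connect "$host" -tls1_1 -fallback_scsv 2>&1 || true)
    case "$out" in
        *"inappropriate fallback"*) echo "fallback SCSV: OK (inappropriate fallback alert)" ;;
        *"handshake failure"*)      echo "fallback SCSV: NOT ok (generic handshake failure)" ;;
        *)                          echo "fallback SCSV: inconclusive" ;;
    esac

    # Client-initiated renegotiation: type 'R' on an open session and wait briefly.
    # A server that refuses answers "no renegotiation" (or fails the handshake);
    # one that completes the renegotiation is exposed to CPU-exhaustion DoS.
    out=$( (printf 'R\n'; sleep 2) | openssl s_client -connect "$host" -tls1_2 2>&1 || true)
    case "$out" in
        *"no renegotiation"*|*"handshake failure"*) echo "client renegotiation: refused (OK)" ;;
        *RENEGOTIATING*)                              echo "client renegotiation: accepted (NOT ok, DoS vector)" ;;
        *)                                            echo "client renegotiation: inconclusive" ;;
    esac
}

case "${1:-}" in
    "") ldif_for_prio "$PRIO"; show_expansion "$PRIO" ;;
    *)  probe_server "$1" ;;
esac
```

Run it with no arguments to print the LDIF (pipe it into `ldapmodify -Y EXTERNAL -H ldapi:///`) and the local expansion of the priority string; run it with `host:636` against the server after the change to re-check the three findings. The probes only read s_client's text, so treat "inconclusive" as "look at the raw output", not as a pass.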