Oops, I was just missing the -H ldapi:/// along with the -Y EXTERNAL
Now the following works (well, with slapd, not with the textarea on this site, WTF? :-( ):
ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV
EOF
%SERVER_PRECEDENCE does fix the "server cipher order" => good
However %FALLBACK_SCSV fails to fix "TLS_FALLBACK_SCSV (RFC 7507)" which now says "some unexpected "handshake failure" instead of "inappropriate fallback" (likely NOT ok)"
Moreover, %SAFE_RENEGOTIATION fails to fix "Secure Client-Initiated Renegotiation", it still says VULNERABLE (NOT ok), DoS threat. Or maybe, there's a different setting needed for that?