TLS requirements for LDAP servers#

This document describes the requirements for the SSL/TLS configuration of LDAP servers connected to Feide

TLS protocol version#

Feide requires LDAP servers to support TLS version 1.2.

Note: On Windows Server 2008 R2, TLS version 1.2 must be enabled. See Protocols in TLS/SSL (Schannel SSP) for details.

TLS 1.1, TLS 1.0, SSL version 3.0 and older is not supported by Feide.

TLS cipher suites#

Feide requires LDAP servers to support at least one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)





  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)


Feide requires LDAP servers to be configured with a certificate issued from a public certificate provider.

The Mozilla CA-bundle can be used as a reference for the list of supported root certificates in Feide.

Testing compatibility#

The LDAP connection test tool can be used to test the LDAP server against these requirements.