Per CVE-2014-3566 we need to disallow SSLv3 and TLS 1.0. The latest TLS protocol version supplied by openssl 1.0.1e is TLS 1.2. Recent-ish updates to openldap-servers (shipped with SIMP-6) theoretically allow users to set a minimum TLS protocol version in slapd.conf, per https://access.redhat.com/solutions/1234843:
I have tested and verified this solution works with openldap-servers-2.4.40-13.el7, distributed with 1611. I have NOT verified this solution in el6.
Once verified, we should puppetize a minimum bound based on the version of openldap-servers and redefine the cipher suite to eliminate TLS 1.0 and SSLv3.
Good news! SIMP-6.0.0-0/CentOS 6.8 shipped with openldap-servers 2.4.40-12, which allows us to set a minimum TLS protocol and pin to TLS 1.2. Pressing forward with puppet changes.
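The slapd.conf settings the thread refers to, shown as an added example that is not part of the ticket or of the SIMP puppet code: the weak configuration (no protocol floor, default cipher list) beside the corrected one that pins the floor at TLS 1.2 with TLSProtocolMin, plus the fallback of restricting TLSCipherSuite to TLS 1.2-only cipher suites for builds where TLSProtocolMin is not honored. TLSProtocolMin and TLSCipherSuite are documented slapd.conf(5) directives; the certificate paths and the cipher list are assumptions for illustration.

```conf
# --- BEFORE (weak): no protocol floor, so SSLv3 and TLS 1.0 still negotiate ---
# TLSCertificateFile    /etc/openldap/certs/server.crt   # assumed path
# TLSCertificateKeyFile /etc/openldap/certs/server.key   # assumed path
# TLSCACertificateFile  /etc/openldap/certs/ca.crt       # assumed path
# (no TLSProtocolMin line; TLSCipherSuite left at the OpenSSL default)

# --- AFTER (hardened) ---
TLSCertificateFile    /etc/openldap/certs/server.crt   # assumed path
TLSCertificateKeyFile /etc/openldap/certs/server.key   # assumed path
TLSCACertificateFile  /etc/openldap/certs/ca.crt       # assumed path

# TLSProtocolMin <major>.<minor>: 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2.
# 3.3 refuses SSLv3, TLS 1.0 and TLS 1.1 outright (cn=config equivalent: olcTLSProtocolMin: 3.3).
TLSProtocolMin 3.3

# Belt and braces for an openldap-servers build that ignores TLSProtocolMin:
# every suite below exists only in TLS 1.2 (AEAD / SHA-2 MACs), so an SSLv3 or
# TLS 1.0 client finds no shared cipher and the handshake fails anyway.
# The exact list is an assumption; adjust to what your openssl 1.0.1e build enables.
TLSCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4
```

To check the result against a running ldaps listener (hostname assumed), force the client protocol with openssl s_client: `openssl s_client -connect ldap.example.com:636 -tls1 < /dev/null` should end in a handshake failure, while the same command with `-tls1_2` should complete and print the certificate chain. Restart slapd after editing slapd.conf; the directives are read only at startup.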