diff --git a/internal/crypto/ptls/default.go b/internal/crypto/ptls/default.go
index dee676e8..d929a4eb 100644
--- a/internal/crypto/ptls/default.go
+++ b/internal/crypto/ptls/default.go
@@ -57,3 +57,17 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
 RootCAs: rootCAs,
 }
 }
+
+func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
+ c := Default(rootCAs)
+ // add less secure ciphers to support the default AWS Active Directory config
+ c.CipherSuites = append(c.CipherSuites,
+ // CBC with ECDHE
+ // this provides forward secrecy and confidentiality of data but not authenticity
+ // MAC-then-Encrypt CBC ciphers are susceptible to padding oracle attacks
+ // See https://crypto.stackexchange.com/a/205 and https://crypto.stackexchange.com/a/224
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ )
+ return c
+}
diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
index 00e87b60..8fc3c10a 100644
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@@ -53,3 +53,8 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
 RootCAs: rootCAs,
 }
 }
+
+func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
+ c := Default(rootCAs)
+ return c
+}
diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
index ef4e7d9f..3c1f9615 100644
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
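Review bot: The exported `DefaultLDAP` added to default.go has no doc comment, although it is the one helper here that deliberately widens the cipher list returned by `Default`; the copy added to fips_strict.go lacks one as well. I would add something like `// DefaultLDAP returns Default with four ECDHE AES-CBC-SHA suites appended; use it only for LDAP connections to directories that offer no AEAD suite.` so callers do not pick it up for other connections. The inline comment's "but not authenticity" is also misleading as worded: these suites still authenticate records with HMAC-SHA1, and the weakness the next comment line names is the MAC-then-encrypt ordering, so `// records are MACed before encryption (MAC-then-encrypt), which exposes CBC padding to oracle attacks` would be more accurate. A test pinning the exact suite list would stop the set from growing silently.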
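Review bot: In fips_strict.go `DefaultLDAP` returns `Default(rootCAs)` unchanged, and nothing in the function says that leaving out the CBC suites is intentional. A comment such as `// DefaultLDAP is the same as Default in this build: the CBC suites the other build appends are deliberately not offered.` would make the divergence explicit, and the body can be just `return Default(rootCAs)`. If the directory servers named in default.go's comment really negotiate only those CBC suites, LDAPS handshakes from this build will presumably fail against them, which is worth stating in the doc comment or release notes. The build constraints that keep the two definitions apart are outside the hunk, so I could not check that they are mutually exclusive.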
@@ -28,20 +28,6 @@ const defaultServingOptionsMinTLSVersion = "VersionTLS12"
 type ConfigFunc func(*x509.CertPool) *tls.Config
-func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
- c := Default(rootCAs)
- // add less secure ciphers to support the default AWS Active Directory config
- c.CipherSuites = append(c.CipherSuites,
- // CBC with ECDHE
- // this provides forward secrecy and confidentiality of data but not authenticity
- // MAC-then-Encrypt CBC ciphers are susceptible to padding oracle attacks
- // See https://crypto.stackexchange.com/a/205 and https://crypto.stackexchange.com/a/224
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- )
- return c
-}
-
 func Legacy(rootCAs *x509.CertPool) *tls.Config {
 c := Default(rootCAs)
 // add all the ciphers (even the crappy ones) except the ones that Go considers to be outright broken like 3DES