
Re: how to tell client to use ssf=256 instead of ssf=128



Good evening,

2012/10/8 Tobias Hachmer <lists@kokelnet.de>:
> I'm using openldap 2.4.28 on ubuntu server and configured TLS.
> I want to allow write operations only when ssf=256 is used. (security
> update_ssf=256)

[...]
> 1. Why is the client connecting with ssf=128?

That's a result of ciphersuite negotiation.

> 2. Can I influence the ssf used by client, if yes, how?

Just allow 256-bit ciphersuites on the client or the server, or place
256-bit ciphersuites first in the list.
Try adding this to your global ldap.conf or local .ldaprc file:

TLS_CIPHER_SUITE AES256

or

TLS_CIPHER_SUITE SECURE256

Depending on the crypto library used (OpenSSL or GNUTLS).

> 3. Maybe a certificate issue?

No. You can do DES (56-bit) or AES256 with the same certificate.

-- 
Erwann.
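A small added example (not part of the thread above) showing why the negotiated ciphersuite decides the SSF and how the `update_ssf=256` policy and the suggested `TLS_CIPHER_SUITE` values interact. It assumes, as OpenLDAP does, that the TLS SSF equals the key length of the negotiated bulk cipher; the suite-name patterns and the `prefer_256` helper are this example's own simplifications, not OpenLDAP code.

```python
import re
from typing import Optional

# Key length (bits) of the bulk cipher, which is what OpenLDAP reports as the
# TLS SSF. Name patterns are an assumption covering common OpenSSL-style
# (AES128-SHA) and GnuTLS-style (TLS_RSA_AES_128_CBC_SHA1) suite names.
_CIPHER_BITS = [
    (re.compile(r"AES[-_]?(128|256)"), lambda m: int(m.group(1))),
    (re.compile(r"CHACHA20"), lambda m: 256),
    # Single DES only; "DES-CBC3" (3DES) is deliberately left unrecognised.
    (re.compile(r"(^|[-_])DES[-_]CBC([-_]|$)"), lambda m: 56),
    (re.compile(r"NULL"), lambda m: 0),
]


def tls_ssf(cipher_suite: str) -> Optional[int]:
    """SSF OpenLDAP would derive from a negotiated suite, or None if unknown."""
    name = cipher_suite.upper()
    for pattern, bits in _CIPHER_BITS:
        m = pattern.search(name)
        if m:
            return bits(m)
    return None


def write_allowed(cipher_suite: str, update_ssf: int = 256) -> bool:
    """Mirror the server's 'security update_ssf=<n>' check for one connection:
    a write is accepted only when the connection's SSF reaches the threshold."""
    ssf = tls_ssf(cipher_suite)
    return ssf is not None and ssf >= update_ssf


def client_cipher_line(library: str) -> str:
    """ldap.conf / .ldaprc line restricting the client to 256-bit suites,
    using the spelling each crypto library expects (values from the reply)."""
    spec = {"openssl": "AES256", "gnutls": "SECURE256"}[library.lower()]
    return f"TLS_CIPHER_SUITE {spec}"


def prefer_256(cipher_list: str) -> str:
    """Reorder a colon-separated OpenSSL cipher list so 256-bit suites come
    first, the second option suggested in the reply (order is preserved
    within each group)."""
    suites = cipher_list.split(":")
    strong = [s for s in suites if (tls_ssf(s) or 0) >= 256]
    rest = [s for s in suites if (tls_ssf(s) or 0) < 256]
    return ":".join(strong + rest)
```

Checking the suite a server actually negotiates (for example with `openssl s_client`) and feeding its name to `tls_ssf` tells you which side of the `update_ssf` threshold a client will land on before touching the server policy.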