Dieter Klünter wrote:
> I wonder whether openldap, if compiled with openssl-1.x, will support
> PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> This issue has been discussed on several mailinglists recently.
Hmm...
Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
sslscan with no cipher configuration directives in the server configurations
(only listing the "Accepted").
OpenLDAP RE24 build:
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 168 bits DES-CBC3-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits SEED-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-MD5
Accepted TLSv1.1 56 bits DES-CBC-SHA
Accepted TLSv1.1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1.1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1.1 40 bits EXP-RC4-MD5
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 168 bits DES-CBC3-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits SEED-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.2 128 bits RC4-MD5
Accepted TLSv1.2 56 bits DES-CBC-SHA
Accepted TLSv1.2 40 bits EXP-DES-CBC-SHA
Accepted TLSv1.2 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1.2 40 bits EXP-RC4-MD5
Apache web server:
Supported Server Cipher(s):
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1.1 168 bits DES-CBC3-SHA
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1.1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits SEED-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-MD5
Accepted TLSv1.1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1.1 56 bits DES-CBC-SHA
Accepted TLSv1.1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1.1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1.1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1.1 40 bits EXP-RC4-MD5
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1.2 168 bits DES-CBC3-SHA
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1.2 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits SEED-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.2 128 bits RC4-MD5
Accepted TLSv1.2 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1.2 56 bits DES-CBC-SHA
Accepted TLSv1.2 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1.2 40 bits EXP-DES-CBC-SHA
Accepted TLSv1.2 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1.2 40 bits EXP-RC4-MD5
Any reason why the *DHE* ciphers seem not to be supported during the OpenLDAP
scan while they are with Apache on the very same system?
Ciao, Michael.
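A check one can run over sslscan output like the two listings above, added here as an example that is not part of the thread: it parses the "Accepted" lines, counts per protocol version how many accepted suites use ephemeral key exchange (DHE/EDH as in the Apache listing, and also ECDHE, which neither scan above shows) versus static RSA, flags export/RC4/MD5 suites, and reports the protocol versions on which a server offers no forward secrecy at all. The two embedded scans are constructed subsets of the OpenLDAP and Apache output quoted in the message.

```python
import re
from collections import defaultdict

# One sslscan result line: "Accepted <proto> <bits> bits <cipher-name>"
LINE_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")
# OpenSSL suite-name prefixes for ephemeral (forward-secret) key exchange
EPHEMERAL_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "EECDH-")
WEAK_MARKERS = ("EXP-", "RC4", "MD5", "NULL")

# Constructed subsets of the two scans quoted in the thread (not full output)
OPENLDAP_SCAN = """\
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.2 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
"""
APACHE_SCAN = """\
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
"""

def parse_accepted(text):
    """Return (protocol, bits, name) for every 'Accepted' line."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def is_ephemeral(name):
    """Export suites put EXP- before the kx name (EXP-EDH-...): strip it."""
    core = name[4:] if name.startswith("EXP-") else name
    return core.startswith(EPHEMERAL_PREFIXES)

def is_weak(name, bits):
    return bits < 112 or any(k in name for k in WEAK_MARKERS)

def summarize(text):
    """Per protocol: count ephemeral-kx, static-RSA-kx and weak suites."""
    per = defaultdict(lambda: {"ephemeral": 0, "static": 0, "weak": 0})
    for proto, bits, name in parse_accepted(text):
        per[proto]["ephemeral" if is_ephemeral(name) else "static"] += 1
        per[proto]["weak"] += is_weak(name, bits)
    return dict(per)

def protocols_without_pfs(text):
    return sorted(p for p, d in summarize(text).items() if d["ephemeral"] == 0)
```

Run against the full listings, the OpenLDAP scan yields no ephemeral suite on any protocol version, whereas the Apache scan yields DHE/EDH suites on all three.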