[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Perfect Forward Secrecy

To: Howard Chu <hyc@symas.com>, openldap-technical@openldap.org
Subject: Re: Perfect Forward Secrecy
From: Michael StrÃder <michael@stroeder.com>
Date: Fri, 06 Sep 2013 23:45:41 +0200
In-reply-to: <522A35E1.3070606@symas.com>
References: <20130906190606.19563ea6@pink.avci.de> <522A35E1.3070606@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 SeaMonkey/2.20

Howard Chu wrote:
> Dieter KlÃnter wrote:
>> Hi,
>> I wonder whether openldap, if compiled with openssl-1.x, will support
>> PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
>> This issue has been discussed on several mailinglists recently.
> 
> It already does, but you have to use the right cipher suites.
> 
> Also see ITS #7595 http://www.openldap.org/its/index.cgi/Incoming?id=7595

Please correct if I'm wrong. But this ITS seems to be about using the cipher
suites based on elliptic curves with EC server key/cert.

But what about just the DHE-RSA cipher suites like DHE-RSA-AES256-SHA for
TLSv1 with RSA-based server key/cert?

Why does Apache support this out-of-the-box and OpenLDAP 2.4.36 does not?
Do I have to configure something else?

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: Perfect Forward Secrecy
  - From: Howard Chu <hyc@symas.com>

References:
- Perfect Forward Secrecy
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Perfect Forward Secrecy
  - From: Howard Chu <hyc@symas.com>

Prev by Date: RE: Antw: Re: Log service time?
Next by Date: Re: Antw: Re: Log service time?
Index(es):
- Chronological
- Thread