
Re: Perfect Forward Secrecy



On Fri, 6 Sep 2013, Michael Ströder wrote:
> Dieter Klünter wrote:
> > I wonder whether openldap, if compiled with openssl-1.x, will support
> > PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> > This issue has been discussed on several mailing lists recently.
> 
> Hmm...
> 
> Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
> sslscan with no cipher configuration directives in the server configurations
> (only listing the "Accepted").
...
> Any reason why the *DHE* ciphers seem not to be supported during the OpenLDAP
> scan, while they are with Apache on the very same system?

Because you have to set the TLSDHParamFile / olcTLSDHParamFile config 
option.

If that file doesn't contain DH parameters for the requested key length, 
then slapd/libldap will use compiled-in parameters for 512/1024/2048/4096 
lengths or generate parameters on the fly, so you can just use /dev/null 
as the 'file' for the option.

Once you add that, slapd will negotiate DHE cipher suites.


Philip Guenther
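The check described in this thread, as an added example that is not part of the original mail or of the OpenLDAP project: it parses the "Accepted"/"Rejected" lines of an sslscan report, tells you whether any ephemeral-DH (DHE) or ephemeral-ECDH suite was negotiated, and renders the slapd.conf and cn=config lines that turn DHE on. The two sslscan reports embedded below are constructed to mirror the before/after situation from the thread; the option names TLSDHParamFile and olcTLSDHParamFile are the real ones named above, while the DH parameter file path is an assumption (per the thread, /dev/null also works, because slapd then falls back to its built-in parameters).

```python
"""Check an sslscan report for forward-secret cipher suites and render the
OpenLDAP configuration that enables DHE negotiation.

Added example, not code from the OpenLDAP project.  The sslscan output
below is constructed; the config attribute names come from the thread,
the file path is an assumption.
"""
import re

# One sslscan result line: "    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA"
SSLSCAN_LINE = re.compile(
    r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)"
)

# Constructed sample: slapd scanned with no TLSDHParamFile set.
# Only static-RSA suites are accepted; every DHE suite is rejected.
REPORT_BEFORE = """\
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
"""

# Constructed sample: the same server after TLSDHParamFile was added.
REPORT_AFTER = """\
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
"""


def parse_accepted(report):
    """Return the OpenSSL suite names that sslscan reported as 'Accepted'."""
    accepted = []
    for line in report.splitlines():
        m = SSLSCAN_LINE.match(line)
        if m and m.group(1) == "Accepted":
            accepted.append(m.group(4))
    return accepted


def provides_pfs(suite):
    """True if the suite uses an *authenticated* ephemeral key exchange.

    OpenSSL names ephemeral exchanges DHE-/EDH- (finite-field) and
    ECDHE-/EECDH- (elliptic-curve).  ADH-/AECDH- are ephemeral too but
    anonymous, i.e. unauthenticated, so they are deliberately not counted.
    """
    return suite.startswith(("DHE-", "EDH-", "ECDHE-", "EECDH-"))


def pfs_report(report):
    """Summarise which accepted suites give forward secrecy."""
    accepted = parse_accepted(report)
    pfs = [s for s in accepted if provides_pfs(s)]
    return {
        "accepted": accepted,
        "pfs": pfs,
        # DHE is what the thread is about: it needs TLSDHParamFile.
        "has_dhe": any(s.startswith(("DHE-", "EDH-")) for s in pfs),
        "has_ecdhe": any(s.startswith(("ECDHE-", "EECDH-")) for s in pfs),
    }


def slapd_conf_line(dh_file="/etc/openldap/dh.pem"):
    """slapd.conf directive that enables DHE suites (path is an assumption)."""
    return "TLSDHParamFile %s" % dh_file


def cn_config_ldif(dh_file="/etc/openldap/dh.pem"):
    """LDIF for ldapmodify against cn=config (olc* form of the same option)."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: olcTLSDHParamFile",
        "olcTLSDHParamFile: " + dh_file,
    ])


if __name__ == "__main__":
    for label, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        r = pfs_report(report)
        print("%s: accepted=%d pfs=%d dhe=%s" % (label, len(r["accepted"]),
                                                 len(r["pfs"]), r["has_dhe"]))
    if not pfs_report(REPORT_BEFORE)["has_dhe"]:
        print("No DHE suites accepted; add to slapd.conf:")
        print("  " + slapd_conf_line())
        print("or apply to cn=config:")
        print(cn_config_ldif())
```

Feed it a real sslscan run by replacing the constructed strings with the tool's stdout; the regex only looks at the per-suite result lines, so surrounding banner text is ignored. If the "before" picture is what you see, the fix is the single directive the thread names (or its olc* equivalent), after which the DHE suites move from "Rejected" to "Accepted".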