Philip Guenther wrote:
> On Fri, 6 Sep 2013, Michael Ströder wrote:
>> Dieter Klünter wrote:
>>> I wonder whether openldap, if compiled with openssl-1.x, will support
>>> PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
>>> This issue has been discussed on several mailing lists recently.
>>
>> Hmm...
>>
>> Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
>> sslscan with no cipher configuration directives in the server configurations
>> (only listing the "Accepted").
> ...
>> Any reason why the *DHE* ciphers seem not to be supported during the OpenLDAP
>> scan while they are with Apache on the very same system?
>
> Because you have to set the TLSDHParamFile / olcTLSDHParamFile config
> option.
>
> If that file doesn't contain DH parameters for the requested key length,
> then slapd/libldap will use compiled-in parameters for 512/1024/2048/4096
> lengths or generate parameters on the fly, so you can just use /dev/null
> as the 'file' for the option.
>
> Once you add that, slapd will negotiate DHE cipher suites.

Oh yeah, TLSDHParamFile /dev/null did the trick. Thanks.

And also invoking

openssl dhparam -out /etc/openldap/ssl.key/dhparam 2048

and setting

TLSDHParamFile /etc/openldap/ssl.key/dhparam

Ciao, Michael.
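Before pointing TLSDHParamFile at a file produced by openssl dhparam, it is worth confirming the file actually holds a probable safe prime of the intended size, since slapd will happily load whatever is there. The checker below is an added example, not code from this thread or from OpenLDAP; it parses the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g) inside the PEM block and reports bit length, primality of p and of (p-1)/2, and an overall verdict. The path /etc/openldap/ssl.key/dhparam is the one used in the thread; the 2048-bit minimum and the Miller-Rabin round count are assumptions.

```python
import base64
import random
import re

def _hdr(buf, pos, tag):  # DER tag/length at pos -> (content_start, content_len)
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, length

def parse_dh_der(der):
    """Return (p, g) from DER DHParameter ::= SEQUENCE { prime, base, ... } (PKCS#3)."""
    pos, _ = _hdr(der, 0, 0x30)            # outer SEQUENCE
    pos, n = _hdr(der, pos, 0x02)          # prime p
    p = int.from_bytes(der[pos:pos + n], "big", signed=True)
    pos, n = _hdr(der, pos + n, 0x02)      # generator g
    return p, int.from_bytes(der[pos:pos + n], "big", signed=True)

def parse_dh_pem(pem):
    """Unwrap the '-----BEGIN DH PARAMETERS-----' block written by openssl dhparam."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return parse_dh_der(base64.b64decode("".join(m.group(1).split())))

def is_probable_prime(n, rounds=16):  # Miller-Rabin; enough for a sanity check
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(p, g, min_bits=2048):
    """openssl dhparam emits safe primes (p = 2q + 1), so require that shape too."""
    prime, safe = is_probable_prime(p), is_probable_prime((p - 1) // 2)
    ok = p.bit_length() >= min_bits and prime and safe and 1 < g < p - 1
    return {"bits": p.bit_length(), "prime": prime, "safe_prime": safe, "ok": ok}
```

To check the file from the thread, read /etc/openldap/ssl.key/dhparam and pass its text to `check_dh_params(*parse_dh_pem(text))`; anything other than `ok: True` means the file should be regenerated before slapd is pointed at it.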