Re: Antw: Re: Perfect Forward Secrecy

[Howard Chu <hyc@symas.com>]

Ulrich Windl wrote:
> > > > Michael StrÃder<michael@stroeder.com> schrieb am 06.09.2013 um 23:33 in
> Nachricht <522A4A3A.9060401@stroeder.com>:
> > Howard Chu wrote:
> > > Dieter KlÃnter wrote:
> > > > Hi,
> > > > I wonder whether openldap, if compiled with openssl-1.x, will support
> > > > PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> > > > This issue has been discussed on several mailinglists recently.
> > >
> > > It already does, but you have to use the right cipher suites.
> > >
> > > Also see ITS #7595 http://www.openldap.org/its/index.cgi/Incoming?id=7595
> >
> > http://www.openldap.org/doc/admin24/tls.html mentions directive
> > 'TLSEphemeralDHParamFile' whereas slapd.conf(5) mentions 'TLSDHParamFile'.
>
> Please let me note that 'TLSDHParamFile' is just a terrible identifier. How
> large is the fine for using underscores like in 'TLS_DH_ParamFile'? ;-)

You're about 8 years late to be making that suggestion.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/