Re: PFS Ciphers



Emmanuel Dreyfus wrote:
Hi

I tried to use ciphers that bring PFS for OpenLDAP, but it did not work.
I used this cipher specification:

TLSCipherSuite ECDH:DH:!SHA:!MD5:!aNULL:!eNULL

I test it this way:
# Try every cipher OpenSSL knows, one handshake each, and print the
# "Cipher :" line from the SSL-Session block for any that succeed.
for i in `openssl ciphers ALL | tr ':' '\n'` ; do
    echo '' | openssl s_client -cipher $i -connect server:636 \
        2>/dev/null | awk '/  Cipher/{print}' ;
done

I get nothing. I understand ECDH needs some support code, but why aren't
DH ciphers available?

Read the slapd.conf(5) or slapd-config(5) manpage. You must configure the TLSDHParamFile.

Your ciphersuite is wrong anyway. You want DHE, not DH, for PFS.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
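Putting Howard's two points together, here is a small POSIX sh helper (an added example written for this archive page, not code from the thread or from OpenLDAP). It prints the corrected slapd.conf fragment, generates the DH parameters that TLSDHParamFile needs, and classifies cipher suites by the Kx= and Au= fields that `openssl ciphers -v` prints, so you can tell which suites actually give forward secrecy before pointing s_client at the server. The DH parameter path, the 2048-bit size and the sample cipher lines are assumptions for illustration; the sample lines are constructed to mirror the `openssl ciphers -v` layout. One caveat from the OpenSSL ciphers(1) manual: the `DH` and `ECDH` aliases match ephemeral, fixed and anonymous suites alike, which is why `DHE`/`ECDHE` is the spelling to use. TLS 1.3 suites print `Kx=any Au=any` and are always ephemeral; the classifier below only covers the TLS 1.2 and earlier suite names the thread is about.

```shell
#!/bin/sh
# Added example: corrected slapd.conf TLS settings for PFS, plus a
# checker for OpenSSL cipher listings. Not code from the thread or
# from OpenLDAP.

# Assumption: where slapd can read the generated DH parameters.
DHPARAM_FILE="${DHPARAM_FILE:-/usr/local/etc/openldap/dh2048.pem}"

# The original spec used the DH and ECDH aliases, which in OpenSSL's
# cipher-string syntax also cover static and anonymous suites. DHE and
# ECDHE select only the authenticated ephemeral ones.
PFS_SPEC='ECDHE:DHE:!SHA:!MD5:!aNULL:!eNULL'

# slapd.conf lines to set; TLSDHParamFile is what makes DHE suites usable.
slapd_tls_config() {
    printf 'TLSCipherSuite %s\n' "$PFS_SPEC"
    printf 'TLSDHParamFile %s\n' "$DHPARAM_FILE"
}

# Generate the DH group once; slow, so it is only run on request.
gen_dhparams() {
    openssl dhparam -out "$DHPARAM_FILE" 2048
}

# Classify one line of `openssl ciphers -v` output. True (0) when the
# key exchange is ephemeral DH or ECDH with an authenticated peer.
# Kx=DH/RSA, Kx=ECDH/RSA and the like are fixed (non-PFS) key exchange;
# Au=None is an anonymous suite with no server authentication at all.
pfs_kx() {
    kx=$(printf '%s\n' "$1" | sed -n 's/.*Kx=\([^ ]*\).*/\1/p')
    au=$(printf '%s\n' "$1" | sed -n 's/.*Au=\([^ ]*\).*/\1/p')
    case "$kx" in
        DH|ECDH) ;;
        *) return 1 ;;
    esac
    [ "$au" != "None" ]
}

# Read `openssl ciphers -v` lines on stdin, print the names of the
# suites that give forward secrecy.
pfs_filter() {
    while IFS= read -r line; do
        if pfs_kx "$line"; then
            printf '%s\n' "${line%% *}"
        fi
    done
}

# Constructed sample in the `openssl ciphers -v` layout: two PFS suites,
# one fixed-DH suite, one anonymous suite, one plain RSA suite.
SAMPLE_CIPHERS='DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Live check against a real server (host:port): offer only the PFS
# spec and print the negotiated suite from the SSL-Session block.
# Empty output means the server still has no DHE/ECDHE suite enabled,
# typically because TLSDHParamFile is missing or slapd was not restarted.
live_check() {
    openssl s_client -cipher "$PFS_SPEC" -connect "$1" </dev/null 2>/dev/null \
        | awk '/  Cipher/{print}'
}

# Only touch the network or generate parameters when asked to.
if [ -n "${LDAP_SERVER:-}" ]; then
    [ -f "$DHPARAM_FILE" ] || gen_dhparams
    slapd_tls_config
    live_check "$LDAP_SERVER"
fi
```

Run it as `LDAP_SERVER=server:636 sh pfs-check.sh` after restarting slapd with the two printed lines in place; without LDAP_SERVER it only defines the functions, which is how the classification can be exercised on the constructed sample with `printf '%s\n' "$SAMPLE_CIPHERS" | pfs_filter`.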