[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7595) OpenLDAP lacks a ECDHE key generation callback

To: openldap-its@OpenLDAP.org
Subject: (ITS#7595) OpenLDAP lacks a ECDHE key generation callback
From: crest@tzi.de
Date: Tue, 21 May 2013 01:20:03 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Jan Bramkamp
Version: 2.4.35
OS: FreeBSD 9.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (79.230.127.217)


OpenLDAP supports PFS TLS cipher suites using DHE with the
DH *tlso_tmp_dh_cb(SSL*,int,int) callback in libraries/libldap/tls_o.c.
DHE-RSA/DSS cipher suites are very CPU intensive and noticeably increase latency
on low-power hardware. While OpenLDAP supports ECDH-ECDSA cipher suites these
lack the PFS offered by DHE-RSA/DSS cipher suites.

>From my initial search it looks like the correct API to register such a callback
would be SSL_CTX_set_tmp_ecdh_callback(), but im not familiar the OpenLDAP code
base so patching it my self could have unintended consequences.

This how the CA was generated:
    CURVE=secp384r1

    openssl ecparam -out private/ca-key.pem -name $CURVE -genkey &&
    openssl req -new -x509 -days 365 -key private/ca-key.pem -out
certs/ca-cert.pem

    openssl ecparam -out private/auth1-key.pem -name $CURVE -genkey &&
    openssl req -new -key private/auth1-key.pem -out newcerts/auth1-csr.pem &&
    openssl ca -config /usr/local/openssl/openssl.cnf -out certs/auth1-cert.pem
-infiles newcerts/auth1-csr.pem

The (EC)DH paramter file was generated with:
    openssl ecparam -name $CURVE

This was tested with slapd linked against OpenSSL 1.0.1e from ports on FreeBSD
9.1/amd64.

Prev by Date: Re: (ITS#7591) back-meta modify operation not sending result to client
Next by Date: RE: (ITS#7591) back-meta modify operation not sending result to client
Index(es):
- Chronological
- Thread