[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7595) OpenLDAP lacks a ECDHE key generation callback
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7595) OpenLDAP lacks a ECDHE key generation callback
- From: hyc@symas.com
- Date: Wed, 22 May 2013 16:21:00 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
crest@tzi.de wrote:
> Full_Name: Jan Bramkamp
> Version: 2.4.35
> OS: FreeBSD 9.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (79.230.127.217)
>
>
> OpenLDAP supports PFS TLS cipher suites using DHE with the
> DH *tlso_tmp_dh_cb(SSL*,int,int) callback in libraries/libldap/tls_o.c.
> DHE-RSA/DSS cipher suites are very CPU intensive and noticeably increase latency
> on low-power hardware. While OpenLDAP supports ECDH-ECDSA cipher suites these
> lack the PFS offered by DHE-RSA/DSS cipher suites.
>
>>From my initial search it looks like the correct API to register such a callback
> would be SSL_CTX_set_tmp_ecdh_callback(), but im not familiar the OpenLDAP code
> base so patching it my self could have unintended consequences.
>
> This how the CA was generated:
> CURVE=secp384r1
>
> openssl ecparam -out private/ca-key.pem -name $CURVE -genkey &&
> openssl req -new -x509 -days 365 -key private/ca-key.pem -out
> certs/ca-cert.pem
>
> openssl ecparam -out private/auth1-key.pem -name $CURVE -genkey &&
> openssl req -new -key private/auth1-key.pem -out newcerts/auth1-csr.pem &&
> openssl ca -config /usr/local/openssl/openssl.cnf -out certs/auth1-cert.pem
> -infiles newcerts/auth1-csr.pem
>
> The (EC)DH paramter file was generated with:
> openssl ecparam -name $CURVE
>
> This was tested with slapd linked against OpenSSL 1.0.1e from ports on FreeBSD
> 9.1/amd64.
>
>
Some background info in this thread
http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/