
Re: ITS#4354 syncrepl over sasl external tls fails

hyc@symas.com wrote:
> This looks like an unforeseen side-effect of the ITS#4017 fix that went 
> into 2.3.12. Now that we support the Diffie-Hellman handshakes, you will 
> get the Anonymous Diffie-Hellman (ADH) exchanges when you enable HIGH in 
> your cipher suites. In ADH no certificates are exchanged, so any attempt 
> to use them (e.g., SASL EXTERNAL) will fail. You need to add "!ADH" to 
> your cipher suite specification to prevent this problem from occurring.

This is now fixed in CVS HEAD; we now will not enable Diffie-Hellman key 
exchanges unless the DH parameter file is explicitly configured.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
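
The interaction described in this thread, as an added example that is not part of the original message or of OpenLDAP's code: a heuristic check of a slapd.conf for cipher strings that can admit ADH. It assumes the slapd.conf directives TLSCipherSuite and TLSDHParamFile; the function names, status strings, file path and sample configurations are hypothetical.

```python
import re

# Keywords that can pull anonymous-DH suites into an OpenSSL cipher list
# (conservative, non-exhaustive set chosen for this example).
MAY_INCLUDE_ADH = {"HIGH", "MEDIUM", "LOW", "ALL", "ADH", "aNULL", "DH",
                   "COMPLEMENTOFDEFAULT"}
# "!" removes suites permanently; "-ADH" is not enough, a later keyword can re-add them.
PERMANENT_EXCLUSIONS = {"!ADH", "!aNULL"}


def adh_possible(spec):
    """Heuristic: may this cipher string admit ADH? (Not OpenSSL's own resolver.)"""
    tokens = [t for t in re.split(r"[:, ]+", spec.strip()) if t]
    if any(t in PERMANENT_EXCLUSIONS for t in tokens):
        return False
    # Exact keyword matches only; "+"-combined tokens such as HIGH+aRSA are not analysed.
    return any(t in MAY_INCLUDE_ADH for t in tokens)


def audit_slapd_conf(text):
    """Classify a slapd.conf by whether ADH could be negotiated."""
    suite = dh_file = None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "tlsciphersuite":
            suite = value
        elif key == "tlsdhparamfile":
            dh_file = value
    if suite is None:
        return "no-suite"          # library default applies; not analysed here
    if not adh_possible(suite):
        return "ok"
    # With the fix described above, DH is only enabled when a DH parameter
    # file is configured; without the fix, HIGH alone is enough.
    return "adh-enabled" if dh_file else "adh-without-fix"


# Constructed sample configurations (not taken from the ITS report).
SAMPLES = {
    "reported": "TLSCipherSuite HIGH\n",
    "workaround": "TLSCipherSuite HIGH:!ADH\n",
    "dh_on": "TLSCipherSuite HIGH:MEDIUM\nTLSDHParamFile /etc/openldap/dh.pem\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(name, audit_slapd_conf(conf))
```

A result of "adh-enabled" or "adh-without-fix" means certificate-based authentication such as SASL EXTERNAL can fail for the reason given above; adding "!ADH" to the cipher string moves the configuration to "ok".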