
Re: Perfect Forward Secrecy



Michael Ströder wrote:
Howard Chu wrote:
Dieter Klünter wrote:
Hi,
I wonder whether openldap, if compiled with openssl-1.x, will support
PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
This issue has been discussed on several mailinglists recently.

It already does, but you have to use the right cipher suites.

Also see ITS #7595 http://www.openldap.org/its/index.cgi/Incoming?id=7595

Please correct if I'm wrong. But this ITS seems to be about using the cipher
suites based on elliptic curves with EC server key/cert.

But what about just the DHE-RSA cipher suites like DHE-RSA-AES256-SHA for
TLSv1 with RSA-based server key/cert?

Why does Apache support this out-of-the-box and OpenLDAP 2.4.36 does not?
Do I have to configure something else?

You have to configure TLSDHParamFile. This appears to be an oversight: while we have some default DH parameters hardcoded in libldap, none of them actually get used unless you've set the TLSDHParamFile directive. Also related to ITS#7506.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
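A small configuration audit for the point made in the reply above, added here as an example that is not OpenLDAP code nor anything posted by the thread's participants: it parses a slapd.conf fragment (the sample is constructed), classifies each TLSCipherSuite token by key exchange from its name alone, and flags listed DHE suites as unusable when TLSDHParamFile is absent.

```python
# Added example, not OpenLDAP code; the slapd.conf fragment below is constructed.
SAMPLE_SLAPD_CONF = """\
TLSCertificateFile    /etc/ldap/server.crt
TLSCertificateKeyFile /etc/ldap/server.key
TLSCipherSuite        DHE-RSA-AES256-SHA:AES256-SHA
"""

def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf fragment."""
    directives = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip()
    return directives

def key_exchange(token):
    """Classify one TLSCipherSuite token by its key exchange (name-based)."""
    if token.startswith("ECDHE-"):
        return "ECDHE"
    if token.startswith(("DHE-", "EDH-")):
        return "DHE"
    if token.startswith("TLS_"):
        return "TLS13"    # TLS 1.3 suites always use ephemeral key exchange
    if "-" not in token:
        return "KEYWORD"  # cipher-string keyword such as HIGH or !aNULL
    return "RSA"          # static RSA key transport: no forward secrecy

def audit_pfs(conf_text):
    """Report which listed suites can actually give forward secrecy here."""
    d = parse_tls_directives(conf_text)
    by_kx = {}
    for t in filter(None, d.get("TLSCipherSuite", "").split(":")):
        by_kx.setdefault(key_exchange(t), []).append(t)
    has_dhparams = "TLSDHParamFile" in d
    dhe, ecdhe = by_kx.get("DHE", []), by_kx.get("ECDHE", [])
    findings = []
    if dhe and not has_dhparams:   # the oversight described in the reply
        findings.append("DHE suites listed but TLSDHParamFile unset: not used")
    if not (dhe or ecdhe or by_kx.get("TLS13")):
        findings.append("no ephemeral key-exchange suites listed")
    return {
        "dhe": dhe,
        "ecdhe": ecdhe,
        "static_rsa": by_kx.get("RSA", []),
        "dh_params_configured": has_dhparams,
        "dhe_usable": bool(dhe) and has_dhparams,
        "findings": findings,
    }
```

The classification is purely name-based, so it says what the configuration asks for, not what the linked OpenSSL build actually enables; for that, check the negotiated cipher on a real connection.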