
Re: Antw: Re: Perfect Forward Secrecy



Ulrich Windl wrote:
Michael Ströder <michael@stroeder.com> wrote on 06.09.2013 at 23:33 in
message <522A4A3A.9060401@stroeder.com>:
Howard Chu wrote:
Dieter Klünter wrote:
Hi,
I wonder whether openldap, if compiled with openssl-1.x, will support
PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
This issue has been discussed on several mailing lists recently.

It already does, but you have to use the right cipher suites.

Also see ITS #7595 http://www.openldap.org/its/index.cgi/Incoming?id=7595

http://www.openldap.org/doc/admin24/tls.html mentions directive
'TLSEphemeralDHParamFile' whereas slapd.conf(5) mentions 'TLSDHParamFile'.

Please let me note that 'TLSDHParamFile' is just a terrible identifier. How
large is the fine for using underscores like in 'TLS_DH_ParamFile'? ;-)

You're about 8 years late to be making that suggestion.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
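
The point made in the thread, that forward secrecy depends on which cipher suites are enabled, can be checked by expanding an OpenSSL cipher string and classifying each suite by key exchange. This is an added example, not code from the thread or from the OpenLDAP project; it assumes Python's ssl module is linked against OpenSSL and that the string is one you would give to slapd's TLSCipherSuite directive, and the function names are hypothetical.

```python
import ssl


def key_exchange(cipher):
    """Classify one entry of SSLContext.get_ciphers() by its key exchange."""
    name = cipher["name"]
    if cipher.get("protocol") == "TLSv1.3" or name.startswith("TLS_"):
        return "tls13"   # TLS 1.3 suites do not name a key exchange
    if name.startswith("ECDHE-"):
        return "ecdhe"   # ephemeral elliptic-curve Diffie-Hellman
    if name.startswith(("DHE-", "EDH-")):
        return "dhe"     # ephemeral DH; the server needs DH parameters
    return "none"        # static RSA/DH, PSK-only, anonymous suites, etc.


def audit(cipher_string):
    """Expand an OpenSSL cipher string and group the suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    report = {"ecdhe": [], "dhe": [], "tls13": [], "none": []}
    for cipher in ctx.get_ciphers():
        report[key_exchange(cipher)].append(cipher["name"])
    return report


def forward_secret_only(cipher_string):
    """True when no enabled suite falls back to a non-ephemeral key exchange."""
    return not audit(cipher_string)["none"]


if __name__ == "__main__":
    # Constructed sample strings: a broad one and an ECDHE-only one.
    for candidate in ("HIGH:!aNULL:!MD5", "ECDHE+AESGCM"):
        result = audit(candidate)
        print(candidate)
        print("  forward-secret only:", forward_secret_only(candidate))
        print("  DHE suites (need DH parameters):", len(result["dhe"]))
        for name in result["none"]:
            print("  no forward secrecy:", name)
```

Any DHE suites reported depend on server-side Diffie-Hellman parameters, which is what the TLSDHParamFile directive mentioned in the thread supplies.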