On Tue, Jul 14, 2015 at 05:25:54PM +0200, Jens Vagelpohl wrote:
> Server Temp Key: DH, 1024 bits
Indeed I confirm OpenLDAP 2.4.40 support for TLSDHParamFile is broken.
The problem seems to be that slapd wants to set the DH parameters through
a callback, and I do not see how we can tell OpenSSL what DH parameter
length we want in that case. Hence it defaults to 1024 bits.
The attached patch is a first attempt to fix the problem:
- set the DH parameters once if they are supplied through TLSDHParamFile,
instead of using a callback
- Do use SSL_OP_SINGLE_DH_USE (sendmail does that). I do not know whether
it should also be used in the callback case.
- And while there add the code to support ECDH, it is simple and it does
not hurt (This is the same code I contributed to sendmail).
Opinions? Apart from that, must I file an ITS?
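As an added example, not part of this message or of the slapd patch it describes, the same three steps (DH parameters loaded once rather than via a callback, SSL_OP_SINGLE_DH_USE, and an ECDH curve) done through Python's ssl module, which wraps the corresponding OpenSSL calls. It assumes the RFC 3526 2048-bit group 14 as the content an admin would put in TLSDHParamFile, and prime256v1 as the ECDH curve; OpenSSL validates the generated PEM when the context loads it.

```python
import base64
import ssl
import tempfile
# Constructed input: RFC 3526 group 14 prime (2048 bits, generator 2); an assumed TLSDHParamFile content.
RFC3526_MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_integer(n):
    """DER INTEGER; a leading 0x00 keeps a value with the high bit set positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def dh_params_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    seq = der_integer(p) + der_integer(g)
    b64 = base64.b64encode(b"\x30" + der_length(len(seq)) + seq).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def server_context(dh_pem_path, curve="prime256v1"):
    """The patch's approach: parameters set once, no callback, single-use DH, ECDH on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_dh_params(dh_pem_path)      # SSL_CTX_set_tmp_dh: the size now comes from the file
    ctx.options |= ssl.OP_SINGLE_DH_USE  # fresh DH private value per handshake (always on, flag is 0, since OpenSSL 1.1.0)
    ctx.set_ecdh_curve(curve)            # SSL_CTX_set_tmp_ecdh equivalent
    return ctx

def build_and_describe(p=RFC3526_MODP_2048_P):
    """Write the PEM, load it the way slapd would, and report the DH size actually in use."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(dh_params_pem(p))
    ctx = server_context(fh.name)        # raises ssl.SSLError if OpenSSL rejects the parameters
    return {"dh_bits": p.bit_length(), "loaded": ctx is not None}
```

With a 1024-bit group in place of the constructed one, OpenSSL at security level 2 refuses the parameters at load time, which is the same weakness Jens's `Server Temp Key: DH, 1024 bits` line reveals from the client side.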