Issue 9054 - Add support for multiple EECDH curves
Summary: Add support for multiple EECDH curves
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.47
Hardware: All All
Importance: --- normal
Target Milestone: 2.4.52
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-16 20:45 UTC by Quanah Gibson-Mount
Modified: 2020-08-28 21:54 UTC (History)

See Also:


Attachments

Description Quanah Gibson-Mount 2019-07-16 20:45:37 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.47
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)


Currently OpenLDAP only allows for a single EECDH curve to be configured. 
However, OpenSSL 1.0.2 released in January 2015 was the first release to
implement negotiation of supported curves in TLS servers.  OpenLDAP needs
updating to support this functionality.
Comment 1 Quanah Gibson-Mount 2019-07-16 23:39:08 UTC
--On Tuesday, July 16, 2019 9:45 PM +0000 quanah@openldap.org wrote:

> Full_Name: Quanah Gibson-Mount
> Version: 2.4.47
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.128.44)
>
>
> Currently OpenLDAP only allows for a single EECDH curve to be configured.
> However, OpenSSL 1.0.2 released in January 2015 was the first release to
> implement negotiation of supported curves in TLS servers.  OpenLDAP needs
> updating to support this functionality.


tls_dh.c in postfix/src/tls_dh.c gives some insight into how to correctly
do this with OpenSSL, in the tls_auto_eecdh_curves function.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


Comment 2 Quanah Gibson-Mount 2020-08-21 18:38:17 UTC
OL head:

Commits: 
  • 2386a116 
by Howard Chu at 2020-08-21T07:58:07+01:00 
ITS#9054 Add support for multiple EECDH curves

Requires OpenSSL 1.0.2 or newer
Comment 3 Quanah Gibson-Mount 2020-08-21 19:10:32 UTC
additional in master for slapd:
Commits: 
  • 650b1404 
by Howard Chu at 2020-08-21T20:06:56+01:00 
ITS#9054, #9318 add new TLS options to slapd bindconf
Comment 4 Quanah Gibson-Mount 2020-08-24 15:15:38 UTC
RE24:

  • aacec4c8 
by Howard Chu at 2020-08-21T22:21:43+00:00 
ITS#9054 Add support for multiple EECDH curves

Requires OpenSSL 1.0.2 or newer

  • a9f42b12 
by Howard Chu at 2020-08-21T23:02:11+00:00 
ITS#9054, #9318 add new TLS options to slapd bindconf

For use with back-ldap/back-meta/syncrepl/etc
Comment 5 Quanah Gibson-Mount 2020-08-27 15:08:15 UTC
head:

Commits: 
  • 53676779 
by Howard Chu at 2020-08-27T11:22:58+01:00 
ITS#9054 fix typo

RE24:

Commits: 
  • d2139d5c 
by Howard Chu at 2020-08-27T15:05:46+00:00 
ITS#9054 fix typo
Comment 6 Quanah Gibson-Mount 2020-08-28 15:30:21 UTC
trunk:
Commits: 
  • d5ed7c50 
by Howard Chu at 2020-08-28T11:09:25+01:00 
ITS#9054, #9318 document new TLS options in slapd

RE24:

Commits: 
  • cfc231a5 
by Howard Chu at 2020-08-28T15:27:59+00:00 
ITS#9054, #9318 document new TLS options in slapd