Re: how to tell client to use ssf=256 instead of ssf=128
- To: Tobias Hachmer <lists@kokelnet.de>
- Subject: Re: how to tell client to use ssf=256 instead of ssf=128
- From: Erwann Abalea <eabalea@gmail.com>
- Date: Mon, 8 Oct 2012 21:01:36 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <e5eea787c4bd5964b0fe49817b8036ac@hachmer.de>
- References: <e5eea787c4bd5964b0fe49817b8036ac@hachmer.de>
Bonsoir,
2012/10/8 Tobias Hachmer <lists@kokelnet.de>:
> I'm using openldap 2.4.28 on ubuntu server and configured TLS.
> I want to allow write operations only when ssf=256 is used. (security
> update_ssf=256)
[...]
> 1. Why is the client connecting with ssf=128?
That's a result of ciphersuite negotiation.
> 2. Can I influence the ssf used by client, if yes, how?
Just allow 256bits ciphersuites on the client or the server, or place
256bits ciphersuites first in the list.
Try adding this to your global ldap.conf or local .ldaprc file:
TLS_CIPHER_SUITE AES256
or
TLS_CIPHER_SUITE SECURE256
Depending on the crypto library used (OpenSSL or GNUTLS).
> 3. Maybe a certificate issue?
No. You can do DES (56bits) or AES256 with the same certificate.
--
Erwann.
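
Added example, not part of the original message: a toy Python model of the ciphersuite negotiation described above, showing how a client list that puts a 128-bit suite first ends up at ssf=128 and how each suggested change reaches ssf=256. The suite table, preference lists and function names are constructed for illustration; the model assumes the ssf equals the selected suite's key size and that update_ssf is a minimum.

```python
# Toy model of TLS ciphersuite selection and the resulting SSF.
# Suite names follow OpenSSL naming; the table and lists are constructed samples.
SUITE_BITS = {
    "AES256-SHA": 256,
    "AES128-SHA": 128,
    "DES-CBC-SHA": 56,
}

def negotiate(client_prefs, server_prefs, server_order=False):
    """Return (suite, ssf) for the first mutually supported suite.

    The client offers its suites in preference order. The server picks from
    the intersection, following the client's order or (server_order=True)
    its own. Returns (None, 0) when nothing overlaps (handshake fails).
    """
    if server_order:
        first, second = server_prefs, client_prefs
    else:
        first, second = client_prefs, server_prefs
    for suite in first:
        if suite in second:
            return suite, SUITE_BITS[suite]
    return None, 0

def write_allowed(ssf, update_ssf=256):
    """Model of 'security update_ssf=256': updates need at least that ssf."""
    return ssf >= update_ssf

def scenarios():
    """Run the unrestricted case and the fixes suggested in the reply."""
    mixed = ["AES128-SHA", "AES256-SHA", "DES-CBC-SHA"]   # 128-bit suite first
    only256 = ["AES256-SHA"]                              # like 'AES256'
    reordered = ["AES256-SHA", "AES128-SHA", "DES-CBC-SHA"]
    return {
        "unrestricted": negotiate(mixed, mixed),
        "client_only_256": negotiate(only256, mixed),
        "server_only_256": negotiate(mixed, only256),
        "client_256_first": negotiate(reordered, mixed),
        "server_order_256_first": negotiate(mixed, reordered, server_order=True),
        "no_overlap": negotiate(["DES-CBC-SHA"], only256),
    }

if __name__ == "__main__":
    for name, (suite, ssf) in scenarios().items():
        print(f"{name:24} suite={suite} ssf={ssf} write_allowed={write_allowed(ssf)}")
```

Restricting either side to 256-bit suites turns a silent downgrade into a failed handshake when the peer supports nothing stronger, which is the "no_overlap" case.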