[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Perfect Forward Secrecy

On Fri, 6 Sep 2013, Michael Ströder wrote:
> Dieter Klünter wrote:
> > I wonder whether openldap, if compiled with openssl-1.x, will support
> > PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> > This issue has been discussed on several mailinglists recently.
> Hmm...
> Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
> sslscan with no cipher configuration directives in the server configurations
> (only listing the "Accepted").
> Any reason why the *DHE* ciphers seems not to be supported during OpenLDAP
> scan which they are with Apache on the very same system?

Because you have to set the TLSDHParamFile / olcTLSDHParamFile config 

If that file doesn't contain DH parameters for the requested key length, 
then slapd/libldap will use compiled in parameters for 512/1024/2048/4096 
lengths or generate parameters on the fly, so you can just use /dev/null 
as the 'file' for the option.

Once you add that, slapd will negotiate DHE cipher suites.

Philip Guenther