[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL

11 Sep 2021


      https://bugs.openldap.org/show_bug.cgi?id=9687
Issue ID: 9687
           Summary: olcTLSECName is not required in order to use
                    ECDHE-based cipher suites in OpenSSL
           Product: OpenLDAP
           Version: 2.5.7
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: documentation
          Assignee: bugs@openldap.org
          Reporter: dpa-openldap@aegee.org
  Target Milestone: ---
SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic
Curves.  It does not say, that the option is required, nor does it say what
happens, when the option is not set.
https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for
TLSECName: This is required in order to use ECDHE-based cipher suites in
OpenSSL.
I do not set TLSECName and call
./testssl.sh ldap.aegee.org:636
which prints:
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits    
Cipher Suite Name (IANA/RFC)                                                   
----------------------------------------------------------------------------------------------------------------------------- 
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256     
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256     
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128     
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.3 (server order)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256     
TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256     
TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128     
TLS_AES_128_GCM_SHA256
Testing robust forward secrecy (FS) -- omitting Null
Authentication/Encryption, 3DES, RC4
Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
This means, that when olcTLSECName is not set, OpenSSL defaults are used, and
ECDHE-based cipher suites are still offered.
testssl.sh can be obtianed from https://github.com/drwetter/testssl.sh .
-- 
You are receiving this mail because:
You are on the CC list for the issue.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL