https://bugs.openldap.org/show_bug.cgi?id=9687
Issue ID: 9687
Summary: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic Curves. It does not say that the option is required, nor does it say what happens when the option is not set.
https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for TLSECName: This is required in order to use ECDHE-based cipher suites in OpenSSL.
I do not set TLSECName and call
./testssl.sh ldap.aegee.org:636
which prints:
Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.   Encryption  Bits  Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA          ECDH 256   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA          ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.1 (server order)
 xc014   ECDHE-RSA-AES256-SHA          ECDH 256   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA          ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 253   AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305   ECDH 253   ChaCha20    256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 253   AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc028   ECDHE-RSA-AES256-SHA384       ECDH 253   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc027   ECDHE-RSA-AES128-SHA256       ECDH 253   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc014   ECDHE-RSA-AES256-SHA          ECDH 253   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA          ECDH 253   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.3 (server order)
 x1302   TLS_AES_256_GCM_SHA384        ECDH 253   AESGCM      256   TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 253   ChaCha20    256   TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256        ECDH 253   AESGCM      128   TLS_AES_128_GCM_SHA256
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
This means that when olcTLSECName is not set, OpenSSL defaults are used, and ECDHE-based cipher suites are still offered.
testssl.sh can be obtained from https://github.com/drwetter/testssl.sh .
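The testssl.sh run above probes slapd from the outside. The same point (an OpenSSL 1.1+ server offers ECDHE key exchange with no curve configured) can be checked from the inside against the OpenSSL that a process is linked with. The following is an added example, not code from the issue or from the OpenLDAP project: it uses Python's ssl module, which wraps OpenSSL, to list the ECDHE suites of a default server context and to compare that with a context pinned to one named curve, the equivalent of setting olcTLSECName. The function names (default_server_context, pinned_curve_context, forward_secrecy_report, openssl_auto_curves_supported) are mine.

```python
"""Added example: what OpenSSL offers when no curve is configured.

Not part of ITS#9687 or of OpenLDAP. Uses the ssl module's view of the
linked OpenSSL build; run it on the host whose OpenSSL slapd links against.
"""
import ssl


def openssl_auto_curves_supported():
    """OpenSSL >= 1.1.0 selects ECDHE curves automatically, which is why
    TLSECName stopped being required (see Comment #1 above)."""
    return ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)


def default_server_context():
    """A server context with OpenSSL defaults: no curve set at all,
    the equivalent of a slapd configured without olcTLSECName."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def pinned_curve_context(curve="prime256v1"):
    """A server context restricted to one named curve, the equivalent of
    olcTLSECName: <curve>. 'prime256v1' is one of the curves testssl.sh
    listed above; it is an assumed sample value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ecdh_curve(curve)
    return ctx


def ecdhe_suites(ctx):
    """Names of the (pre-1.3) cipher suites in ctx whose key exchange is ECDHE.
    get_ciphers() reports the key-exchange algorithm as 'kx-ecdhe'."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-ecdhe"]


def forward_secrecy_report(ctx):
    """Summarise the enabled suites the way testssl.sh's FS section does:
    ECDHE suites, TLS 1.3 suites (always (EC)DHE) and suites with no forward
    secrecy (static RSA key exchange)."""
    suites = ctx.get_ciphers()
    return {
        "ecdhe_tls12": [c["name"] for c in suites if c["kea"] == "kx-ecdhe"],
        "tls13": [c["name"] for c in suites if c["protocol"] == "TLSv1.3"],
        "no_fs": [
            c["name"]
            for c in suites
            if c["protocol"] != "TLSv1.3" and c["kea"] not in ("kx-ecdhe", "kx-dhe")
        ],
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "auto curves:", openssl_auto_curves_supported())
    for label, ctx in (("defaults", default_server_context()),
                       ("pinned prime256v1", pinned_curve_context())):
        report = forward_secrecy_report(ctx)
        print(f"[{label}] ECDHE suites: {len(report['ecdhe_tls12'])}, "
              f"TLS1.3 suites: {len(report['tls13'])}, "
              f"no forward secrecy: {report['no_fs']}")
```

Pinning a curve changes which curve is used, not whether ECDHE suites are enabled, so both contexts list the same ECDHE suites; the 'no_fs' entries show which enabled suites a TLSCipherSuite setting would need to exclude to match the "robust forward secrecy" section of the testssl.sh report.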
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed           |Added
-----------------+------------------+------------------
Assignee         |bugs@openldap.org |hyc@openldap.org
Target Milestone |---               |2.5.8
Keywords         |needs_review      |
Howard Chu hyc@openldap.org changed:
What     |Removed |Added
---------+--------+------------------------------------------------
See Also |        |https://bugs.openldap.org/show_bug.cgi?id=7595

--- Comment #1 from Howard Chu hyc@openldap.org ---
The docs were correct as of the time they were written, in 2013, using OpenSSL 1.0. I guess we can remove that note now that we're using OpenSSL 1.1.1 or newer.
Howard Chu hyc@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Resolution |---         |TEST
Status     |UNCONFIRMED |RESOLVED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
• a7717ae7 by Howard Chu at 2021-09-14T17:56:03+01:00
  ITS#9687 TLSECName is no longer required with OpenSSL 1.1+
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
RE26:
• 13f35c4d by Howard Chu at 2021-09-14T17:22:39+00:00
  ITS#9687 TLSECName is no longer required with OpenSSL 1.1+

RE25:
Commits:
• 53a32ae0 by Howard Chu at 2021-09-14T17:22:48+00:00
  ITS#9687 TLSECName is no longer required with OpenSSL 1.1+
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
• 86baf9a5 by Howard Chu at 2021-09-14T18:54:05+01:00
  ITS#9687 re-fix: refer to OpenSSL docs instead
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
RE26:
Commits:
• 039454b6 by Howard Chu at 2021-09-15T15:36:30+00:00
  ITS#9687 re-fix: refer to OpenSSL docs instead

RE25:
Commits:
• d6810115 by Howard Chu at 2021-09-15T15:39:55+00:00
  ITS#9687 re-fix: refer to OpenSSL docs instead
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed  |Added
-----------+---------+---------
Status     |RESOLVED |VERIFIED
Resolution |TEST     |FIXED