Michael Ströder wrote:
Quanah Gibson-Mount wrote:
--On Friday, January 10, 2014 11:18 AM +0100 Michael Ströder michael@stroeder.com wrote:
Hmm, ITS#7683 was meant to show which clients are connecting with Perfect Forward Secrecy.
The change does not apply cleanly and results in a substantial number of merge issues. Given this, it will not be merged into the RE24 branch. It will be part of 2.5.
I can't believe that the OpenLDAP project wants to postpone such an important feature for another year or two (until 2.5 stable release). Today all mail and HTTP servers can log the TLS cipher negotiated for a connection. It's a really urgent feature to centrally examine existing client configurations.
2.4 is in feature freeze. We tried to accommodate your request, despite the freeze, but the code changes are too extensive. The idea here is to quit making any major upheavals in the 2.4 branch, not keep adding them in perpetuity.
Examining client configuration really isn't even relevant. If you want to ensure that a secure cipher is negotiated, then configure a narrower set of supported ciphers. This is hardly as critical a feature as you make it out to be.