Michael Ströder wrote:
> Quanah Gibson-Mount wrote:
> > --On Friday, January 10, 2014 11:18 AM +0100 Michael Ströder
> > <michael(a)stroeder.com> wrote:
> >>
> >> Hmm, ITS#7683 was meant to show which clients are connecting with Perfect
> >> Forward Secrecy.
> >
> > The change does not apply cleanly and results in a substantial number of merge
> > issues. Given this, it will not be merged into the RE24 branch. It will be
> > part of 2.5.
> I can't believe that the OpenLDAP project wants to postpone such an important
> feature for another year or two (until 2.5 stable release). Today all mail and
> HTTP servers can log the TLS cipher negotiated for a connection. It's a really
> urgent feature to centrally examine existing client configurations.
2.4 is in feature freeze. We tried to accommodate your request, despite the
freeze, but the code changes are too extensive. The idea here is to quit
making any major upheavals in the 2.4 branch, not keep adding them in perpetuity.
Examining client configuration really isn't even relevant. If you want to
ensure that a secure cipher is negotiated, then configure a narrower set of
supported ciphers. This is hardly as critical a feature as you make it out to be.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
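The reply above suggests narrowing the server's cipher list instead of logging what each client negotiates. The following is an added example, not code from the thread or from OpenLDAP: it expands an OpenSSL cipher-list string of the kind given to slapd's TLSCipherSuite directive into the concrete suites the local OpenSSL build would offer, and reports which of them lack forward secrecy. The two suite strings are constructed sample values, not a recommendation from the thread.

```python
import re
import ssl

# Constructed sample values for slapd's TLSCipherSuite directive
# (assumed strings chosen for illustration, not from the thread).
WEAK_SUITE = "HIGH:!aNULL:!MD5"          # still admits static-RSA key exchange
PFS_SUITE = "ECDHE+AESGCM:DHE+AESGCM"    # only ephemeral (EC)DH key exchange

# Key-exchange labels printed by OpenSSL that give forward secrecy.
# "any" is what OpenSSL reports for TLS 1.3 suites, which always use (EC)DHE.
PFS_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def expand_cipher_suite(spec):
    """Expand an OpenSSL cipher-list string into the ciphers this build
    would actually offer. Returns a list of (name, protocol, kx) tuples,
    where kx is the key-exchange label from OpenSSL's cipher description."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches the spec
    result = []
    for cipher in ctx.get_ciphers():
        # description looks like: "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA ..."
        match = re.search(r"Kx=(\S+)", cipher["description"])
        kx = match.group(1) if match else "?"
        result.append((cipher["name"], cipher["protocol"], kx))
    return result


def non_pfs_ciphers(spec):
    """Names of suites in `spec` whose key exchange gives no forward
    secrecy (static RSA, plain PSK, and so on)."""
    return [name for name, _proto, kx in expand_cipher_suite(spec)
            if kx not in PFS_KX]


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SUITE), ("pfs", PFS_SUITE)):
        suites = expand_cipher_suite(spec)
        bad = non_pfs_ciphers(spec)
        print(f"{label}: {len(suites)} suites offered, "
              f"{len(bad)} without forward secrecy: {bad}")
```

Because the expansion uses the local OpenSSL library, run it on the host that runs slapd to see exactly what that build will offer.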