Michael Ströder wrote:
Howard Chu wrote:
Dieter Klünter wrote:
Hi, I wonder whether openldap, if compiled with openssl-1.x, will support PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy This issue has been discussed on several mailing lists recently.
It already does, but you have to use the right cipher suites.
Also see ITS #7595 http://www.openldap.org/its/index.cgi/Incoming?id=7595
Please correct me if I'm wrong, but this ITS seems to be about using the cipher suites based on elliptic curves with an EC server key/cert.
But what about just the DHE-RSA cipher suites like DHE-RSA-AES256-SHA for TLSv1 with RSA-based server key/cert?
Why does Apache support this out-of-the-box and OpenLDAP 2.4.36 does not? Do I have to configure something else?
You have to configure TLSDHParamFile. This appears to be an oversight: while we have some default DH parameters hardcoded in libldap, none of them actually get used unless you've set the TLSDHParamFile directive. Also related to ITS#7506.
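The configuration step described above, as an added example that is not part of the original thread or of the OpenLDAP sources: generate a DH parameter file with the openssl CLI, point TLSDHParamFile at it in slapd.conf, and confirm from the client side that a DHE-RSA suite is actually negotiated. The file paths, the /etc/openldap layout and the host:port are assumptions; the cipher name DHE-RSA-AES256-SHA is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): enabling DHE-RSA cipher suites
# in slapd by supplying DH parameters via TLSDHParamFile. All paths are
# placeholders for illustration.

DHPARAM_FILE="${DHPARAM_FILE:-/etc/openldap/dhparam.pem}"

# Generate 2048-bit DH parameters for slapd (requires the openssl CLI).
# Without a DH parameter file, slapd will not offer DHE suites even if
# TLSCipherSuite lists them.
gen_dhparams() {
    openssl dhparam -out "$1" 2048
}

# Emit a slapd.conf TLS stanza that enables DHE-RSA suites. Cert, key and
# CA file locations are placeholders; the cipher string is OpenSSL syntax.
slapd_tls_config() {
    cat <<EOF
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd-key.pem
TLSDHParamFile        $1
TLSCipherSuite        DHE-RSA-AES256-SHA:HIGH:!aNULL:!MD5
EOF
}

# Return 0 if the given slapd.conf sets TLSDHParamFile to a non-empty path,
# 1 otherwise. This is the check a practitioner would run before restarting
# slapd, since a missing directive silently disables DHE.
has_dhparam_directive() {
    grep -Eq '^[[:space:]]*TLSDHParamFile[[:space:]]+[^[:space:]]+' "$1"
}

# Verify from the client side that the server will complete a handshake
# with a DHE-RSA suite; prints the negotiated cipher line from s_client.
# Usage: check_dhe ldap.example.com:636
check_dhe() {
    openssl s_client -connect "$1" -cipher DHE-RSA-AES256-SHA </dev/null 2>/dev/null \
        | grep -E '^(New, |[[:space:]]*Cipher[[:space:]]*:)'
}

# Typical sequence (commented out so the file can be sourced offline):
#   gen_dhparams "$DHPARAM_FILE"
#   slapd_tls_config "$DHPARAM_FILE" >> /etc/openldap/slapd.conf
#   has_dhparam_directive /etc/openldap/slapd.conf && echo "DH params configured"
#   check_dhe ldap.example.com:636
```

If slapd is configured through cn=config rather than slapd.conf, the corresponding attribute is olcTLSDHParamFile on the cn=config entry; the same "no file, no DHE" caveat applies. If check_dhe prints nothing, the server rejected the DHE-only cipher offer, which is exactly the symptom the thread describes.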