Ulrich Windl wrote:
Michael Ströder <michael@stroeder.com> wrote on 20.10.2014 at 08:47 in
message <5444B01F.2050701@stroeder.com>:
Ulrich Windl wrote:
Related question: If a slapcat of the config database doesn't show a value for TLSCipherSuite, does it mean it is some default value?
I'm pretty sure the default depends on the TLS lib used and how it was built for a certain OS.
Does it mean OpenLDAP has no idea about the default, unless you explicitly set it?
I think so. But maybe one of the core developers can confirm.
Also note that cipher keywords HIGH, MEDIUM etc. get mapped to some library-specific cipher sets which can change. E.g. the OpenSSL project decided to limit the set of ciphers defined with HIGH.
Which is...
=> always set TLSCipherSuite explicitly
...yet another reason to define TLS protocols and ciphers explicitly.
Ciao, Michael.
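
An added example, not part of the thread: a check over `slapcat -n0` output that reports when the global `cn=config` entry leaves the cipher suite or minimum protocol to the TLS library, or sets the cipher suite with class keywords such as HIGH. The sample LDIF is constructed, the function names are hypothetical, and `olcTLSCipherSuite` / `olcTLSProtocolMin` are the cn=config attribute names assumed for these settings.

```python
import base64
import re

# Constructed sample of `slapcat -n0` output (not from the thread); the
# line after olcTLSCipherSuite is an LDIF continuation (leading space).
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcTLSCipherSuite: HIGH:MEDIUM:
 !aNULL

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
"""

# OpenSSL-style class keywords whose expansion is decided by the TLS library.
CLASS_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW"}

def global_attrs(ldif):
    """Return the cn=config entry as {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    for entry in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in entry.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode()
            attrs.setdefault(name.lower(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == "cn=config":
            return attrs
    return {}

def audit_tls(ldif):
    """List findings about implicit or library-dependent TLS settings."""
    attrs = global_attrs(ldif)
    findings = []
    suite = attrs.get("olctlsciphersuite", [])
    if not suite:
        findings.append("olcTLSCipherSuite unset: TLS library default applies")
    else:
        tokens = re.split(r"[:, ]+", suite[0])
        used = sorted({t.lstrip("!+-").upper() for t in tokens} & CLASS_KEYWORDS)
        if used:
            findings.append("olcTLSCipherSuite uses class keywords: " + ",".join(used))
    if "olctlsprotocolmin" not in attrs:
        findings.append("olcTLSProtocolMin unset: TLS library default applies")
    return findings
```

An empty result means both settings are explicit and the cipher string names no class keyword; it says nothing about whether the listed ciphers are themselves strong.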