Dieter Klünter wrote:
I wonder whether openldap, if compiled with openssl-1.x, will support PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy This issue has been discussed on several mailing lists recently.
Hmm...
Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using sslscan with no cipher configuration directives in the server configurations (only listing the "Accepted").
OpenLDAP RE24 build:
Supported Server Cipher(s):
  Accepted  TLSv1    256 bits  AES256-SHA
  Accepted  TLSv1    256 bits  CAMELLIA256-SHA
  Accepted  TLSv1    168 bits  DES-CBC3-SHA
  Accepted  TLSv1    128 bits  AES128-SHA
  Accepted  TLSv1    128 bits  SEED-SHA
  Accepted  TLSv1    128 bits  CAMELLIA128-SHA
  Accepted  TLSv1    128 bits  RC4-SHA
  Accepted  TLSv1    128 bits  RC4-MD5
  Accepted  TLSv1    56 bits   DES-CBC-SHA
  Accepted  TLSv1    40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1    40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1    40 bits   EXP-RC4-MD5
  Accepted  TLSv1.1  256 bits  AES256-SHA
  Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1.1  168 bits  DES-CBC3-SHA
  Accepted  TLSv1.1  128 bits  AES128-SHA
  Accepted  TLSv1.1  128 bits  SEED-SHA
  Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
  Accepted  TLSv1.1  128 bits  RC4-SHA
  Accepted  TLSv1.1  128 bits  RC4-MD5
  Accepted  TLSv1.1  56 bits   DES-CBC-SHA
  Accepted  TLSv1.1  40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1.1  40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1.1  40 bits   EXP-RC4-MD5
  Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
  Accepted  TLSv1.2  256 bits  AES256-SHA256
  Accepted  TLSv1.2  256 bits  AES256-SHA
  Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1.2  168 bits  DES-CBC3-SHA
  Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
  Accepted  TLSv1.2  128 bits  AES128-SHA256
  Accepted  TLSv1.2  128 bits  AES128-SHA
  Accepted  TLSv1.2  128 bits  SEED-SHA
  Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
  Accepted  TLSv1.2  128 bits  RC4-SHA
  Accepted  TLSv1.2  128 bits  RC4-MD5
  Accepted  TLSv1.2  56 bits   DES-CBC-SHA
  Accepted  TLSv1.2  40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1.2  40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1.2  40 bits   EXP-RC4-MD5
Apache web server:
Supported Server Cipher(s):
  Accepted  TLSv1    256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1    256 bits  DHE-RSA-CAMELLIA256-SHA
  Accepted  TLSv1    256 bits  AES256-SHA
  Accepted  TLSv1    256 bits  CAMELLIA256-SHA
  Accepted  TLSv1    168 bits  EDH-RSA-DES-CBC3-SHA
  Accepted  TLSv1    168 bits  DES-CBC3-SHA
  Accepted  TLSv1    128 bits  DHE-RSA-AES128-SHA
  Accepted  TLSv1    128 bits  DHE-RSA-SEED-SHA
  Accepted  TLSv1    128 bits  DHE-RSA-CAMELLIA128-SHA
  Accepted  TLSv1    128 bits  AES128-SHA
  Accepted  TLSv1    128 bits  SEED-SHA
  Accepted  TLSv1    128 bits  CAMELLIA128-SHA
  Accepted  TLSv1    128 bits  RC4-SHA
  Accepted  TLSv1    128 bits  RC4-MD5
  Accepted  TLSv1    56 bits   EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1    56 bits   DES-CBC-SHA
  Accepted  TLSv1    40 bits   EXP-EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1    40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1    40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1    40 bits   EXP-RC4-MD5
  Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
  Accepted  TLSv1.1  256 bits  AES256-SHA
  Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1.1  168 bits  EDH-RSA-DES-CBC3-SHA
  Accepted  TLSv1.1  168 bits  DES-CBC3-SHA
  Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA
  Accepted  TLSv1.1  128 bits  DHE-RSA-SEED-SHA
  Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA
  Accepted  TLSv1.1  128 bits  AES128-SHA
  Accepted  TLSv1.1  128 bits  SEED-SHA
  Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
  Accepted  TLSv1.1  128 bits  RC4-SHA
  Accepted  TLSv1.1  128 bits  RC4-MD5
  Accepted  TLSv1.1  56 bits   EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1.1  56 bits   DES-CBC-SHA
  Accepted  TLSv1.1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1.1  40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1.1  40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1.1  40 bits   EXP-RC4-MD5
  Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384
  Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256
  Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
  Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
  Accepted  TLSv1.2  256 bits  AES256-SHA256
  Accepted  TLSv1.2  256 bits  AES256-SHA
  Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1.2  168 bits  EDH-RSA-DES-CBC3-SHA
  Accepted  TLSv1.2  168 bits  DES-CBC3-SHA
  Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256
  Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256
  Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA
  Accepted  TLSv1.2  128 bits  DHE-RSA-SEED-SHA
  Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA
  Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
  Accepted  TLSv1.2  128 bits  AES128-SHA256
  Accepted  TLSv1.2  128 bits  AES128-SHA
  Accepted  TLSv1.2  128 bits  SEED-SHA
  Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
  Accepted  TLSv1.2  128 bits  RC4-SHA
  Accepted  TLSv1.2  128 bits  RC4-MD5
  Accepted  TLSv1.2  56 bits   EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1.2  56 bits   DES-CBC-SHA
  Accepted  TLSv1.2  40 bits   EXP-EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1.2  40 bits   EXP-DES-CBC-SHA
  Accepted  TLSv1.2  40 bits   EXP-RC2-CBC-MD5
  Accepted  TLSv1.2  40 bits   EXP-RC4-MD5
Any reason why the *DHE* ciphers seem not to be supported during the OpenLDAP scan, while they are with Apache on the very same system?
Ciao, Michael.
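An added example, not part of this thread, that turns sslscan "Accepted" lines like the two scans above into a per-protocol count of forward-secret (DHE/EDH/ECDHE) and weak suites, so the PFS question Michael raises can be answered from a scan at a glance. The two sample scans are constructed excerpts modelled on the output quoted above, not the full output.

```python
import re
from collections import defaultdict

# One sslscan result line, e.g. "Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384"
LINE_RE = re.compile(r"^\s*Accepted\s+(TLSv1(?:\.[12])?|SSLv[23])\s+(\d+)\s+bits\s+(\S+)\s*$")

def is_forward_secret(cipher):
    """Ephemeral (EC)DH key exchange; OpenSSL names such suites with DHE, EDH, ECDHE or EECDH."""
    return bool({"DHE", "EDH", "ECDHE", "EECDH"} & set(cipher.split("-")))

def is_weak(cipher, bits):
    """Export-grade, RC4 or MD5-MAC suites, or fewer than 128 key bits (single DES and friends)."""
    return bits < 128 or cipher.startswith("EXP-") or "RC4" in cipher or cipher.endswith("-MD5")

def summarize(sslscan_output):
    """Map each protocol to counts of accepted suites, forward-secret suites and weak suites."""
    summary = defaultdict(lambda: {"total": 0, "pfs": 0, "weak": 0})
    for line in sslscan_output.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # headers, "Rejected" lines and noise are skipped
            continue
        proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
        summary[proto]["total"] += 1
        summary[proto]["pfs"] += is_forward_secret(cipher)
        summary[proto]["weak"] += is_weak(cipher, bits)
    return dict(summary)

def offers_pfs(sslscan_output):
    """True if at least one accepted suite on any protocol uses ephemeral DH."""
    return any(s["pfs"] > 0 for s in summarize(sslscan_output).values())

# Constructed excerpts modelled on the two scans in the thread (not the full output).
OPENLDAP_SCAN = """\
Supported Server Cipher(s):
  Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
  Accepted  TLSv1.2  128 bits  RC4-SHA
  Accepted  TLSv1    40 bits   EXP-RC4-MD5
"""
APACHE_SCAN = """\
Supported Server Cipher(s):
  Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384
  Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
  Accepted  TLSv1.2  40 bits   EXP-EDH-RSA-DES-CBC-SHA
  Accepted  TLSv1    128 bits  RC4-MD5
"""

if __name__ == "__main__":
    for name, scan in (("OpenLDAP", OPENLDAP_SCAN), ("Apache", APACHE_SCAN)):
        print(name, "PFS:", offers_pfs(scan), summarize(scan))
```

A server can only offer DHE suites when it has DH parameters loaded; for slapd the relevant setting is the TLSDHParamFile directive documented in slapd.conf(5).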