Emmanuel Dreyfus wrote:
On Tue, Jul 14, 2015 at 05:25:54PM +0200, Jens Vagelpohl wrote:
> Server Temp Key: DH, 1024 bits
Indeed I confirm OpenLDAP 2.4.40 support for TLSDHParamFile is broken. The problem seems to be that slapd wants to set the DH parameters through a callback, and I do not see how we can tell OpenSSL what DH parameter length we want in that case. Hence it defaults to 1024 bits.
The attached patch is a first attempt to fix the problem:
- set the DH parameters once if they are supplied through TLSDHParamFile, instead of using a callback
- Do use SSL_OP_SINGLE_DH_USE (sendmail does that). I do not know whether it should also be used in the callback case.
- And while there add the code to support ECDH, it is simple and it does not hurt (This is the same code I contributed to sendmail).
Opinions? Apart from that, must I file an ITS?
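Added example, not part of the thread or of the attached slapd patch: the same three points (load the DH parameters into the context once rather than in a callback, request a fresh DH private value per handshake, name an ECDH curve) expressed with Python's `ssl` module, plus the check behind the "Server Temp Key" line quoted above. The DH group is the published RFC 3526 2048-bit MODP prime, DER/PEM-encoded inline so nothing has to be generated; the curve name `prime256v1`, the 2048-bit threshold in `temp_key_is_weak`, and all function names are choices made for this example.

```python
import base64
import os
import re
import ssl
import tempfile

# RFC 3526 "group 14" 2048-bit MODP prime, generator 2 (published constant,
# embedded so the example needs no external parameter file).
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative int (leading 0x00 if high bit set)."""
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def dh_params_pem(p, g=2):
    """PKCS#3 DHParameter SEQUENCE { p, g } as a 'DH PARAMETERS' PEM block."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + \
        "\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(pem_text):
    """Bit length of the prime in a DH PARAMETERS PEM block (minimal DER walk)."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    assert der[0] == 0x30, "expected SEQUENCE"
    i = 1
    i += 1 + ((der[i] & 0x7F) if der[i] & 0x80 else 0)  # skip SEQUENCE length
    assert der[i] == 0x02, "expected INTEGER p"
    i += 1
    if der[i] & 0x80:
        n = der[i] & 0x7F
        length = int.from_bytes(der[i + 1:i + 1 + n], "big")
        i += 1 + n
    else:
        length, i = der[i], i + 1
    return int.from_bytes(der[i:i + length], "big").bit_length()


def build_server_context(dh_param_path, curve="prime256v1"):
    """Server context with DH parameters fixed up front, not chosen in a callback."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Point 1 of the patch: parameters come from the file, loaded once, so the
    # negotiated DH size is the file's size rather than a library default.
    ctx.load_dh_params(dh_param_path)
    # Point 2: fresh DH private value per handshake. OpenSSL >= 1.1.0 always
    # does this and defines the flag as 0, so the OR is harmless there.
    ctx.options |= ssl.OP_SINGLE_DH_USE
    # Point 3: pick the ECDH curve explicitly (curve name is this example's choice).
    ctx.set_ecdh_curve(curve)
    return ctx


def temp_key_is_weak(line, min_dh_bits=2048):
    """True if an 'openssl s_client' 'Server Temp Key' line shows DH below policy."""
    m = re.search(r"Server Temp Key:\s*(\w+),.*?(\d+)\s+bits", line)
    if not m:
        raise ValueError("not a Server Temp Key line: %r" % line)
    kind, bits = m.group(1), int(m.group(2))
    return kind == "DH" and bits < min_dh_bits


def demo():
    """Write the constructed parameters, load them into a context, report sizes."""
    pem = dh_params_pem(MODP_2048_P, 2)
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem)
        path = f.name
    try:
        build_server_context(path)  # raises if OpenSSL rejects the parameters
    finally:
        os.unlink(path)
    return {"dh_bits": dh_prime_bits(pem), "openssl": ssl.OPENSSL_VERSION}


if __name__ == "__main__":
    print(demo())
    print(temp_key_is_weak("Server Temp Key: DH, 1024 bits"))  # the quoted symptom
```

`temp_key_is_weak` is the post-deploy check: run `openssl s_client -connect host:636` against the fixed server and feed the `Server Temp Key` line through it; a correctly applied TLSDHParamFile of 2048 bits (or an ECDH key exchange) returns False.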
No ITS needed, this code was already rewritten in HEAD, ITS#7506.