On Tue, Jul 14, 2015 at 05:25:54PM +0200, Jens Vagelpohl wrote:
> Server Temp Key: DH, 1024 bits
Indeed, I confirm that OpenLDAP 2.4.40 support for TLSDHParamFile is broken. The problem seems to be that slapd wants to set the DH parameters through a callback, and I do not see how we can tell OpenSSL what DH parameter length we want in that case. Hence it defaults to 1024 bits.
The attached patch is a first attempt to fix the problem:
- set the DH parameters once if they are supplied through TLSDHParamFile, instead of using a callback
- do use SSL_OP_SINGLE_DH_USE (sendmail does that). I do not know whether it should also be used in the callback case.
- and while there, add the code to support ECDH; it is simple and it does not hurt (this is the same code I contributed to sendmail).
Opinions? Apart from that, must I file an ITS?
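Added here as a defender-side check, not code from the thread or from the attached patch: a POSIX shell function that classifies the "Server Temp Key" line printed by `openssl s_client` (the evidence quoted above), so a scan of LDAPS endpoints can flag servers that still negotiate 1024-bit DH or offer no ephemeral key at all. The 2048-bit DH / 256-bit ECDH thresholds and the sample output are my assumptions, and the function generalises beyond the report by also handling ECDH, X25519 and X448.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread.
# classify_temp_key reads `openssl s_client` output on stdin and prints one of:
#   WEAK     - finite-field DH below 2048 bits or ECDH below 256 bits (assumed policy)
#   OK       - key exchange meets the policy
#   NONE     - no "Server Temp Key" line: static key exchange, no forward secrecy
#   UNKNOWN  - a key type this check does not know
classify_temp_key() {
    # first matching line only; POSIX sed, no GNU grep -m needed
    line=$(sed -n '/^Server Temp Key:/{p;q;}')
    if [ -z "$line" ]; then
        echo NONE
        return 0
    fi
    # Formats seen from s_client:
    #   "Server Temp Key: DH, 1024 bits"
    #   "Server Temp Key: ECDH, P-256, 256 bits"
    #   "Server Temp Key: X25519, 253 bits"
    kind=$(printf '%s\n' "$line" | sed 's/^Server Temp Key: *\([A-Za-z0-9]*\),.*/\1/')
    bits=$(printf '%s\n' "$line" | sed 's/.*, *\([0-9]*\) bits.*/\1/')
    case "$kind" in
        DH)           [ "$bits" -ge 2048 ] && echo OK || echo WEAK ;;
        ECDH)         [ "$bits" -ge 256 ]  && echo OK || echo WEAK ;;
        X25519|X448)  echo OK ;;            # fixed-size curves, always at policy
        *)            echo "UNKNOWN($kind)" ;;
    esac
}

# check_endpoint host:port - live probe of an LDAPS port (hypothetical wrapper,
# needs network access; not exercised by the constructed sample below)
check_endpoint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_temp_key
}

# Constructed sample mimicking the report's s_client output (not a real capture).
SAMPLE='SSL handshake has read 2345 bytes and written 456 bytes
---
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Protocol  : TLSv1.2'

printf '%s\n' "$SAMPLE" | classify_temp_key   # prints WEAK
```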