Jens Vagelpohl wrote:
Hi all,
In my setup (CentOS7, OpenLDAP 2.4.41 from the LDAP Tool Box project) I am using the following slapd.conf parameters for SSL-related configuration:
TLSProtocolMin 3.1 TLSCertificateFile /etc/pki/tls/certs/NNN.crt TLSCertificateKeyFile /etc/pki/tls/private/NNN.key TLSCACertificateFile /etc/pki/tls/certs/NNN.ca.pem TLSDHParamFile /usr/local/openldap/etc/openldap/dh_2048.pem TLSCipherSuite AESGCM:!RSA:!DSS:!ADH:!aECDH
The file /usr/local/openldap/etc/openldap/dh_2048.pem is a valid DH parameter file with size 2048:
<snip> # openssl dh -in /usr/local/openldap/etc/openldap/dh_2048.pem -text -noout PKCS#3 DH Parameters: (2048 bit) prime: </snip>
I am now testing the actual DH parameter size used during a TLS connection with instructions from https://bettercrypto.org/blog/2015/05/20/tls-logjam/ and it only shows DH parameter size 1024:
<snip> $ echo | openssl s_client -connect alias01.alias.ooo:636 -cipher "EDH" 2>/dev/null … much output … No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: DH, 1024 bits </snip>
I was expecting "Server Temp Key: DH, 2048 bits”. Am I just testing this the wrong way or is there an issue with DH parameter configurations in OpenLDAP?
Works for me: ### subject=/C=US/ST=California/L=Los Angeles/O=Symas Corporation/OU=Intergalactic HQ/CN=localhost issuer=/C=US/ST=California/O=Symas Corporation/OU=Intergalactic HQ/CN=Symas Keymaster/emailAddress=admin@symas.com --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: DH, 2048 bits --- SSL handshake has read 3177 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 ### What is your cert's public key size?