Philip Guenther wrote:
> On Fri, 6 Sep 2013, Michael Ströder wrote:
>> Dieter Klünter wrote:
>>> I wonder whether openldap, if compiled with openssl-1.x, will support PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy This issue has been discussed on several mailing lists recently.
>> Hmm...
>> Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using sslscan with no cipher configuration directives in the server configurations (only listing the "Accepted").
>> ...
>> Any reason why the *DHE* ciphers seem not to be supported during the OpenLDAP scan, whereas they are with Apache on the very same system?
> Because you have to set the TLSDHParamFile / olcTLSDHParamFile config option.
> If that file doesn't contain DH parameters for the requested key length, then slapd/libldap will use compiled-in parameters for 512/1024/2048/4096 lengths or generate parameters on the fly, so you can just use /dev/null as the 'file' for the option.
> Once you add that, slapd will negotiate DHE cipher suites.
Oh yeah, TLSDHParamFile /dev/null did the trick. Thanks.
And also invoking

    openssl dhparam -out /etc/openldap/ssl.key/dhparam 2048

and setting

    TLSDHParamFile /etc/openldap/ssl.key/dhparam
Ciao, Michael.
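The thread boils down to one configuration check: without TLSDHParamFile (or olcTLSDHParamFile in cn=config) slapd offers no DHE suites at all, and once it is set the file may either hold real DH parameters or be /dev/null, in which case slapd falls back to its compiled-in or generated parameters. The script below is an added example written for this page, not code from the thread or from the OpenLDAP project. It audits a slapd.conf for that directive, verifies that a referenced file really contains PEM DH parameters, and wraps the two commands a practitioner would then run: the `openssl dhparam` generation Michael used and an `openssl s_client` probe that confirms a DHE suite is actually negotiated. The config paths and the demo files it builds are constructed for the example; the probe assumes an ldaps listener on port 636 and is not run here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a slapd.conf for the
# TLSDHParamFile directive that DHE cipher suites depend on.

# check_dhparam_config CONFIG_FILE
# Prints exactly one of:
#   missing         no TLSDHParamFile directive -> slapd offers no DHE suites
#   devnull         directive points at /dev/null -> compiled-in/generated params
#   absent:<path>   directive set, but the file is not readable
#   invalid:<path>  file exists but holds no PEM "DH PARAMETERS" block
#   ok:<path>       directive set and the file carries DH parameters
# Returns 0 for devnull/ok, 1 otherwise. slapd.conf directives are
# case-insensitive, so the match is done on the lower-cased first word.
check_dhparam_config() {
    conf="$1"
    path=$(awk 'tolower($1) == "tlsdhparamfile" { print $2 }' "$conf" | tail -n 1)
    if [ -z "$path" ]; then
        echo "missing"; return 1
    fi
    if [ "$path" = "/dev/null" ]; then
        echo "devnull"; return 0
    fi
    if [ ! -r "$path" ]; then
        echo "absent:$path"; return 1
    fi
    if grep -q 'BEGIN DH PARAMETERS' "$path"; then
        echo "ok:$path"; return 0
    fi
    echo "invalid:$path"; return 1
}

# generate_dhparams OUT_FILE [BITS]
# Same command Michael used in the thread; 2048 bits is the default here.
# Not executed in the demo below because generation takes minutes.
generate_dhparams() {
    out="$1"; bits="${2:-2048}"
    openssl dhparam -out "$out" "$bits"
}

# verify_dhe_negotiated HOST [PORT]
# Restricts the client to DHE suites only; if the handshake succeeds the
# server is offering them. Assumes an ldaps listener (default port 636).
# Not executed in the demo below because it needs a live server.
verify_dhe_negotiated() {
    host="$1"; port="${2:-636}"
    openssl s_client -connect "$host:$port" -cipher 'DHE' </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher) *:'
}

# Demo on constructed config files in a temporary directory.
demo=$(mktemp -d)

printf 'TLSCertificateFile /etc/openldap/ssl.key/server.pem\n' > "$demo/no-dh.conf"
printf 'TLSDHParamFile /dev/null\n' > "$demo/devnull.conf"
printf 'TLSDHParamFile %s/dhparam\n' "$demo" > "$demo/file.conf"
# Constructed stand-in for a real "openssl dhparam" output file (not valid params).
printf -- '-----BEGIN DH PARAMETERS-----\nMIIBCAKCAQEA\n-----END DH PARAMETERS-----\n' \
    > "$demo/dhparam"

for c in no-dh devnull file; do
    printf '%-8s -> ' "$c"
    check_dhparam_config "$demo/$c.conf" || true
done

rm -rf "$demo"
```

Run it as `sh check_dhparam.sh`; the three demo lines show `missing`, `devnull` and `ok:<path>`. The reason the check singles out `/dev/null` rather than treating it as an error is Philip's point above: it is a legitimate setting that enables DHE with slapd's built-in or on-the-fly parameters, so a scanner seeing no DHE suites should first look for a missing directive, not for a missing file.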