Hi,
while I was trying to find out why slapd does not use Perfect Forward Secrecy I found bug #7506 from September 2013. The patch has already been applied to the master branch but still cannot be found in any released version since. Why is this so? I would like to see good encryption in OpenLDAP for Debian.
Regards,
Christopher
Christopher Odenbach wrote:
> while I was trying to find out why slapd does not use Perfect Forward Secrecy I found bug #7506 from September 2013. The patch has already been applied to the master branch but still cannot be found in any released version since. Why is this so? I would like to see good encryption in OpenLDAP for Debian.
I'm having PFS with OpenLDAP linked against OpenSSL after setting TLSDHParamFile to point to a file generated with "openssl dhparam".
Not sure whether it works with Debian version which is linked against GnuTLS though.
Ciao, Michael.
On 05.11.2014 at 15:45, Michael Ströder wrote:
> I'm having PFS with OpenLDAP linked against OpenSSL after setting TLSDHParamFile to point to a file generated with "openssl dhparam".
> Not sure whether it works with Debian version which is linked against GnuTLS though.
The patch applies mainly to OpenLDAP with GnuTLS:
Christopher
> Hi,
> while I was trying to find out why slapd does not use Perfect Forward Secrecy I found bug #7506 from September 2013. The patch has already been applied to the master branch but still cannot be found in any released version since. Why is this so? I would like to see good encryption in OpenLDAP for Debian.
Anyone willing to give an answer to my question? I am glad the patch was accepted originally but I need it in the releases.
Thanks,
Christopher
On Mon, 10 Nov 2014 14:11:59 +0100, Christopher Odenbach odenbach@uni-paderborn.de wrote:
> Hi,
> while I was trying to find out why slapd does not use Perfect Forward Secrecy I found bug #7506 from September 2013. The patch has already been applied to the master branch but still cannot be found in any released version since. Why is this so? I would like to see good encryption in OpenLDAP for Debian.
> Anyone willing to give an answer to my question? I am glad the patch was accepted originally but I need it in the releases.
You should probably read GnuTLS Docs on this matter, and this blog for background information.
https://sys4.de/de/blog/2013/09/09/perfect-forward-secrecy-eine-zusammenfass...
-Dieter
On 10.11.2014 at 17:44, Dieter Klünter wrote:
> You should probably read GnuTLS Docs on this matter, and this blog for background information.
> https://sys4.de/de/blog/2013/09/09/perfect-forward-secrecy-eine-zusammenfass...
I have already read this blog, I know about the dh-params file. The problem I am talking about was in OpenLDAP master until last year, then it was fixed. But this fix has not found its way into the releases yet. I just ask the question why and when we will be able to see it in the releases.
The patch I am talking about:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=622d13a32...
But even in 2.4.40 the bug is still present (with GnuTLS there are no DH ciphers available).
Christopher
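Michael's TLSDHParamFile hint above and Christopher's observation that no DH ciphers are offered both come down to one question: does the slapd endpoint actually negotiate an ephemeral key exchange? The probe below is an added example, not code from the thread or from OpenLDAP; it assumes an LDAPS listener on port 636 and uses only the Python standard library (OpenSSL cipher-suite names), so it does not apply to GnuTLS-named suites seen from the server side.

```python
"""Probe an LDAPS endpoint for a forward-secret (ephemeral DH/ECDH) key exchange."""
import socket
import ssl
import sys

# OpenSSL cipher-name prefixes that imply ephemeral key agreement.
# TLS 1.3 suites (TLS_*) always use (EC)DHE, so they count as PFS too.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def is_pfs_cipher(name: str) -> bool:
    """True if a negotiated cipher (OpenSSL naming) provides forward secrecy."""
    return name.startswith(PFS_PREFIXES)


def pfs_only_context() -> ssl.SSLContext:
    """Client context that offers only ephemeral suites for TLS <= 1.2."""
    ctx = ssl.create_default_context()
    # Certificate checks are disabled on purpose: this tests key exchange,
    # not trust, so a self-signed lab certificate does not mask the result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # ECDHE and DHE are OpenSSL cipher-string aliases; TLS 1.3 is unaffected.
    ctx.set_ciphers("ECDHE:DHE:!aNULL:!eNULL")
    return ctx


def probe_pfs(host: str, port: int = 636, timeout: float = 5.0):
    """Return (ok, detail): ok is True only if a PFS suite was negotiated.

    A server without usable DH parameters (the situation described in the
    thread for the GnuTLS build) fails the handshake, which is reported
    rather than raised.
    """
    ctx = pfs_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher, version, _bits = tls.cipher()
                return is_pfs_cipher(cipher), f"{version} {cipher}"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"no PFS handshake possible: {exc}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"  # placeholder host
    ok, detail = probe_pfs(target)
    print(("PFS OK: " if ok else "NO PFS: ") + detail)
```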
--On November 10, 2014 at 6:38:18 PM +0100 Christopher Odenbach odenbach@uni-paderborn.de wrote:
> On 10.11.2014 at 17:44, Dieter Klünter wrote:
>> You should probably read GnuTLS Docs on this matter, and this blog for background information.
>> https://sys4.de/de/blog/2013/09/09/perfect-forward-secrecy-eine-zusammenfassung
> I have already read this blog, I know about the dh-params file. The problem I am talking about was in OpenLDAP master until last year, then it was fixed. But this fix has not found its way into the releases yet. I just ask the question why and when we will be able to see it in the releases.
> The patch I am talking about:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=622d13a32ec8d623c26a11b60b63e443dc86df99
> But even in 2.4.40 the bug is still present (with GnuTLS there are no DH ciphers available).
It will definitely be in OpenLDAP 2.5.x
--Quanah
openldap-technical@openldap.org