Hi
I tried to use ciphers that bring PFS for OpenLDAP, but it did not work. I used this cipher specification:
TLSCipherSuite ECDH:DH:!SHA:!MD5:!aNULL:!eNULL
I test it this way: for i in `openssl ciphers ALL|tr ':' '\n'` ; do echo ''|openssl s_client -cipher "$i" -connect server:636 2>/dev/null |awk '/ Cipher/{print }' ; done
I get nothing. I understand ECDH needs some support code, but why aren't DH ciphers available?
Emmanuel Dreyfus wrote:
Hi
I tried to use ciphers that bring PFS for OpenLDAP, but it did not work. I used this cipher specification:
TLSCipherSuite ECDH:DH:!SHA:!MD5:!aNULL:!eNULL
I test it this way: for i in `openssl ciphers ALL|tr ':' '\n'` ; do echo ''|openssl s_client -cipher "$i" -connect server:636 2>/dev/null |awk '/ Cipher/{print }' ; done
I get nothing. I understand ECDH needs some support code, but why aren't DH ciphers available?
Read the slapd.conf(5) or slapd-config(5) manpage. You must configure the TLSDHParamFile.
Your ciphersuite is wrong anyway. You want DHE, not DH, for PFS.
On Wed, Sep 18, 2013 at 11:19:27PM -0700, Howard Chu wrote:
Read the slapd.conf(5) or slapd-config(5) manpage. You must configure the TLSDHParamFile.
Thanks.
Your ciphersuite is wrong anyway. You want DHE, not DH, for PFS.
Either I miss something subtle, or I am right:
$ openssl ciphers DH:!SHA:!aNULL|tr ':' '\n'
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
$ openssl ciphers DHE:!SHA:!aNULL|tr ':' '\n'
Error in cipher list
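The DH-versus-DHE question above can be settled without relying on alias names: the Kx= column of `openssl ciphers -v` says whether a suite's key exchange is ephemeral. The script below is an added example, not code from the thread or from OpenLDAP; the cipher lines embedded in it are a constructed sample, and the spec it checks against a real OpenSSL is the one from the first message.

```shell
#!/bin/sh
# Added example: classify the suites an OpenSSL cipher string selects by their
# key-exchange method. Only ephemeral exchanges give forward secrecy:
#   Kx=DH, Kx=ECDH      -> DHE / ECDHE suites (PFS)
#   Kx=DH/RSA, Kx=ECDH/RSA, Kx=ECDH/ECDSA, Kx=RSA -> static exchange (no PFS)
#   Kx=any              -> TLS 1.3 suites, always ephemeral (PFS)
# The "DH" and "ECDH" aliases match both the ephemeral and the static kind,
# which is why the Kx column, not the alias, is the thing to check. Older
# OpenSSL releases that reject the "DHE" alias still accept EDH and EECDH for
# the ephemeral-only sets.

# Read `openssl ciphers -v` output on stdin, print names of forward-secret suites.
pfs_only() {
    awk '$3 == "Kx=DH" || $3 == "Kx=ECDH" || $3 == "Kx=any" { print $1 }'
}

# Same input, print names of suites whose key exchange is NOT ephemeral.
non_pfs() {
    awk '$3 != "Kx=DH" && $3 != "Kx=ECDH" && $3 != "Kx=any" { print $1 }'
}

# Constructed sample in the `ciphers -v` column layout (not real command output).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-SHA256       TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)    Mac=SHA256
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-SHA256        TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)    Mac=SHA256
ECDH-RSA-AES128-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1'

# Number of forward-secret suites in the sample (4 of the 7 lines).
count_pfs_in_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS" | pfs_only | wc -l | tr -d ' '
}

# Space-separated names of the non-forward-secret suites in the sample.
list_non_pfs_in_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS" | non_pfs | tr '\n' ' '
}

# Against a real OpenSSL: list whatever a cipher string selects that lacks PFS.
# An empty result means the string is safe to put in TLSCipherSuite for PFS.
check_spec() {
    openssl ciphers -v "$1" | non_pfs
}

if command -v openssl >/dev/null 2>&1; then
    echo "Suites selected by the thread's string that lack forward secrecy:"
    check_spec 'ECDH:DH:!SHA:!MD5:!aNULL:!eNULL'
fi
```

Run with no arguments; the final block only executes when `openssl` is on the PATH, and with the DH parameters configured via TLSDHParamFile the server will then actually offer the DHE suites the string selects.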
Emmanuel Dreyfus manu@netbsd.org wrote:
Read the slapd.conf(5) or slapd-config(5) manpage. You must configure the TLSDHParamFile.
Thanks.
It works fine. I thought I had a problem with MacOS X machines causing "TLS negotiation failed" messages, but they also do it without the change. It seems each time I type "id some_user" in MacOS X's shell, it will always attempt a first TCP connection to the LDAP server, fail TLS without sending anything, and then attempt a second TCP connection with TLS.
Weird. I don't ask for an answer on this question but just post it for future reference in case someone has the same behavior: this TLS negotiation failure is not a failure.
On Thu, 19 Sep 2013, Emmanuel Dreyfus wrote:
I tried to use ciphers that bring PFS for OpenLDAP, but it did not work. I used this cipher specification:
...
I get nothing. I understand ECDH needs some support code, but why aren't DH ciphers available?
To point to my answer on the thread 12 days ago: http://www.openldap.org/lists/openldap-technical/201309/msg00091.html
Philip Guenther
openldap-technical@openldap.org