On Fri, 6 Sep 2013, Michael Ströder wrote:
Dieter Klünter wrote:
> I wonder whether openldap, if compiled with openssl-1.x, will support
> PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> This issue has been discussed on several mailinglists recently.
Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
sslscan with no cipher configuration directives in the server configurations
(only listing the "Accepted").
Any reason why the *DHE* ciphers seems not to be supported during
scan which they are with Apache on the very same system?
Because you have to set the TLSDHParamFile / olcTLSDHParamFile config
If that file doesn't contain DH parameters for the requested key length,
then slapd/libldap will use compiled in parameters for 512/1024/2048/4096
lengths or generate parameters on the fly, so you can just use /dev/null
as the 'file' for the option.
Once you add that, slapd will negotiate DHE cipher suites.