[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL

openldap-its Sat, 11 Sep 2021 02:13:29 -0700

https://bugs.openldap.org/show_bug.cgi?id=9687


          Issue ID: 9687
           Summary: olcTLSECName is not required in order to use
                    ECDHE-based cipher suites in OpenSSL
           Product: OpenLDAP
           Version: 2.5.7
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: documentation
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic
Curves.  It does not say, that the option is required, nor does it say what
happens, when the option is not set.

https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for
TLSECName: This is required in order to use ECDHE-based cipher suites in
OpenSSL.

I do not set TLSECName and call

  ./testssl.sh ldap.aegee.org:636

which prints:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits    
Cipher Suite Name (IANA/RFC)                                                   
-----------------------------------------------------------------------------------------------------------------------------
 
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256     
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256     
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128     
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256     
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
TLSv1.3 (server order)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256     
TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256     
TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128     
TLS_AES_128_GCM_SHA256                             

 Testing robust forward secrecy (FS) -- omitting Null
Authentication/Encryption, 3DES, RC4 

 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448 

This means, that when olcTLSECName is not set, OpenSSL defaults are used, and
ECDHE-based cipher suites are still offered.

testssl.sh can be obtianed from https://github.com/drwetter/testssl.sh .

-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL

Reply via email to