[email protected] wrote: > Full_Name: Jan Bramkamp > Version: 2.4.35 > OS: FreeBSD 9.1 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (79.230.127.217) > > > OpenLDAP supports PFS TLS cipher suites using DHE with the > DH *tlso_tmp_dh_cb(SSL*,int,int) callback in libraries/libldap/tls_o.c. > DHE-RSA/DSS cipher suites are very CPU intensive and noticeably increase > latency > on low-power hardware. While OpenLDAP supports ECDH-ECDSA cipher suites these > lack the PFS offered by DHE-RSA/DSS cipher suites. > >>From my initial search it looks like the correct API to register such a >>callback > would be SSL_CTX_set_tmp_ecdh_callback(), but im not familiar the OpenLDAP > code > base so patching it my self could have unintended consequences. > > This how the CA was generated: > CURVE=secp384r1 > > openssl ecparam -out private/ca-key.pem -name $CURVE -genkey && > openssl req -new -x509 -days 365 -key private/ca-key.pem -out > certs/ca-cert.pem > > openssl ecparam -out private/auth1-key.pem -name $CURVE -genkey && > openssl req -new -key private/auth1-key.pem -out newcerts/auth1-csr.pem > && > openssl ca -config /usr/local/openssl/openssl.cnf -out > certs/auth1-cert.pem > -infiles newcerts/auth1-csr.pem > > The (EC)DH paramter file was generated with: > openssl ecparam -name $CURVE > > This was tested with slapd linked against OpenSSL 1.0.1e from ports on FreeBSD > 9.1/amd64. > > Some background info in this thread http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
