On Fri, 6 Sep 2013, Michael Ströder wrote:
> Dieter Klünter wrote:
> > I wonder whether openldap, if compiled with openssl-1.x, will support
> > PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
> > This issue has been discussed on several mailing lists recently.
>
> Hmm...
>
> Tests on my local system (with OpenSSL 1.0.1e shipped with distribution) using
> sslscan with no cipher configuration directives in the server configurations
> (only listing the "Accepted").
...
> Any reason why the *DHE* ciphers seem not to be supported during OpenLDAP
> scan while they are with Apache on the very same system?
Because you have to set the TLSDHParamFile / olcTLSDHParamFile config option. If that file doesn't contain DH parameters for the requested key length, then slapd/libldap will use compiled-in parameters for 512/1024/2048/4096 lengths or generate parameters on the fly, so you can just use /dev/null as the 'file' for the option. Once you add that, slapd will negotiate DHE cipher suites.

Philip Guenther
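The procedure Philip describes, written out as an added example (not part of the thread or of OpenLDAP itself): generate explicit DH parameters, point slapd at them in either slapd.conf or cn=config style, and confirm from a client that a DHE suite is now negotiated. The file path, host name and the use of ldaps on port 636 are assumptions.

```shell
#!/bin/sh
# Added example: enable DHE cipher suites in slapd by supplying DH parameters.
# DHPARAM_FILE and LDAP_HOST are assumed values; override them from the environment.
set -eu

DHPARAM_FILE="${DHPARAM_FILE:-/etc/openldap/dhparam.pem}"   # assumed path
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"                  # assumed host

# Generate explicit DH parameters instead of relying on slapd's compiled-in
# groups. 2048 bits takes a while but is a one-off; the file holds no secret.
gen_dhparams() {
  openssl dhparam -out "$1" "${2:-2048}"
  chmod 0644 "$1"
}

# slapd.conf style: a single directive in the global section.
slapd_conf_line() {
  printf 'TLSDHParamFile %s\n' "$1"
}

# cn=config style: LDIF setting olcTLSDHParamFile on the cn=config entry.
# 'replace' also creates the attribute when it is not present yet.
dhparam_ldif() {
  printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSDHParamFile\nolcTLSDHParamFile: %s\n' "$1"
}

# Apply the LDIF over the local ldapi socket as root (SASL EXTERNAL).
apply_cn_config() {
  dhparam_ldif "$1" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Offer the server DHE suites only. The "Cipher" line shows what it agreed to;
# a handshake failure means slapd still has no DH parameters to use.
# TLS 1.2 is pinned because -cipher does not filter TLS 1.3 suites.
verify_dhe() {
  openssl s_client -connect "$1:636" -tls1_2 -cipher 'DHE:!aNULL' </dev/null 2>/dev/null \
    | grep -E '^[[:space:]]*(Protocol|Cipher)[[:space:]]*:'
}

# Usage (on the LDAP server, as root):
#   gen_dhparams "$DHPARAM_FILE" 2048
#   slapd_conf_line "$DHPARAM_FILE" >> /etc/openldap/slapd.conf   # or, for cn=config:
#   apply_cn_config "$DHPARAM_FILE"
#   verify_dhe "$LDAP_HOST"
```

Restart or reload slapd after changing slapd.conf; the cn=config change takes effect without a restart.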
