On Tue, 14 Jul 2015 17:25:54 +0200, Jens Vagelpohl <[email protected]> wrote:

> Hi all,
>
> In my setup (CentOS7, OpenLDAP 2.4.41 from the LDAP Tool Box project)
> I am using the following slapd.conf parameters for SSL-related
> configuration:
>
> TLSProtocolMin 3.1
> TLSCertificateFile /etc/pki/tls/certs/NNN.crt
> TLSCertificateKeyFile /etc/pki/tls/private/NNN.key
> TLSCACertificateFile /etc/pki/tls/certs/NNN.ca.pem
> TLSDHParamFile /usr/local/openldap/etc/openldap/dh_2048.pem
> TLSCipherSuite AESGCM:!RSA:!DSS:!ADH:!aECDH
>
> The file /usr/local/openldap/etc/openldap/dh_2048.pem is a valid DH
> parameter file with size 2048:
>
> <snip>
> # openssl dh -in /usr/local/openldap/etc/openldap/dh_2048.pem -text -noout
> PKCS#3 DH Parameters: (2048 bit)
> prime:
> </snip>
>
> I am now testing the actual DH parameter size used during a TLS
> connection with instructions from
> https://bettercrypto.org/blog/2015/05/20/tls-logjam/ and it only
> shows DH parameter size 1024:
>
> <snip>
> $ echo | openssl s_client -connect alias01.alias.ooo:636 -cipher "EDH" 2>/dev/null
> … much output …
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: DH, 1024 bits
> </snip>
>
> I was expecting "Server Temp Key: DH, 2048 bits". Am I just testing
> this the wrong way or is there an issue with DH parameter
> configurations in OpenLDAP?

You may have read this article
https://sys4.de/de/blog/2013/09/09/perfect-forward-secrecy-eine-zusammenfassung/

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
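The manual check in the quoted post (connect with only DHE cipher suites offered, read the "Server Temp Key" line) can be turned into a repeatable comparison against the size of the configured parameter file. The script below is an added example for this thread, not code from the OpenLDAP project or from either poster; the host:port and the parameter file path are placeholders, and the sample s_client output in the test is constructed from the lines quoted above.

```shell
# Added example (not from the thread): compare the ephemeral DH group a
# TLS server actually negotiates with the size of the DH parameter file
# it was configured with (e.g. slapd's TLSDHParamFile).
# Host:port and file path are placeholders to be replaced.

# Extract the bit count from the "Server Temp Key: DH, NNNN bits" line
# that openssl s_client prints (OpenSSL 1.0.2 and later). Prints nothing
# if the line is absent (ECDHE or RSA key exchange, or a failed handshake).
dh_bits_from_sclient_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# Size in bits of a PKCS#3 DH parameter file, taken from the
# "PKCS#3 DH Parameters: (2048 bit)" header of "openssl dhparam -text".
dh_bits_from_param_file() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Offer only DHE suites (-cipher EDH) so the server cannot pick RSA or
# ECDHE key exchange; the Temp Key line then shows the DH group in use.
negotiated_dh_bits() {
    echo | openssl s_client -connect "$1" -cipher EDH 2>/dev/null \
        | dh_bits_from_sclient_output
}

# True when a measured size is present and at least the expected size.
dh_meets_minimum() {
    [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# Report whether the group the server sends matches the configured file.
check_server_dh() {
    host_port=$1
    param_file=$2
    want=$(dh_bits_from_param_file "$param_file")
    if [ -z "$want" ]; then
        echo "cannot read DH parameters from $param_file" >&2
        return 2
    fi
    got=$(negotiated_dh_bits "$host_port")
    if dh_meets_minimum "$got" "$want"; then
        echo "OK: $host_port uses ${got}-bit DH (file: ${want} bits)"
        return 0
    fi
    echo "MISMATCH: $host_port uses '${got:-no DHE}' DH, file has ${want} bits" >&2
    return 1
}

# Usage with placeholders:
#   check_server_dh ldap.example.com:636 /path/to/dh_2048.pem
```

Two caveats when running this against a real server: the "Server Temp Key" line only exists in OpenSSL 1.0.2 and newer, so an older s_client prints nothing and the check reports a mismatch that is really a tooling gap; and because `-cipher EDH` removes every non-DHE suite from the client hello, a handshake that fails outright means the server offers no DHE suites at all, which is a different finding from a too-small group.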
