Emmanuel Dreyfus wrote:
On Tue, Jul 14, 2015 at 05:25:54PM +0200, Jens Vagelpohl wrote:
Server Temp Key: DH, 1024 bits
Indeed I confirm OpenLDAP 2.4.40 support for TLSDHParamFile is broken.
The problem seems to be that slapd wants to set the DH parameters through
a callback, and I do not see how we can tell OpenSSL what DH parameter
length we want in that case. Hence it defaults to 1024 bits.
The attached patch is a first attempt to fix the problem:
- set DH parameter for once if they are supplied through TLSDHParamFile,
instead of using a callback
- Do use SSL_OP_SINGLE_DH_USE (sendmail does that). I do not know whether
it should also be used in the callback case.
- And while there add the code to support ECDH, it is simple and it does
not hurt (This is the same code I contributed to sendmail).
Opinions? Apart from that, must I file an ITS?
No ITS needed, this code was already rewritten in HEAD, ITS#7506.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
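An added example, not code from the thread or from OpenLDAP: the same "set the DH parameters once instead of via a callback" approach, using Python's `ssl` module (whose `load_dh_params` wraps `SSL_CTX_set_tmp_dh`), plus a parser for the `Server Temp Key:` line of `openssl s_client` output so an operator can confirm the negotiated group size. The sample output strings, `MIN_DH_BITS` threshold and function names are constructed for this example.

```python
import re
import ssl
from typing import Optional

# Constructed threshold: finite-field DH groups below this are flagged, which is
# what the 1024-bit "Server Temp Key" in the thread would trip.
MIN_DH_BITS = 2048

# Matches e.g. "Server Temp Key: DH, 1024 bits", "Server Temp Key: ECDH, P-256, 256 bits"
# and "Server Temp Key: X25519, 253 bits" (curve name is optional).
TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*(?P<kind>[A-Za-z0-9]+)(?:,\s*(?P<curve>[A-Za-z0-9-]+))?,\s*(?P<bits>\d+) bits"
)


def parse_temp_key(s_client_output: str) -> Optional[dict]:
    """Extract the ephemeral key-exchange type, curve (if any) and size from s_client output."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None  # no ephemeral key line: either no forward secrecy or output truncated
    return {"kind": m.group("kind"), "curve": m.group("curve"), "bits": int(m.group("bits"))}


def temp_key_is_weak(info: Optional[dict], min_dh_bits: int = MIN_DH_BITS) -> bool:
    """Judge only finite-field DH by the bit threshold; EC group sizes are on a different scale."""
    if info is None:
        return True
    if info["kind"] == "DH":
        return info["bits"] < min_dh_bits
    return False


def harden_context(ctx: ssl.SSLContext, dh_param_file: Optional[str] = None) -> ssl.SSLContext:
    """Install DH parameters once (SSL_CTX_set_tmp_dh underneath) and request single-use DH keys.

    On OpenSSL >= 1.1.0 single-use DH is always on, so OP_SINGLE_DH_USE may be a no-op there.
    """
    if dh_param_file:
        ctx.load_dh_params(dh_param_file)  # fixed parameters; the bit length is whatever the file holds
    ctx.options |= ssl.OP_SINGLE_DH_USE
    return ctx


if __name__ == "__main__":
    # Constructed sample line, shaped like the one quoted in the thread.
    sample = "...\nServer Temp Key: DH, 1024 bits\n..."
    info = parse_temp_key(sample)
    print(info, "weak" if temp_key_is_weak(info) else "ok")
```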