CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/06/24 01:20:47
Modified files:
usr.sbin/ldapd : ldapd.conf.5 ldapd.h parse.y
Log message:
Using the "ldaps" or "tls" keywords in ldapd.conf currently enables all
protocols and ciphers. So you get a TLS server speaking TLSv1.0 and
supporting cipher suites with RC4 and 3DES encryption, all of which should
be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in
ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both
protocols and ciphers. If compatibility with the insecure legacy protocols
and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in
ldapd.conf.
tested by abieber.
inoguchi agrees with the direction.
ok beck
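The following is an added example, not part of the commit or of OpenBSD's own code. It audits an ldapd.conf for TLS listeners and reports which ones carry the "legacy" keyword (and so still accept TLSv1.0/1.1, RC4 and 3DES), then offers a live probe with openssl s_client to confirm that a server using the new libtls defaults refuses TLSv1.0 and TLSv1.1. The exact placement of "legacy" before "tls"/"ldaps" in a "listen on" line is inferred from the log message above, the sample configuration is constructed for the example, and the probe assumes an openssl(1) binary that still offers the -tls1 and -tls1_1 flags (LibreSSL's openssl(1) may not).

```shell
#!/bin/sh
# Added example (not OpenBSD's code). Audits ldapd.conf "listen" lines for
# TLS listeners and reports whether each one uses the "legacy" keyword that
# re-enables the broken protocols and ciphers, then optionally probes a live
# server. The "listen on <addr> [port N] [legacy] tls|ldaps ..." grammar is
# an assumption based on the commit message, not a quote of ldapd.conf(5).

# Print one line per TLS listener: "<addr> <mode> <policy>", where mode is
# "tls" or "ldaps" and policy is "legacy" or "default". Plaintext listeners
# (no tls/ldaps keyword) are skipped.
audit_ldapd_conf() {
    awk '
        $1 == "listen" && $2 == "on" {
            mode = ""; policy = "default"
            for (i = 3; i <= NF; i++) {
                if ($i == "tls" || $i == "ldaps") mode = $i
                if ($i == "legacy") policy = "legacy"
            }
            if (mode != "") print $3, mode, policy
        }' "$1"
}

# Count listeners that still accept TLSv1.0/1.1 and the RC4/3DES suites.
count_legacy_listeners() {
    audit_ldapd_conf "$1" | awk '$3 == "legacy"' | wc -l | tr -d ' '
}

# Constructed sample configuration (not a real deployment).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
schema "/etc/ldap/core.schema"
listen on "/var/run/ldapi"
listen on 127.0.0.1 port 389 tls certificate "ldap-server"
listen on 0.0.0.0 legacy ldaps certificate "ldap-server"
namespace "dc=example,dc=com" {
        rootdn "cn=admin,dc=example,dc=com"
}
EOF

audit_ldapd_conf "$SAMPLE_CONF"
# 127.0.0.1 tls default
# 0.0.0.0 ldaps legacy

# Live check against a running ldaps listener (needs network; not run here).
# With the libtls defaults, tls1 and tls1_1 should be refused and tls1_2
# accepted; with "legacy" all three are accepted. Assumes openssl(1) still
# accepts the -tls1 and -tls1_1 flags.
probe_tls_versions() {
    host=$1; port=${2:-636}
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            echo "$v refused"
        fi
    done
}
```

Run the audit against /etc/ldapd.conf before and after the upgrade: any listener reported as "legacy" is one you chose to keep compatible with the insecure protocols and ciphers, and the probe against its port should show "tls1 accepted" only for those.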