Changeset - f40ea7a33c89
Branko Majic (branko) - 9 months ago 2023-08-11 01:08:56
branko@majic.rs
MAR-181: Update warning about DH parameter usage by the ldap_server role.
1 file changed with 3 insertions and 8 deletions:
docs/rolereference.rst
 
@@ -757,14 +757,9 @@ Parameters
 
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``)
 

	
 
  .. warning::
 
     Under Debian Stretch, the DHE ciphers are not usable due to a bug
 
     present in OpenLDAP 2.4.44. See
 
     https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
 
     for details. DHE ciphers are usable under Debian Buster.
 

	
 
     It should be also noted that under Debian Buster, slapd will not
 
     use the DH parameters generated by the role, but will instead use
 
     them to pick one of the recommended DH parameters from `RFC-7919
 
     Under Debian Buster, slapd will not use the DH parameters
 
     generated by the role, but will instead use them to pick one of
 
     the recommended DH parameters from `RFC-7919
 
     <https://www.ietf.org/rfc/rfc7919.txt>`_. This is based on the
 
     size of role-generated parameters.
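Review bot: The rewritten warning still scopes the behaviour to "Under Debian Buster" while the Stretch paragraph is dropped, so a reader deploying on any other release cannot tell whether slapd uses the role-generated DH parameters or picks one of the RFC-7919 ones. Consider stating which releases (or which OpenLDAP version) the sentence applies to. Since "This is based on the size of role-generated parameters" makes the size the only input that matters, the warning should also name the role parameter that controls that size, so an operator knows how to influence which RFC-7919 parameters end up in use while ``+DHE-RSA`` remains in the default ``ldap_tls_ciphers``.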
 

	