From 00809706e495f9dc42a1ae84d47a397dacc8c6bd Mon Sep 17 00:00:00 2001 From: Ben Jencks Date: Sun, 27 Jan 2013 18:42:17 -0500 Subject: [PATCH 3/3] DHParamFile: Update docs Update docs to reflect changes in handling and fix some errors. --- doc/guide/admin/tls.sdf | 14 ++++++++------ doc/man/man5/slapd-config.5 | 8 ++------ doc/man/man5/slapd.conf.5 | 10 +++------- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf index 00bf83c..cd8343d 100644 --- a/doc/guide/admin/tls.sdf +++ b/doc/guide/admin/tls.sdf @@ -188,18 +188,20 @@ and it doesn't need very much data to work. This directive is ignored with GnuTLS and Mozilla NSS. -H4: TLSEphemeralDHParamFile +H4: TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order -to use a DSA certificate on the server side (i.e. -{{EX:TLSCertificateKeyFile}} points to a DSA key). Multiple sets -of parameters can be included in the file; all of them will be -processed. Parameters can be generated using the following command +to use DHE-based cipher suites, including all DSA-based suites (i.e. +{{EX:TLSCertificateKeyFile}} points to a DSA key), and RSA when the 'key +encipherment' key usage is not specified in the certificate. Parameters can be +generated using the following command > openssl dhparam [-dsaparam] -out +or +> certtool --generate-dh-params --bits --outfile -This directive is ignored with GnuTLS and Mozilla NSS. +This directive is ignored with Mozilla NSS. H4: TLSVerifyClient { never | allow | try | demand } diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index c157500..30f7214 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 
@@ -920,12 +920,8 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable -Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +the server, or an RSA certificate missing the "key encipherment" key usage. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSRandFile: diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 7471d62..b7efe0b 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 
@@ -1151,13 +1151,9 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable -Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +the server, or an RSA certificate missing the "key encipherment" key usage. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random -- 1.7.9.5
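Review bot: in the tls.sdf hunk both example command lines end right after an option that takes a value: `> openssl dhparam [-dsaparam] -out` and `> certtool --generate-dh-params --bits --outfile` have no file name or bit length, so a reader copying them gets a usage error. If the SDF source had angle-bracket placeholders that the markup swallowed, spell them out as plain words, e.g. `openssl dhparam [-dsaparam] -out dhparams.pem 2048` and `certtool --generate-dh-params --bits 2048 --outfile dhparams.pem`. The new sentence is also hard to parse: "including all DSA-based suites (i.e. ... points to a DSA key), and RSA when the 'key encipherment' key usage is not specified" mixes a cipher-suite family with a key type; saying that DHE suites are the only ones usable with a DSA certificate, and the only ones usable with an RSA certificate whose keyEncipherment usage is absent, would state the same rule more clearly.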
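Review bot: the slapd-config.5 hunk removes the "!ADH" caveat (the warning that a DH parameter file may enable Anonymous Diffie-Hellman exchanges in non-default cipher suites) without saying why; since that is a security-relevant note for administrators who customise olcTLSCipherSuite, the commit message or the hunk should state that the changed handling no longer enables ADH suites, or else keep a one-line reminder that ADH must still be excluded from a custom cipher list. The man page also keeps the narrower "DSA certificate ... or an RSA certificate missing the "key encipherment" key usage" phrasing while the guide hunk now says the file is required for DHE-based cipher suites; the guide's wording is the more accurate one (an RSA certificate with keyEncipherment still needs the parameters whenever a DHE suite is negotiated), so consider using it here too, and match the quoting style ('key encipherment' in the guide, "key encipherment" here).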
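Review bot: the slapd.conf.5 hunk drops the sentence that GnuTLS generates parameters itself but says nothing about what GnuTLS now does with the file; the guide hunk adds a certtool command for exactly that case, so a short note such as "With GnuTLS the parameters can be generated with certtool --generate-dh-params" would keep the man page self-contained rather than leaving only the Mozilla NSS exception. The new text is otherwise identical to the slapd-config.5 hunk, which is good; whatever wording is settled on for the DSA/RSA sentence there should be applied to both files in the same commit.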