.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
-the server. If multiple sets of parameters are present in the file, all of
-them will be processed. Note that setting this option may also enable
+the server, or an RSA certificate missing the "key encipherment" key usage.
+Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
-You should append "!ADH" to your cipher suites if you have changed them
-from the default, otherwise no certificate exchanges or verification will
-be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
+Anonymous key exchanges should generally be avoided since they provide no
+actual client or server authentication and provide no protection against
+man-in-the-middle attacks.
+You should append "!ADH" to your cipher suites to ensure that these suites
+are not used.
+When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
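Review bot: the rewritten advice "+You should append "!ADH" to your cipher suites to ensure that these suites / +are not used." drops the old qualifier "if you have changed them from the default", so it now reads as though even the default cipher list needs editing; state whether the default already excludes anonymous suites, or keep the qualifier. Since the stated goal is to rule out unauthenticated key exchange, consider recommending "!aNULL" instead of "!ADH": in OpenSSL cipher-list syntax "!ADH" only removes anonymous finite-field DH suites, while "aNULL" also covers anonymous ECDH suites, which equally provide no server authentication or MITM protection as the new text describes.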
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
-the server. If multiple sets of parameters are present in the file, all of
-them will be processed. Note that setting this option may also enable
+the server, or an RSA certificate missing the "key encipherment" key usage.
+Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
-You should append "!ADH" to your cipher suites if you have changed them
-from the default, otherwise no certificate exchanges or verification will
-be done. When using GnuTLS these parameters are always generated randomly so
-this directive is ignored. This directive is ignored when using Mozilla NSS.
+Anonymous key exchanges should generally be avoided since they provide no
+actual client or server authentication and provide no protection against
+man-in-the-middle attacks.
+You should append "!ADH" to your cipher suites to ensure that these suites
+are not used.
+When using Mozilla NSS these parameters are always generated randomly
+so this directive is ignored.
.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
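Review bot: narrowing "-When using GnuTLS these parameters are always generated randomly so / -this directive is ignored." to "+When using Mozilla NSS these parameters are always generated randomly" silently changes what the page says about GnuTLS builds; a reader can no longer tell whether GnuTLS now reads TLSDHParamFile or still ignores it. If GnuTLS now honours the file, say so explicitly; if it still ignores it, keep the GnuTLS sentence. The same applies to the dropped "-If multiple sets of parameters are present in the file, all of / -them will be processed.": if only one parameter set is now used, document that rather than leaving the multi-set behaviour unspecified, and keep this text identical to the olcTLSDHParamFile entry in slapd-config(5) so the two pages do not drift.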