From: Howard Chu Date: Thu, 19 Jan 2006 18:28:20 +0000 (+0000) Subject: ITS#4354 add a note about avoiding Anonymous DH. X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~285 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=17dbef6ba837703c50a9b6b1000a929e774b26f9;p=openldap ITS#4354 add a note about avoiding Anonymous DH. --- diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 183ef420d1..c07d1f900a 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -963,7 +963,11 @@ it is of critical importance that it is protected carefully. This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server. If multiple sets of parameters are present in the file, all of -them will be processed. +them will be processed. Note that setting this option may also enable +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. +You should append "!ADH" to your cipher suites if you have changed them +from the default, otherwise no certificate exchanges or verification will +be done. .TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random
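Review bot: The closing clause of the added text, "otherwise no certificate exchanges or verification will be done", reads as if certificate checking is lost on every connection once this option is set. The preceding sentence limits the exposure to "certain non-default cipher suites", so the consequence should carry the same condition, for example: "otherwise a client and server that negotiate an Anonymous DH suite will perform no certificate exchange or verification". It would also help to name the directive that holds the cipher suite string, so the reader knows where "!ADH" has to be appended, and to state that the default cipher suites need no change, which the text currently only implies through "if you have changed them from the default".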