From: Howard Chu Date: Sat, 7 Sep 2013 13:50:30 +0000 (-0700) Subject: ITS#7506 more doc updates X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=63926362a9c1f08b55307916581fbabe9e845d61;p=openldap ITS#7506 more doc updates --- diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 2f8e6568a1..95621a1f25 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -920,12 +920,15 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSProtocolMin: [.] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 8840e3a51b..1a895c9d8b 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1151,13 +1151,16 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSProtocolMin [.] Specifies minimum SSL/TLS protocol version that will be negotiated.