From: Howard Chu Date: Sat, 7 Sep 2013 13:50:30 +0000 (-0700) Subject: ITS#7506 more doc updates X-Git-Tag: OPENLDAP_REL_ENG_2_4_45~139 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=cb7434eb4736062e65bc148a0c9c86c7b4e08d08;p=openldap ITS#7506 more doc updates --- diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index ad1ccad277..dce7beeb7a 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -910,12 +910,15 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSProtocolMin: [.] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 0f100bbdb4..0280ab7485 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1141,13 +1141,16 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSProtocolMin [.] Specifies minimum SSL/TLS protocol version that will be negotiated.