From 63926362a9c1f08b55307916581fbabe9e845d61 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 7 Sep 2013 06:50:30 -0700 Subject: [PATCH] ITS#7506 more doc updates --- doc/man/man5/slapd-config.5 | 13 ++++++++----- doc/man/man5/slapd.conf.5 | 15 +++++++++------ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 2f8e6568a1..95621a1f25 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -920,12 +920,15 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSProtocolMin: [.] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 8840e3a51b..1a895c9d8b 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 
@@ -1151,13 +1151,16 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSProtocolMin [.] Specifies minimum SSL/TLS protocol version that will be negotiated. -- 2.39.5
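Review bot: In the slapd-config.5 hunk, the closing sentence drops GnuTLS from "When using GnuTLS or Mozilla NSS these parameters are always generated randomly" without saying what a GnuTLS build does now. If GnuTLS builds now read olcTLSDHParamFile, say so explicitly, so that an administrator on such a build knows that setting the file changes the key exchange. The removed sentence about multiple parameter sets in one file also has no replacement; state which set is used when the file holds more than one, or that only one is supported.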
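Review bot: In the slapd.conf.5 hunk, the last added sentence changes the claim about Mozilla NSS. The removed text said only "This directive is ignored when using Mozilla NSS", while the new text says the parameters "are always generated randomly", which was previously the GnuTLS wording. Please confirm that this matches NSS behaviour, or keep the plainer "ignored" statement. The "!ADH" advice would also be easier to act on if it named TLSCipherSuite as the directive to append it to, since the text says only "your cipher suites".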