From cb7434eb4736062e65bc148a0c9c86c7b4e08d08 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 7 Sep 2013 06:50:30 -0700 Subject: [PATCH] ITS#7506 more doc updates --- doc/man/man5/slapd-config.5 | 13 ++++++++----- doc/man/man5/slapd.conf.5 | 15 +++++++++------ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index ad1ccad277..dce7beeb7a 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -910,12 +910,15 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSProtocolMin: [.] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 0f100bbdb4..0280ab7485 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1141,13 +1141,16 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSProtocolMin [.] Specifies minimum SSL/TLS protocol version that will be negotiated. -- 2.39.5