pkgsrc-Changes archive


CVS commit: pkgsrc/databases



Module Name:    pkgsrc
Committed By:   manu
Date:           Mon Sep 14 16:32:27 UTC 2015

Modified Files:
        pkgsrc/databases/openldap: distinfo
        pkgsrc/databases/openldap-client: Makefile
        pkgsrc/databases/openldap-server: Makefile
Added Files:
        pkgsrc/databases/openldap/patches: patch-its7595

Log Message:
Add support for ECDH, from upstream

After the recent logjam attack, longer DH parameter sizes have been advised.
Unfortunately, this comes with a high computational cost. ECDH is a good
alternative to achieve forward secrecy with lower CPU loads.

This patch is a backport from the upstream ECDH implementation. ECDH is
enabled by specifying a curve name through the TLSECName directive.
Valid curve names can be obtained by openssl ecparam -list_curves

Advised usage for a forward-secrecy only setup with only ECDH:
TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName      prime256v1

If backward compatibility with older clients is required:
TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName      prime256v1

Backward compatible flavor with more forward secrecy, at
the expense of using costly DH. dh2048.pem is obtained using openssl
dhparam 2048 > /etc/openssl/certs/dh2048.pem
TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSDHParamFile /etc/openssl/certs/dh2048.pem
TLSECName      prime256v1
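
The three slapd.conf variants in the log message can be sanity-checked before they go live. The script below is an added example and is not OpenLDAP, OpenSSL or pkgsrc code: it pulls the TLS* directives out of slapd.conf text, expands TLSCipherSuite against a small constructed cipher table with a simplified version of OpenSSL's cipher-string rules (plain keywords, "!" and "-" removal, "+" move-to-end), and reports whether every surviving suite uses an ephemeral key exchange, whether DHE suites appear without a TLSDHParamFile, and whether TLSECName is in a known-curve set. The cipher table and the curve set are constructed subsets; `openssl ciphers -v` and `openssl ecparam -list_curves` remain the authoritative sources, and the certificate paths in the sample configs are placeholders.

```python
"""Check slapd.conf TLSCipherSuite / TLSECName / TLSDHParamFile settings.

Hypothetical example: the cipher table is a constructed subset of OpenSSL's
suites and the cipher-string parser covers only the subset of OpenSSL's
syntax used in the commit message.  Verify against `openssl ciphers -v`.
"""
from collections import namedtuple

Cipher = namedtuple("Cipher", "name kex auth enc mac strength")

# Constructed subset; order stands in for OpenSSL's preference order.
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA",  "AES", "AEAD",   "HIGH"),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA",  "AES", "AEAD",   "HIGH"),
    Cipher("ECDHE-RSA-AES256-SHA384",     "ECDHE", "RSA",  "AES", "SHA384", "HIGH"),
    Cipher("ECDHE-RSA-AES256-SHA",        "ECDHE", "RSA",  "AES", "SHA1",   "HIGH"),
    Cipher("AECDH-AES128-SHA",            "ECDHE", "NULL", "AES", "SHA1",   "HIGH"),
    Cipher("AES256-GCM-SHA384",           "RSA",   "RSA",  "AES", "AEAD",   "HIGH"),
    Cipher("AES128-SHA",                  "RSA",   "RSA",  "AES", "SHA1",   "HIGH"),
    Cipher("DHE-RSA-AES256-GCM-SHA384",   "DHE",   "RSA",  "AES", "AEAD",   "HIGH"),
    Cipher("DHE-RSA-AES128-SHA",          "DHE",   "RSA",  "AES", "SHA1",   "HIGH"),
    Cipher("RC4-SHA",                     "RSA",   "RSA",  "RC4", "SHA1",   "MEDIUM"),
    Cipher("RC4-MD5",                     "RSA",   "RSA",  "RC4", "MD5",    "MEDIUM"),
    Cipher("DES-CBC-SHA",                 "RSA",   "RSA",  "DES", "SHA1",   "LOW"),
    Cipher("NULL-SHA",                    "RSA",   "RSA",  "NULL", "SHA1",  "NONE"),
]

# Cipher-string keywords -> (field, value); "SHA" is SHA-1 only, as in OpenSSL.
KEYWORDS = {
    "EECDH": ("kex", "ECDHE"), "ECDHE": ("kex", "ECDHE"),
    "EDH": ("kex", "DHE"), "DHE": ("kex", "DHE"), "kRSA": ("kex", "RSA"),
    "HIGH": ("strength", "HIGH"), "MEDIUM": ("strength", "MEDIUM"),
    "LOW": ("strength", "LOW"), "AES": ("enc", "AES"), "RC4": ("enc", "RC4"),
    "DES": ("enc", "DES"), "SHA": ("mac", "SHA1"), "SHA1": ("mac", "SHA1"),
    "MD5": ("mac", "MD5"), "aNULL": ("auth", "NULL"),
    "eNULL": ("enc", "NULL"), "NULL": ("enc", "NULL"),
}

# Constructed subset of curve names; the real list is `openssl ecparam -list_curves`.
KNOWN_CURVES = {"prime256v1", "secp384r1", "secp521r1"}


def _matches(cipher, token):
    if token == "ALL":
        return cipher.enc != "NULL"
    if token in KEYWORDS:
        field, value = KEYWORDS[token]
        return getattr(cipher, field) == value
    return cipher.name == token          # exact suite name


def expand_cipher_string(spec):
    """Return the enabled suites, in order, for an OpenSSL-style cipher string."""
    enabled, killed = [], set()
    for raw in spec.split(":"):
        op, token = ("", raw)
        if raw and raw[0] in "!-+":
            op, token = raw[0], raw[1:]
        matched = [c for c in CIPHERS if _matches(c, token)]
        if not matched and token not in KEYWORDS and token != "ALL":
            raise ValueError("unknown cipher keyword: %r" % token)  # catches typos
        if op == "!":                      # delete for good; later keywords cannot re-add
            killed.update(c.name for c in matched)
            enabled = [c for c in enabled if c.name not in killed]
        elif op == "-":                    # delete, but a later keyword may re-add
            enabled = [c for c in enabled if c not in matched]
        elif op == "+":                    # move matching suites to the end
            enabled = ([c for c in enabled if c not in matched]
                       + [c for c in enabled if c in matched])
        else:                              # append new matches in table order
            enabled += [c for c in matched if c.name not in killed and c not in enabled]
    return enabled


def parse_tls_directives(conf_text):
    """Collect TLS* directives from slapd.conf text (directive names are case-insensitive)."""
    tls = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            tls[parts[0].lower()] = parts[1].strip()
    return tls


def assess(conf_text, known_curves=KNOWN_CURVES):
    """Summarise what the TLS directives actually enable."""
    tls = parse_tls_directives(conf_text)
    spec = tls.get("tlsciphersuite")
    suites = expand_cipher_string(spec) if spec else []
    kexes = {c.kex for c in suites}
    curve = tls.get("tlsecname")
    return {
        "suites": [c.name for c in suites],
        "forward_secrecy_only": bool(suites) and kexes <= {"ECDHE", "DHE"},
        "dhe_without_dhparam": "DHE" in kexes and "tlsdhparamfile" not in tls,
        "ecdhe_without_curve": "ECDHE" in kexes and curve is None,
        "curve_known": (curve in known_curves) if curve else None,
    }


# The three configurations from the commit message (constructed file paths).
FS_ONLY_CONF = """# forward secrecy only, ECDH only
TLSCertificateFile /path/to/placeholder.crt
TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName      prime256v1
"""
COMPAT_CONF = """TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName      prime256v1
"""
COMPAT_DH_CONF = """TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSDHParamFile /etc/openssl/certs/dh2048.pem
TLSECName      prime256v1
"""

if __name__ == "__main__":
    for label, conf in (("FS only", FS_ONLY_CONF), ("compat", COMPAT_CONF),
                        ("compat+DH", COMPAT_DH_CONF)):
        print(label, assess(conf))
```

Run against the log message's configurations, the first one expands to ECDHE suites only. The second is not forward-secrecy only: HIGH pulls in static-RSA suites as well as DHE suites, and the DHE suites are listed without a TLSDHParamFile, which the summary flags. The third puts EDH explicitly ahead of HIGH, so the DHE suite is preferred over the static-RSA one and the dhparam flag clears. A misspelled keyword raises ValueError rather than silently shrinking the list.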


To generate a diff of this commit:
cvs rdiff -u -r1.101 -r1.102 pkgsrc/databases/openldap/distinfo
cvs rdiff -u -r1.20 -r1.21 pkgsrc/databases/openldap-client/Makefile
cvs rdiff -u -r1.44 -r1.45 pkgsrc/databases/openldap-server/Makefile
cvs rdiff -u -r0 -r1.1 pkgsrc/databases/openldap/patches/patch-its7595

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



