pkgsrc-Changes archive


Re: CVS commit: pkgsrc/databases



This was ok gdt@ for pkgsrc-pmc, since we're in a freeze.
Please mention this in commit messages, thank you!
 Thomas


On Mon, Sep 14, 2015 at 04:32:27PM +0000, Emmanuel Dreyfus wrote:
> Module Name:  pkgsrc
> Committed By: manu
> Date:         Mon Sep 14 16:32:27 UTC 2015
> 
> Modified Files:
>       pkgsrc/databases/openldap: distinfo
>       pkgsrc/databases/openldap-client: Makefile
>       pkgsrc/databases/openldap-server: Makefile
> Added Files:
>       pkgsrc/databases/openldap/patches: patch-its7595
> 
> Log Message:
> Add support for ECDH, from upstream
> 
> After the recent logjam attack, longer DH parameter sizes have been advised.
> Unfortunately, this comes with a high computational cost. ECDH is a good
> alternative to achieve forward secrecy with lower CPU loads.
> 
> This patch is a backport from upstream ECDH implementation. ECDH is
> enabled by specifying a curve name through the TLSECName directive.
> Valid curve names can be obtained by openssl ecparam -list_curves
> 
> Advised usage for a forward-secrecy only setup with only ECDH:
> TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSECName      prime256v1
> 
> If backward compatibility with older clients is required:
> TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSECName      prime256v1
> 
> Backward compatible flavor with more forward secrecy, at
> the expense of using costly DH. dh2048.pem is obtained using openssl
> dhparam 2048 > /etc/openssl/certs/dh2048.pem
> TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
> TLSDHParamFile /etc/openssl/certs/dh2048.pem
> TLSECName      prime256v1
> 
> 
> To generate a diff of this commit:
> cvs rdiff -u -r1.101 -r1.102 pkgsrc/databases/openldap/distinfo
> cvs rdiff -u -r1.20 -r1.21 pkgsrc/databases/openldap-client/Makefile
> cvs rdiff -u -r1.44 -r1.45 pkgsrc/databases/openldap-server/Makefile
> cvs rdiff -u -r0 -r1.1 pkgsrc/databases/openldap/patches/patch-its7595
> 
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
> 
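
Added example, not part of the commit or of OpenLDAP: a Python check that reads the TLS directives of a slapd.conf and flags the pairings the log message above depends on (ECDHE needs TLSECName, DHE needs TLSDHParamFile, anything else in TLSCipherSuite can admit non-forward-secret key exchange). The function names and the keyword heuristic are assumptions of this example; the first three sample configurations are the ones quoted in the log message, the fourth is constructed.

```python
import re

ECDHE = {"EECDH", "ECDHE", "KEECDH", "KECDHE"}  # OpenSSL keywords: ephemeral ECDH
DHE = {"EDH", "DHE", "KEDH", "KDHE"}            # OpenSSL keywords: ephemeral DH

def parse_tls_directives(conf_text):
    """Return {lower-cased directive: value} for the TLS* lines of a slapd.conf."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = re.match(r"\s*(TLS\w+)\s+(\S.*?)\s*$", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit_forward_secrecy(conf_text):
    """Return a list of findings; an empty list means a forward-secrecy-only setup."""
    d = parse_tls_directives(conf_text)
    tokens = d.get("tlsciphersuite", "").split(":")
    # Tokens prefixed with !, - or + remove or reorder suites; only the rest add suites.
    added = {t.upper() for t in tokens if t and t[0] not in "!-+"}
    findings = []
    if added & ECDHE and "tlsecname" not in d:
        findings.append("ECDHE requested but TLSECName is missing")
    if added & DHE and "tlsdhparamfile" not in d:
        findings.append("DHE requested but TLSDHParamFile is missing")
    # Heuristic (assumption): any other added keyword may pull in suites
    # whose key exchange is not ephemeral, e.g. HIGH includes RSA key exchange.
    other = sorted(added - ECDHE - DHE)
    if other:
        findings.append("non-forward-secret key exchange possible via: " + ", ".join(other))
    if not added & (ECDHE | DHE):
        findings.append("no forward-secret key exchange requested in TLSCipherSuite")
    return findings

# The three configurations quoted in the log message.
FS_ONLY = "TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL\nTLSECName      prime256v1\n"
COMPAT = "TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL\nTLSECName      prime256v1\n"
COMPAT_DH = ("TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL\n"
             "TLSDHParamFile /etc/openssl/certs/dh2048.pem\nTLSECName      prime256v1\n")
# Constructed sample: cipher string updated, companion directives forgotten.
INCOMPLETE = "# constructed sample\nTLSCipherSuite EECDH:EDH:!aNULL:!eNULL\n"

if __name__ == "__main__":
    for name in ("FS_ONLY", "COMPAT", "COMPAT_DH", "INCOMPLETE"):
        print(name, audit_forward_secrecy(globals()[name]))
```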


