Hi! Thanks for taking the time to file a bug.

Were there any additional log messages from ldap that specify additional
details to the cause of the failure that would help triage why ldap is
not happy about that option suddenly?

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1724285

Title:
  Diffie Hellman parameter created with parameter "-dsaparam" stopped
  working with slapd

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  If the DH parameter is created with openssl and the '-dsaparam' parameter is
  set, the resulting Diffie Hellman parameter cannot be added to the openldap
  server.
  If an existing dhparam is replaced with one which is created with '-dsaparam',
  slapd won't start anymore.

  From the openssl manpage:
   -dsaparam
      If this option is used, DSA rather than DH parameters are read or
      created; they are converted to DH format. Otherwise, "strong" primes
      (such that (p-1)/2 is also prime) will be used for DH parameter
      generation. DH parameter generation with the -dsaparam option is much
      faster, and the recommended exponent length is shorter, which makes DH
      key exchange more efficient. Beware that with such DSA-style DH
      parameters, a fresh DH key should be created for each use to avoid
      small-subgroup attacks that may be possible otherwise.

  
  # Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
  openssl dhparam -outform PEM -out dhparam.pem 2048

  # Works only with 2.4.44+dfsg-3ubuntu2.1
  openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048

  
  Adding to ldap:
  dn: cn=config
  changetype: modify
  replace: olcTLSDHParamFile
  olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem

  Error message from ldap server:
  ldap_modify: Other (e.g., implementation specific) error (80)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1724285/+subscriptions
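The report above contrasts two kinds of dhparam file: the default output, whose p is a "strong" (safe) prime, and the -dsaparam output, which carries a subgroup order q. The script below is an added example, not code from the bug report or from the openldap or openssl projects. It lets an administrator inspect a dhparam file before pointing olcTLSDHParamFile at it: it parses the PEM/DER that `openssl dhparam` writes (the PKCS#3 "DH PARAMETERS" label with p, g; the "X9.42 DH PARAMETERS" label with p, g, q, which OpenSSL uses when a q is present) and reports the encoding, the size of p and whether p is a safe prime, i.e. whether (p-1)/2 is also prime. The sample parameters built at the bottom are tiny constructed toy values, not real groups; the function and constant names are this example's own.

```python
"""Check what kind of DH parameter file is about to be handed to slapd.

Added example; not from the bug report or the openldap/openssl projects.
Parses the PKCS#3 ("DH PARAMETERS": p, g) and X9.42 ("X9.42 DH PARAMETERS":
p, g, q) encodings written by `openssl dhparam` and reports whether p is a
safe prime, the property the quoted manpage contrasts with DSA-style groups.
"""
import base64
import random
import re

PKCS3_LABEL = "DH PARAMETERS"
X942_LABEL = "X9.42 DH PARAMETERS"


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v):
    """DER INTEGER: minimal big-endian, 0x00 prefix if the high bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)


_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9. ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams(pem_text):
    """Return {'label', 'p', 'g', 'q'}; q is None for PKCS#3 files."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            break  # optional X9.42 fields (j, validationParms) are not needed
        ints.append(int.from_bytes(val, "big"))
    if label == PKCS3_LABEL and len(ints) >= 2:
        return {"label": label, "p": ints[0], "g": ints[1], "q": None}
    if label == X942_LABEL and len(ints) >= 3:
        return {"label": label, "p": ints[0], "g": ints[1], "q": ints[2]}
    raise ValueError("unrecognised DH parameter encoding: %s" % label)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed witness seed, so results are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify(pem_text):
    """Summarise a dhparam file: encoding label, size, q present, safe prime."""
    params = parse_dhparams(pem_text)
    p = params["p"]
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"label": params["label"], "bits": p.bit_length(),
            "has_q": params["q"] is not None, "safe_prime": safe}


# Constructed toy inputs: a safe prime (23 = 2*11+1, g = 5) in PKCS#3 form,
# and a DSA-style group (p = 43, q = 7, g = 21 of order 7) in X9.42 form.
SAFE_PEM = to_pem(PKCS3_LABEL, der_sequence(der_integer(23), der_integer(5)))
DSA_STYLE_PEM = to_pem(X942_LABEL, der_sequence(der_integer(43), der_integer(21),
                                                der_integer(7)))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. /etc/ldap/ssl/dhparam.pem
        with open(path) as fh:
            print(path, classify(fh.read()))
    print("constructed PKCS#3:", classify(SAFE_PEM))
    print("constructed X9.42 :", classify(DSA_STYLE_PEM))
```

Run it with the path of the file you intend to configure as olcTLSDHParamFile; a result with `has_q` true and `safe_prime` false is a -dsaparam style file, the kind the report says the newer package rejects, while the default `openssl dhparam` output shows `safe_prime` true. The Miller-Rabin step is probabilistic but seeded, so repeated runs on the same file give the same answer.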
