[Touch-packages] [Bug 1724285] Re: Diffie Hellman parameter created with paramter "-dsaparam" stopped working with slapd

Mon, 18 Dec 2017 20:26:45 -0800 

[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1724285

Title:
  Diffie Hellman parameter created with paramter "-dsaparam" stopped
  working with slapd

Status in openldap package in Ubuntu:
  Expired

Bug description:
  If the dh parameter is created with openssl and the '-dsaparam' parameter is 
  set the resulting diffi hellman paramter can not be added to the openldap 
server.
  If a existing dhparam is replaced with one which is create with '-dsaparam'
  slapd wont start anymore.

  From the openssl manpage:
   -dsaparam
      If this option is used, DSA rather than DH parameters are read or 
created; they are converted to DH format. Otherwise, "strong" primes (such that 
(p-1)/2 is also prime) will be used for DH parameter generation. DH parameter 
generation with the -dsaparam option is much faster, and the recommended 
exponent length is shorter, which makes DH key exchange more efficient. Beware 
that with such DSA-style DH parameters, a fresh DH key should be created for 
each use to avoid small-subgroup attacks that may be possible otherwise. 

  
  # Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
  openssl dhparam -outform PEM -out dhparam.pem 2048

  # Works only with 2.4.44+dfsg-3ubuntu2.1
  openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048

  
  Adding to ldap:
  dn: cn=config
  changetype: modify
  replace: olcTLSDHParamFile
  olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem

  Error message from ldap server:
  ldap_modify: Other (e.g., implementation specific) error (80)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1724285/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to