Public bug reported:
If the DH parameter is created with openssl and the '-dsaparam' parameter is
set, the resulting Diffie-Hellman parameter cannot be added to the openldap
server.
If an existing dhparam is replaced with one which is created with '-dsaparam',
slapd won't start anymore.
From the openssl manpage:
-dsaparam
If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2
is also prime) will be used for DH parameter generation. DH parameter
generation with the -dsaparam option is much faster, and the recommended
exponent length is shorter, which makes DH key exchange more efficient. Beware
that with such DSA-style DH parameters, a fresh DH key should be created for
each use to avoid small-subgroup attacks that may be possible otherwise.
# Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
openssl dhparam -outform PEM -out dhparam.pem 2048
# Works only with 2.4.44+dfsg-3ubuntu2.1
openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048
Adding to ldap:
dn: cn=config
changetype: modify
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem
Error message from ldap server:
ldap_modify: Other (e.g., implementation specific) error (80)
** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New
** Tags: dsaparam openldap openssl slapd
** Tags added: dsaparam openldap openssl slapd
https://bugs.launchpad.net/bugs/1724285
Title:
Diffie Hellman parameter created with parameter "-dsaparam" stopped
working with slapd
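
Added example (not part of the original bug report, and not OpenLDAP or OpenSSL code): a standard-library Python check that reads a PEM DH parameter file such as the dhparam.pem above and reports whether p is a safe prime, the property the quoted man page says is only used without -dsaparam. It assumes the PEM body is a DER SEQUENCE whose first INTEGER is p; the function names and the two toy-sized sample parameter sets are constructed for illustration.

```python
import base64, random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n composite
    return True

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_dh_pem(pem):
    """Classify the modulus p found in a PEM-encoded DH parameter block."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-"))
    tag, seq, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    p = int.from_bytes(read_tlv(seq, 0)[1], "big")  # first INTEGER is p
    if not is_probable_prime(p):
        return "invalid: p is not prime"
    return "safe prime" if is_probable_prime((p - 1) // 2) else "not a safe prime"

def make_pem(p, g=2):
    """Encode constructed sample parameters (short-form DER lengths only)."""
    ints = b"".join(bytes([2, v.bit_length() // 8 + 1]) +
                    v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (p, g))
    b64 = base64.b64encode(bytes([0x30, len(ints)]) + ints).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"

SAFE_PEM = make_pem(2039)            # constructed toy value: 2039 = 2*1019 + 1
NOT_SAFE_PEM = make_pem(2**127 - 1)  # constructed: (p-1)/2 = 2**126 - 1 = 3 * ...
```

To check a real file, pass the contents of /etc/ldap/ssl/dhparam.pem to classify_dh_pem before pointing olcTLSDHParamFile at it.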