[Touch-packages] [Bug 1724285] Re: Diffie Hellman parameter created with parameter "-dsaparam" stopped working with slapd

2017-12-18 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1724285

Title:
  Diffie Hellman parameter created with parameter "-dsaparam" stopped
  working with slapd

Status in openldap package in Ubuntu:
  Expired

Bug description:
  If the DH parameter is created with openssl and the '-dsaparam' parameter is
  set, the resulting Diffie-Hellman parameter cannot be added to the openldap
  server.
  If an existing dhparam is replaced with one which is created with '-dsaparam',
  slapd won't start anymore.

  From the openssl manpage:
   -dsaparam
  If this option is used, DSA rather than DH parameters are read or 
created; they are converted to DH format. Otherwise, "strong" primes (such that 
(p-1)/2 is also prime) will be used for DH parameter generation. DH parameter 
generation with the -dsaparam option is much faster, and the recommended 
exponent length is shorter, which makes DH key exchange more efficient. Beware 
that with such DSA-style DH parameters, a fresh DH key should be created for 
each use to avoid small-subgroup attacks that may be possible otherwise. 

  
  # Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
  openssl dhparam -outform PEM -out dhparam.pem 2048

  # Works only with 2.4.44+dfsg-3ubuntu2.1
  openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048

  
  Adding to ldap:
  dn: cn=config
  changetype: modify
  replace: olcTLSDHParamFile
  olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem

  Error message from ldap server:
  ldap_modify: Other (e.g., implementation specific) error (80)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1724285/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1724285] Re: Diffie Hellman parameter created with parameter "-dsaparam" stopped working with slapd

2017-10-19 Thread Thorsten Seeger
Hi Joshua,

The problem exists since Ubuntu 17.10 (slapd 2.4.45+dfsg-1ubuntu1). Dhparams
created with openssl without '-dsaparam' work fine.

Here is a full log taken while trying to add the dhparam with '-dsaparam'.

Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: slap_listener_activate(10):
Okt 19 09:34:55 dc01 slapd[7928]: >>> slap_listener(ldapi:///)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 busy
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: listen=10, new connection on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:  14r
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: read active on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: added 14r (active) listener=(nil)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 
tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14): got connid=
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): checking for input on 
id=
Okt 19 09:34:55 dc01 slapd[7928]: op tag 0x60, time 1508398495
Okt 19 09:34:55 dc01 slapd[7928]: conn= op=0 do_bind
Okt 19 09:34:55 dc01 slapd[7928]: >>> dnPrettyNormal: <>
Okt 19 09:34:55 dc01 slapd[7928]: <<< dnPrettyNormal: <>, <>
Okt 19 09:34:55 dc01 slapd[7928]: conn= op=0 BIND dn="" method=163
Okt 19 09:34:55 dc01 slapd[7928]: do_bind: dn () SASL mech EXTERNAL
Okt 19 09:34:55 dc01 slapd[7928]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Okt 19 09:34:55 dc01 slapd[7928]: SASL Canonicalize [conn=]: 
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: slap_sasl_getdn: conn  
id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
Okt 19 09:34:55 dc01 slapd[7928]: ==>slap_sasl2dn: converting SASL name 
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Okt 19 09:34:55 dc01 slapd[7928]: <==slap_sasl2dn: Converted SASL name to 

Okt 19 09:34:55 dc01 slapd[7928]: SASL Canonicalize [conn=]: 
slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: SASL proxy authorize [conn=]: 
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: conn= op=0 BIND 
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: SASL Authorize [conn=]:  proxy 
authorization allowed authzDN=""
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_sasl: err=0 len=-1
Okt 19 09:34:55 dc01 slapd[7928]: conn= op=0 BIND 
dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL 
sasl_ssf=0 ssf=71
Okt 19 09:34:55 dc01 slapd[7928]: do_bind: SASL/EXTERNAL bind: 
dn="gidNumber=0+uidNumber=0,cn=peercred,cn=e

[Touch-packages] [Bug 1724285] Re: Diffie Hellman parameter created with parameter "-dsaparam" stopped working with slapd

2017-10-18 Thread Joshua Powers
Hi! Thanks for taking the time to file a bug.

Were there any additional log messages from ldap that specify additional
details to the cause of the failure that would help triage why ldap is
not happy about that option suddenly?

** Changed in: openldap (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1724285

Title:
  Diffie Hellman parameter created with parameter "-dsaparam" stopped
  working with slapd

Status in openldap package in Ubuntu:
  Incomplete