enterprise-support team mailing list archive
Message #06864
[Bug 1724285] [NEW] Diffie-Hellman parameter created with parameter "-dsaparam" stopped working with slapd
Public bug reported:
If the DH parameter is created with openssl and the '-dsaparam' parameter is
set, the resulting Diffie-Hellman parameter cannot be added to the openldap server.
If an existing dhparam is replaced with one which is created with '-dsaparam',
slapd won't start anymore.
From the openssl manpage:
-dsaparam
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation. DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
# Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
openssl dhparam -outform PEM -out dhparam.pem 2048
# Works only with 2.4.44+dfsg-3ubuntu2.1
openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048
Adding to ldap:
dn: cn=config
changetype: modify
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem
Error message from ldap server:
ldap_modify: Other (e.g., implementation specific) error (80)
** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New
** Tags: dsaparam openldap openssl slapd
** Tags added: dsaparam openldap openssl slapd
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1724285
Title:
Diffie-Hellman parameter created with parameter "-dsaparam" stopped
working with slapd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1724285/+subscriptions
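The report above turns on the difference the manpage describes: the default `openssl dhparam` output uses a "safe" prime (p where (p-1)/2 is also prime), while `-dsaparam` produces DSA-style parameters whose (p-1)/2 is composite, so small subgroups exist and a fresh DH key is needed per use. The following script is an added example, not code from the bug report, OpenLDAP or OpenSSL: it parses the PKCS#3 `DH PARAMETERS` PEM structure (SEQUENCE of INTEGER p, INTEGER g; any trailing fields are ignored) with the standard library only and classifies the parameters by testing p and (p-1)/2 for primality, which is the check an operator would want before pointing `olcTLSDHParamFile` at a new file. The toy 1283-bit-free values (1283 = 2*641+1 as the safe prime, 199 with subgroup order 11 as the DSA-style one) are constructed for the demonstration; real files carry 2048-bit moduli, which the same code handles.

```python
"""Classify an OpenSSL dhparam.pem as safe-prime (plain `openssl dhparam`)
or DSA-style (`openssl dhparam -dsaparam`) parameters.

Added example; not part of the bug report or of OpenLDAP/OpenSSL.
Standard library only; function names here are the example's own.
"""
import base64
import random

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    seq_body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params_pem(pem: str):
    """Parse a `-----BEGIN ... PARAMETERS-----` PEM back into (p, g).
    Only the first two INTEGERs are used; extra fields (e.g. q) are ignored."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, with trial division first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so runs are reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_dhparam(pem: str) -> str:
    """'safe-prime' if (p-1)/2 is prime (default dhparam), 'dsa-style' otherwise."""
    p, _g = decode_dh_params_pem(pem)
    if not is_probable_prime(p):
        return "invalid: p is not prime"
    if is_probable_prime((p - 1) // 2):
        return "safe-prime"
    return "dsa-style"  # composite (p-1)/2: small subgroups, per-use DH key needed


# Constructed toy values (real files use 2048-bit p). 1283 = 2*641+1 is a safe prime.
SAFE_PEM = encode_dh_params_pem(1283, 2)
# DSA-style: p = 199, q = 11 divides p-1 = 198 = 2*9*11, so (p-1)/2 = 99 is composite.
DSA_P, DSA_Q = 199, 11
DSA_G = pow(2, (DSA_P - 1) // DSA_Q, DSA_P)  # generator of the order-q subgroup
DSA_PEM = encode_dh_params_pem(DSA_P, DSA_G)

if __name__ == "__main__":
    for name, pem in (("default dhparam", SAFE_PEM), ("-dsaparam", DSA_PEM)):
        print(f"{name}: {classify_dhparam(pem)}")
```

To inspect a real file, read it and pass its text to `classify_dhparam`; on a 2048-bit modulus the Miller-Rabin rounds take a moment but finish well within a second.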