Diffie Hellman parameter created with parameter "-dsaparam" stopped working with slapd

Bug #1724285 reported by Thorsten Seeger
Affects            Status    Importance  Assigned to  Milestone
openldap (Ubuntu)  Expired   Undecided   Unassigned   (none)

Bug Description

If the DH parameter is created with openssl and the '-dsaparam' option is
set, the resulting Diffie-Hellman parameter cannot be added to the OpenLDAP server.
If an existing dhparam is replaced with one which is created with '-dsaparam',
slapd won't start anymore.

From the openssl manpage:
 -dsaparam
    If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation. DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.

# Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
openssl dhparam -outform PEM -out dhparam.pem 2048

# Works only with 2.4.44+dfsg-3ubuntu2.1
openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048

Adding to ldap:
dn: cn=config
changetype: modify
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem

Error message from ldap server:
ldap_modify: Other (e.g., implementation specific) error (80)
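The man-page excerpt above draws the line between the two kinds of parameter file the report is comparing: plain `openssl dhparam` writes PKCS#3 parameters (p, g) with p a safe prime, while `-dsaparam` writes DSA-style parameters that also carry the subgroup order q and whose p is generally not a safe prime, which is why the man page tells you to use a fresh DH key per exchange. The following script is an added example (not code from this report, from OpenLDAP or from OpenSSL) that parses a dhparam PEM file, reports which shape it has, runs the primality and subgroup checks a server operator would want before deploying the file, and shows the peer-public-key validation that defends against small-subgroup confinement. The PEM header strings follow OpenSSL's "DH PARAMETERS" / "X9.42 DH PARAMETERS" labels; the tiny primes (p=23 and p=103) are constructed for the demo and the real file is only read when a path is given on the command line.

```python
"""Classify an OpenSSL dhparam PEM file as PKCS#3 (p, g) or DSA-style
X9.42 (p, g, q) and run the sanity checks a server should apply.

Added example: not code from the bug report, OpenLDAP or OpenSSL.
The small parameters used in the demo are constructed, not real-world sizes."""
import base64
import random
import sys
from typing import Optional

# ---- minimal DER/PEM helpers: only what a dhparam file needs ----

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02), minimal two's complement, non-negative only."""
    if value < 0:
        raise ValueError("DH parameters are non-negative integers")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # keep the sign bit clear
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body

def encode_dhparam_pem(p: int, g: int, q: Optional[int] = None) -> str:
    """PKCS#3 block for (p, g); X9.42-style block when q is present."""
    if q is None:
        label, der = "DH PARAMETERS", der_sequence(der_integer(p), der_integer(g))
    else:
        label = "X9.42 DH PARAMETERS"
        der = der_sequence(der_integer(p), der_integer(g), der_integer(q))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def _read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def parse_dhparam_pem(pem: str) -> dict:
    """Return {'p', 'g', 'q'}; q is None for a PKCS#3 file."""
    lines = pem.strip().splitlines()
    if not lines[0].startswith("-----BEGIN") or "DH PARAMETERS" not in lines[0]:
        raise ValueError("not a DH parameters PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    ints, off = [], 0
    while off < len(seq) and len(ints) < 3:  # X9.42 optional fields after q are ignored
        tag, val, off = _read_tlv(seq, off)
        if tag != 0x02:
            break
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("DH parameters need at least p and g")
    return {"p": ints[0], "g": ints[1], "q": ints[2] if len(ints) == 3 else None}

# ---- the checks ----

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division followed by Miller-Rabin with fixed-seed witnesses."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def classify_dhparam(pem: str) -> dict:
    """Shape of the file plus the checks that matter for each shape."""
    prm = parse_dhparam_pem(pem)
    p, g, q = prm["p"], prm["g"], prm["q"]
    p_prime = is_probable_prime(p)
    report = {"bits": p.bit_length(), "dsa_style": q is not None, "p_prime": p_prime,
              "safe_prime": p_prime and is_probable_prime((p - 1) // 2),
              "g_in_range": 1 < g < p - 1}
    if q is not None:                       # DSA-style: q must be a prime order of g
        report["q_prime"] = is_probable_prime(q)
        report["q_divides_p_minus_1"] = (p - 1) % q == 0
        report["g_has_order_q"] = g != 1 and pow(g, q, p) == 1
    return report

def peer_public_key_ok(p: int, y: int, q: Optional[int] = None) -> bool:
    """Reject trivial public values and, when q is known, anything outside the
    order-q subgroup: the defence the man page's small-subgroup warning calls for."""
    if not 1 < y < p - 1:
        return False
    return q is None or pow(y, q, p) == 1

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. /etc/ldap/ssl/dhparam.pem
        print(classify_dhparam(open(sys.argv[1]).read()))
    else:                                   # constructed demo parameters
        print("PKCS#3  :", classify_dhparam(encode_dhparam_pem(23, 5)))
        print("DSA-style:", classify_dhparam(encode_dhparam_pem(103, 64, 17)))
```

Running it on the two constructed inputs shows the contrast: the (23, 5) set is a safe-prime group, while (103, 64, 17) has q present, p prime but (p-1)/2 composite, and g of order q. Pointing it at a real file tells you which of the two shapes you are about to hand to slapd, independent of what the server does with it.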

Changed in openldap (Ubuntu):
assignee: nobody → Thorsten Seeger (thseeger)
assignee: Thorsten Seeger (thseeger) → nobody
tags: added: dsaparam openldap openssl slapd
Joshua Powers (powersj) wrote :

Hi! Thanks for taking the time to file a bug.

Were there any additional log messages from ldap that specify additional details to the cause of the failure that would help triage why ldap is not happy about that option suddenly?

Changed in openldap (Ubuntu):
status: New → Incomplete
Thorsten Seeger (thseeger) wrote :

Hi Joshua,

The problem has existed since Ubuntu 17.10 (slapd 2.4.45+dfsg-1ubuntu1). Dhparams created with openssl without '-dsaparam' work fine.

Here is a full log taken while trying to add the dhparam created with '-dsaparam'.

Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: slap_listener_activate(10):
Okt 19 09:34:55 dc01 slapd[7928]: >>> slap_listener(ldapi:///)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 busy
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: listen=10, new connection on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]: 14r
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: read active on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: added 14r (active) listener=(nil)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14): got connid=1111
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): checking for input on id=1111
Okt 19 09:34:55 dc01 slapd[7928]: op tag 0x60, time 1508398495
Okt 19 09:34:55 dc01 slapd[7928]: conn=...

Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired