Diffie-Hellman parameter created with parameter "-dsaparam" stopped working with slapd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
If the DH parameter is created with openssl and the '-dsaparam' parameter is
set, the resulting Diffie-Hellman parameter cannot be added to the openldap server.
If an existing dhparam is replaced with one which is created with '-dsaparam',
slapd won't start anymore.
From the openssl manpage:
-dsaparam
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation. DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
# Works with openldap 2.4.44+
openssl dhparam -outform PEM -out dhparam.pem 2048
# Works only with 2.4.44+
openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048
Adding to ldap:
dn: cn=config
changetype: modify
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/ldap/
Error message from ldap server:
ldap_modify: Other (e.g., implementation specific) error (80)
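As an added check (not part of the bug report or of OpenLDAP), the following Python script parses a PEM DH parameter file and reports whether p is a safe prime, which is what separates the default `openssl dhparam` output from the `-dsaparam` output described in the manpage excerpt above; it assumes a PKCS#3 or X9.42 encoding and uses two constructed toy files in place of real 2048-bit groups.

```python
import base64, random, re
def der_sequence_integers(der: bytes) -> list:
    """Return the leading INTEGERs of a DER SEQUENCE: p, g, then q (X9.42) or privateValueLength (PKCS#3)."""
    def read_len(i):  # DER length: short form (< 0x80) or 0x8N followed by N length bytes
        if der[i] < 0x80:
            return der[i], i + 1
        n = der[i] & 0x7F
        return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n
    assert der[0] == 0x30, "not a DER SEQUENCE"
    seq_len, i = read_len(1)
    ints, end = [], i + seq_len
    while i < end and der[i] == 0x02:
        length, i = read_len(i + 1)
        ints.append(int.from_bytes(der[i:i + length], "big", signed=True))
        i += length
    return ints

def pem_to_der(pem: str) -> bytes:
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; a composite slips through with probability < 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (random.randrange(2, n - 1) for _ in range(rounds)):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def classify_dhparams(pem: str) -> str:
    """'safe-prime': (p-1)/2 is prime (dhparam default); 'dsa-style': p prime but not safe (-dsaparam)."""
    p = der_sequence_integers(pem_to_der(pem))[0]
    if not is_probable_prime(p):
        return "invalid"
    return "safe-prime" if is_probable_prime((p - 1) // 2) else "dsa-style"

# Constructed toy files (tiny primes, not real 2048-bit groups): p=23, g=5 and p=31, g=2, q=5
SAFE_PRIME_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"
DSA_STYLE_PEM = "-----BEGIN X9.42 DH PARAMETERS-----\nMAkCAR8CAQICAQU=\n-----END X9.42 DH PARAMETERS-----\n"
```

To check a real file before pointing olcTLSDHParamFile at it, call `classify_dhparams(open("dhparam.pem").read())`; a 2048-bit input takes well under a second.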
Changed in openldap (Ubuntu):
assignee: nobody → Thorsten Seeger (thseeger)
assignee: Thorsten Seeger (thseeger) → nobody
tags: added: dsaparam openldap openssl slapd
Hi! Thanks for taking the time to file a bug.
Were there any additional log messages from ldap that give additional details about the cause of the failure, which would help triage why ldap is not happy about that option suddenly?