Hi Vadim,

I only use ldapd in a local context but I'll have a look tomorrow and
come up with a diff for that.

Thanks,
Gilles


On Sat, Jan 19, 2013 at 01:56:12PM +0100, Vadim Agarkov wrote:
> Hello!
> 
> Debian's (as well as Ubuntu's) openldap client is linked against
> GnuTLS library in contrast to the OpenBSD one which is linked
> against openssl library. Recent GnuTLS versions have more strict
> settings - they won't allow dh params with 512 bits or less and
> OpenBSD's ldapd daemon uses 512-bit DH params. There is a function
> "gnutls_dh_set_prime_bits" which overrides default GnuTLS settings,
> but it looks like it is not supported by openldap client yet.
> 
> Here are some links regarding GnuTLS problem:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117
> 
> The "good" fix for this would be setting dh params with strong (more
> than 512) bits on the ldapd server side, but it is not possible with
> current version of ldapd:
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain
> 
> there is a hardcoded 512bit DH value as you can see. And it would be
> nice if there was an option to set dh params like it is in OpenSMTPd
> (or at least set default bits for DH to be 1024 - as it is now in
> the same said OpenSMTPd):
> 
> http://www.opensmtpd.org/smtpd.conf.5.html
> 
> "Host certificates may be used for these connections, and are
> searched for in the /etc/mail/certs directory. If certificate is
> specified, a certificate <name>.crt, a key <name>.key, a certificate
> authority <name>.ca and Diffie-Hellman parameters <name>.dh are
> searched for. If no certificate is specified, the default interface
> name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and
> fxp0.dh. If no DH parameters are provided, smtpd will use built-in
> parameters. Creation of certificates is documented in starttls(8)."
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain
> 
> 
> And as for now, the real workaround, that I see, is either to allow
> insecure ldap connections or use third-party tools like stunnel - it
> has default dh params with long enough primes and also can be set to
> use your custom dh params file.
> 
> JFYI, you can check dh params returned by the server using
> gnutls-cli utility. For example, the things should look like the
> following for 2048-bit DH params:
> =====================================================
> $ gnutls-cli -s -p 636 ldap.your_cool_server.net
> Resolving 'ldap.your_cool_server.net'...
> Connecting to 'XXXXXXXXXXXXXX:636'...
> 
> - Simple Client Mode:
> 
> <click ctrl+d>
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 2048 bits
>  - Secret key: 2047 bits
>  - Peer's public key: 2048 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>  - Certificate[0] info:
> ...
> =====================================================
> 
> 
> Hope that sheds some light on this problem..
> 
> P.S. I CC'ed ldapd developers in order to have some hope this might
> be fixed one day..
> 
> ---
> thanks,
> VA
> 
> On 2011-01-21 19:21, Joel Carnat wrote:
> >Hello,
> >
> >On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9
> >ldapd(8).
> >It works from the local OpenBSD and from a remote NetBSD server.
> >All machines have the CA file installed in the OpenSSL directory
> >and the ldap.conf file configured to use that particular CA file.
> >
> >Here's what I get on the Linux box:
> >$ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D
> >"cn=email,dc=tumfatig,dc=net" \
> >-W -b "ou=users,dc=tumfatig,dc=net" mail=j...@carnat.net
> >ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
> >ldap_create
> >ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
> >Enter LDAP Password:
> >ldap_sasl_bind
> >ldap_send_initial_request
> >ldap_new_connection 1 1 0
> >ldap_int_open_connection
> >ldap_connect_to_host: TCP ldap.tumfatig.net:636
> >ldap_new_socket: 3
> >ldap_prepare_socket: 3
> >ldap_connect_to_host: Trying 10.0.0.50:636
> >ldap_pvt_connect: fd: 3 tm: -1 async: 0
> >TLS: can't connect: The Diffie Hellman prime sent by the server is
> >not acceptable \
> >(not long enough)..
> >ldap_err2string
> >ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> >Not sure if that matters, but the OpenBSD's openssl.cnf (which was
> >used to generate
> >and sign the CA and certificate files) contains:
> >default_bits = 4096
> >
> >Is there a way to tell ldapd(8) to use a bigger DH value ?
> >
> >TIA,
> >  Jo
> 

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
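Added example, not code from this thread, from ldapd or from OpenSMTPd: a small Python check in the spirit of Vadim's gnutls-cli tip above. It parses the "Using prime: N bits" line of a gnutls-cli transcript (line format taken from the quoted output) and flags servers whose ephemeral DH prime is below a policy floor, which is what a GnuTLS-linked ldapsearch trips over. The sample transcripts are constructed, the 2048-bit floor is an assumed policy value, and run_gnutls_cli() is an assumed wrapper around the exact invocation shown in the thread (closing stdin stands in for the ctrl+d).

```python
import re
import subprocess

# Constructed sample outputs, modelled on the gnutls-cli transcript quoted in
# the thread (not captured from any real server).
SAMPLE_512 = """\
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 512 bits
 - Secret key: 511 bits
 - Peer's public key: 512 bits
- Certificate type: X.509
"""

SAMPLE_2048 = SAMPLE_512.replace("512", "2048").replace("511", "2047")

# Transcript with no DHE block at all (a non-DHE cipher suite was negotiated).
SAMPLE_NO_DHE = """\
*** Starting TLS handshake
- Certificate type: X.509
"""

# Assumed policy floor: GnuTLS refused the 512-bit params in the thread, and
# 2048 is what the quoted "good" transcript shows. Anything below is a finding.
MIN_DH_BITS = 2048

# The "- Using prime: N bits" line format comes from the quoted transcript.
DH_PRIME_RE = re.compile(r"^\s*-\s*Using prime:\s*(\d+)\s*bits", re.MULTILINE)


def dh_prime_bits(output):
    """Return the ephemeral DH prime size reported by gnutls-cli, or None if
    the transcript contains no DHE parameters block."""
    m = DH_PRIME_RE.search(output)
    return int(m.group(1)) if m else None


def check_dh(output, minimum=MIN_DH_BITS):
    """Classify a gnutls-cli transcript against the DH prime size floor."""
    bits = dh_prime_bits(output)
    if bits is None:
        return {"bits": None, "status": "no-dhe",
                "note": "no ephemeral DH parameters reported; nothing to judge"}
    if bits < minimum:
        return {"bits": bits, "status": "weak",
                "note": "DH prime of %d bits is below the %d-bit floor; "
                        "GnuTLS-linked clients will refuse the handshake"
                        % (bits, minimum)}
    return {"bits": bits, "status": "ok",
            "note": "DH prime of %d bits meets the %d-bit floor" % (bits, minimum)}


def run_gnutls_cli(host, port=636):
    """Assumed wrapper: run gnutls-cli exactly as in the thread (-s -p PORT HOST)
    and return its combined output. Sending empty stdin (input="") is the
    equivalent of the ctrl+d shown in the transcript. Needs gnutls-cli
    installed and network access; not exercised by the offline samples."""
    proc = subprocess.run(["gnutls-cli", "-s", "-p", str(port), host],
                          input="", capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check against a host given on the command line.
        print(check_dh(run_gnutls_cli(sys.argv[1])))
    else:
        # Offline: show the constructed weak and acceptable cases.
        for sample in (SAMPLE_512, SAMPLE_2048, SAMPLE_NO_DHE):
            print(check_dh(sample))
```

Run it with no arguments to see the three constructed cases classified, or with a hostname to run the real gnutls-cli probe. The "no-dhe" status is deliberately separate from "ok": a transcript without a DHE block says nothing about the server's DH parameters, so it should not be reported as passing.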
