guys,

no feedback on the diff I sent :/

On Sun, Jan 20, 2013 at 12:31:41PM +0100, Gilles Chehade wrote:
> Hi Vadim,
> 
> I only use ldapd in a local context but I'll have a look tomorrow and
> come up with a diff for that.
> 
> Thanks,
> Gilles
> 
> 
> On Sat, Jan 19, 2013 at 01:56:12PM +0100, Vadim Agarkov wrote:
> > Hello!
> > 
> > Debian's (as well as Ubuntu's) openldap client is linked against
> > GnuTLS library in contrast to the OpenBSD one which is linked
> > against openssl library. Recent GnuTLS versions have more strict
> > settings - they won't allow dh params with 512 bits or less and
> > OpenBSD's ldapd daemon uses 512-bit DH params. There is a function
> > "gnutls_dh_set_prime_bits" which overrides default GnuTLS settings,
> > but it looks like it is not supported by openldap client yet.
> > 
> > Here are some links regarding GnuTLS problem:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117
> > 
> > The "good" fix for this would be setting dh params with strong (more
> > than 512) bits on the ldapd server side, but it is not possible with
> > current version of ldapd:
> > 
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain
> > 
> > there is a hardcoded 512-bit DH value as you can see. And it would be
> > nice if there was an option to set dh params like it is in OpenSMTPd
> > (or at least set default bits for DH to be 1024 - as it is now in
> > the same said OpenSMTPd):
> > 
> > http://www.opensmtpd.org/smtpd.conf.5.html
> > 
> > "Host certificates may be used for these connections, and are
> > searched for in the /etc/mail/certs directory. If certificate is
> > specified, a certificate <name>.crt, a key <name>.key, a certificate
> > authority <name>.ca and Diffie-Hellman parameters <name>.dh are
> > searched for. If no certificate is specified, the default interface
> > name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and
> > fxp0.dh. If no DH parameters are provided, smtpd will use built-in
> > parameters. Creation of certificates is documented in starttls(8)."
> > 
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain
> > 
> > 
> > And as for now, the real workaround that I see is either to allow
> > insecure ldap connections or use third-party tools like stunnel - it
> > has default dh params with long enough primes and also can be set to
> > use your custom dh params file.
> > 
> > JFYI, you can check dh params returned by the server using
> > gnutls-cli utility. For example, the things should look like the
> > following for 2048-bit DH params:
> > =====================================================
> > $ gnutls-cli -s -p 636 ldap.your_cool_server.net
> > Resolving 'ldap.your_cool_server.net'...
> > Connecting to 'XXXXXXXXXXXXXX:636'...
> > 
> > - Simple Client Mode:
> > 
> > <click ctrl+d>
> > *** Starting TLS handshake
> > - Ephemeral Diffie-Hellman parameters
> >  - Using prime: 2048 bits
> >  - Secret key: 2047 bits
> >  - Peer's public key: 2048 bits
> > - Certificate type: X.509
> >  - Got a certificate list of 1 certificates.
> >  - Certificate[0] info:
> > ...
> > =====================================================
> > 
> > 
> > Hope that sheds some light on this problem.
> > 
> > P.S. I CC'ed ldapd developers in order to have some hope this might
> > be fixed one day.
> > 
> > ---
> > thanks,
> > VA
> > 
> > On 2011-01-21 19:21, Joel Carnat wrote:
> > >Hello,
> > >
> > >On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9
> > >ldapd(8).
> > >It works from the local OpenBSD and from a remote NetBSD server.
> > >All machines have the CA file installed in the OpenSSL directory
> > >and the ldap.conf file configured to use that particular CA file.
> > >
> > >Here's what I get on the Linux box:
> > >$ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D
> > >"cn=email,dc=tumfatig,dc=net" \
> > >-W -b "ou=users,dc=tumfatig,dc=net" mail=j...@carnat.net
> > >ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
> > >ldap_create
> > >ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
> > >Enter LDAP Password:
> > >ldap_sasl_bind
> > >ldap_send_initial_request
> > >ldap_new_connection 1 1 0
> > >ldap_int_open_connection
> > >ldap_connect_to_host: TCP ldap.tumfatig.net:636
> > >ldap_new_socket: 3
> > >ldap_prepare_socket: 3
> > >ldap_connect_to_host: Trying 10.0.0.50:636
> > >ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > >TLS: can't connect: The Diffie Hellman prime sent by the server is
> > >not acceptable \
> > >(not long enough)..
> > >ldap_err2string
> > >ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > >
> > >Not sure if that matters, but the OpenBSD's openssl.cnf (which was
> > >used to generate
> > >and sign the CA and certificate files) contains:
> > >default_bits = 4096
> > >
> > >Is there a way to tell ldapd(8) to use a bigger DH value?
> > >
> > >TIA,
> > >  Jo
> > 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org                                          @poolpOrg
> 

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
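The thread turns on whether the DH parameters a server loads carry a prime longer than 512 bits. As an added example (not from this thread, nor from ldapd or OpenSMTPD), here is a minimal parser for a PEM "DH PARAMETERS" file of the kind `openssl dhparam` writes and smtpd's `<name>.dh` lookup expects, so a file can be checked against a minimum before a daemon is pointed at it; the `make_dh_pem` helper only builds constructed test input with a placeholder odd number, not a real safe prime.

```python
"""Check the prime size in a PEM "DH PARAMETERS" file (PKCS#3 DHParameter:
SEQUENCE { p INTEGER, g INTEGER }) before a daemon is pointed at it."""
import base64
import re

MIN_DH_BITS = 1024  # GnuTLS clients in the thread reject primes of 512 bits or less

def _der_len_at(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_integers(der):
    """Yield the INTEGER values inside a top-level DER SEQUENCE."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, i = _der_len_at(der, 1)
    end = i + seq_len
    while i < end:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        length, i = _der_len_at(der, i + 1)
        yield int.from_bytes(der[i:i + length], "big", signed=True)
        i += length

def dh_prime_bits(pem):
    """Bit length of p in the PEM's DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    p = next(_der_integers(base64.b64decode("".join(m.group(1).split()))))
    return p.bit_length()

def dh_params_acceptable(pem, minimum=MIN_DH_BITS):
    return dh_prime_bits(pem) >= minimum

# Constructed sample input for the parser: p is a placeholder odd number of the requested
# size, NOT a real safe prime (use `openssl dhparam` for real parameters).
def _der_len(n):
    nb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb

def _der_int(v):  # an extra leading byte keeps the sign bit clear when needed
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b

def make_dh_pem(bits):
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

`dh_prime_bits(open("server.dh").read())` on a real file gives the same number gnutls-cli reports as "Using prime", which is the value the Debian client refused at 512.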