Hi,

I wasn't aware of any diffs.

With time, the OpenBSD (ldapd server) was upgraded to 5.2 and the Linux client 
is now Debian 6.0.6.
So far, the issue is still there.

Best regards.

On 28 Jan 2013 at 11:47, Gilles Chehade <gil...@poolp.org> wrote:

> guys,
> 
> no feedback on the diff I sent :/
> 
> On Sun, Jan 20, 2013 at 12:31:41PM +0100, Gilles Chehade wrote:
>> Hi Vadim,
>> 
>> I only use ldapd in a local context but I'll have a look tomorrow and
>> come up with a diff for that.
>> 
>> Thanks,
>> Gilles
>> 
>> 
>> On Sat, Jan 19, 2013 at 01:56:12PM +0100, Vadim Agarkov wrote:
>>> Hello!
>>> 
>>> Debian's (as well as Ubuntu's) openldap client is linked against
>>> GnuTLS library in contrast to the OpenBSD one which is linked
>>> against openssl library. Recent GnuTLS versions have more strict
>>> settings - they won't allow dh params with 512 bits or less and
>>> OpenBSD's ldapd daemon uses 512-bit DH params. There is a function
>>> "gnutls_dh_set_prime_bits" which overrides default GnuTLS settings,
>>> but it looks like it is not supported by openldap client yet.
>>> 
>>> Here are some links regarding GnuTLS problem:
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117
>>> 
>>> The "good" fix for this would be setting dh params with strong (more
>>> than 512) bits on the ldapd server side, but it is not possible with
>>> current version of ldapd:
>>> 
>>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain
>>> 
>>> there is a hardcoded 512-bit DH value as you can see. And it would be
>>> nice if there was an option to set dh params like it is in OpenSMTPd
>>> (or at least set default bits for DH to be 1024 - as it is now in
>>> the same said OpenSMTPd):
>>> 
>>> http://www.opensmtpd.org/smtpd.conf.5.html
>>> 
>>> "Host certificates may be used for these connections, and are
>>> searched for in the /etc/mail/certs directory. If certificate is
>>> specified, a certificate <name>.crt, a key <name>.key, a certificate
>>> authority <name>.ca and Diffie-Hellman parameters <name>.dh are
>>> searched for. If no certificate is specified, the default interface
>>> name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and
>>> fxp0.dh. If no DH parameters are provided, smtpd will use built-in
>>> parameters. Creation of certificates is documented in starttls(8)."
>>> 
>>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain
>>> 
>>> 
>>> And as for now, the real workaround, that I see, is either to allow
>>> insecure ldap connections or use third-party tools like stunnel - it
>>> has default dh params with long enough primes and also can be set to
>>> use your custom dh params file.
>>> 
>>> JFYI, you can check dh params returned by the server using
>>> gnutls-cli utility. For example, things should look like the
>>> following for 2048-bit DH params:
>>> =====================================================
>>> $ gnutls-cli -s -p 636 ldap.your_cool_server.net
>>> Resolving 'ldap.your_cool_server.net'...
>>> Connecting to 'XXXXXXXXXXXXXX:636'...
>>> 
>>> - Simple Client Mode:
>>> 
>>> <click ctrl+d>
>>> *** Starting TLS handshake
>>> - Ephemeral Diffie-Hellman parameters
>>> - Using prime: 2048 bits
>>> - Secret key: 2047 bits
>>> - Peer's public key: 2048 bits
>>> - Certificate type: X.509
>>> - Got a certificate list of 1 certificates.
>>> - Certificate[0] info:
>>> ...
>>> =====================================================
>>> 
>>> 
>>> Hope that sheds some light on this problem.
>>> 
>>> P.S. I CC'ed ldapd developers in order to have some hope this might
>>> be fixed one day..
>>> 
>>> ---
>>> thanks,
>>> VA
>>> 
>>> On 2011-01-21 19:21, Joel Carnat wrote:
>>>> Hello,
>>>> 
>>>> On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9
>>>> ldapd(8).
>>>> It works from the local OpenBSD and from a remote NetBSD server.
>>>> All machines have the CA file installed in the OpenSSL directory
>>>> and the ldap.conf file configured to use that particular CA file.
>>>> 
>>>> Here's what I get on the Linux box:
>>>> $ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D
>>>> "cn=email,dc=tumfatig,dc=net" \
>>>> -W -b "ou=users,dc=tumfatig,dc=net" mail=j...@carnat.net
>>>> ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
>>>> ldap_create
>>>> ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
>>>> Enter LDAP Password:
>>>> ldap_sasl_bind
>>>> ldap_send_initial_request
>>>> ldap_new_connection 1 1 0
>>>> ldap_int_open_connection
>>>> ldap_connect_to_host: TCP ldap.tumfatig.net:636
>>>> ldap_new_socket: 3
>>>> ldap_prepare_socket: 3
>>>> ldap_connect_to_host: Trying 10.0.0.50:636
>>>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>>>> TLS: can't connect: The Diffie Hellman prime sent by the server is
>>>> not acceptable \
>>>> (not long enough)..
>>>> ldap_err2string
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>> 
>>>> Not sure if that matters, but the OpenBSD's openssl.cnf (which was
>>>> used to generate
>>>> and sign the CA and certificate files) contains:
>>>> default_bits = 4096
>>>> 
>>>> Is there a way to tell ldapd(8) to use a bigger DH value?
>>>> 
>>>> TIA,
>>>> Jo
>>> 
>> 
>> -- 
>> Gilles Chehade
>> 
>> https://www.poolp.org                                          @poolpOrg
>> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org                                          @poolpOrg
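
The server-side fix discussed in the thread is to deploy a DH parameter file with a strong prime, the way OpenSMTPD loads <name>.dh. Added example, not code from ldapd or OpenSMTPD: a small Python checker that parses a PEM "DH PARAMETERS" file (PKCS#3 DHParameter DER) and flags a group prime below a policy minimum, so a weak file can be rejected before it is installed. The PEM-building helper and the sample primes it is fed are constructed for testing only and are not real DH groups.

```python
import base64
import re

# PKCS#3 DHParameter: SEQUENCE { prime INTEGER, base INTEGER, ... }, PEM-wrapped.
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next position)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, next position)."""
    if buf[pos] != 0x02: raise ValueError("expected INTEGER tag")
    length, pos = _der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30: raise ValueError("expected SEQUENCE")
    _, pos = _der_len(der, 1)
    p, pos = _der_int(der, pos)
    g, _ = _der_int(der, pos)
    return p, g

def check_dh_params(pem, minimum_bits=2048):
    """Return (ok, prime_bits); ok is False when the group is below the policy minimum."""
    bits = parse_dh_params(pem)[0].bit_length()
    return bits >= minimum_bits, bits

def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def make_dh_params_pem(p, g=2):
    """Constructed test fixture: PEM for (p, g); p need not be prime for a size check.
    (bit_length + 8) // 8 bytes keeps the DER sign bit clear for positive values."""
    ints = b"".join(b"\x02" + _der_encode_len(len(v)) + v
                    for v in (n.to_bytes((n.bit_length() + 8) // 8, "big") for n in (p, g)))
    der = b"\x30" + _der_encode_len(len(ints)) + ints
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

On a real file, `check_dh_params(open("/etc/mail/certs/fxp0.dh").read())` returns the verdict and the prime length; the constructed helper is only there so the check can be exercised offline.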
