Built on source tree from 5.2: it works! Gotta switch back to SSL :)) Thank you.
Jo Le 28 janv. 2013 à 12:31, Gilles Chehade <gil...@poolp.org> a écrit : > On Mon, Jan 28, 2013 at 12:28:58PM +0100, Joel Carnat wrote: >> Hi, >> >> I wasn't aware of any diffs. >> >> With time, the OpenBSD (ldapd server) was upgraded to 5.2 and the Linux >> client is now Debian 6.0.6. >> So far, the issue is still there. >> >> Best regards. >> > > Diff below should fix your issue. > > It was okayed by martinh@ but I'd like report that it works for you and > eventually another ok ;-) > > Index: ssl.c > =================================================================== > RCS file: /cvs/src/usr.sbin/ldapd/ssl.c,v > retrieving revision 1.4 > diff -u -p -r1.4 ssl.c > --- ssl.c 1 Jul 2010 02:19:11 -0000 1.4 > +++ ssl.c 21 Jan 2013 10:51:45 -0000 > @@ -50,37 +50,12 @@ void ssl_read(int, short, void *); > void ssl_write(int, short, void *); > int ssl_bufferevent_add(struct event *, int); > > -DH *get_dh512(void); > -void ssl_set_ephemeral_key_exchange(SSL_CTX *); > +DH *get_dh1024(void); > +void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *); > > extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, > size_t, void *); > > -/* From OpenSSL's documentation: > - * > - * If "strong" primes were used to generate the DH parameters, it is > - * not strictly necessary to generate a new key for each handshake > - * but it does improve forward secrecy. > - * > - * These are the parameters used by both sendmail and openssl's > - * s_server. > - * > - * -- gilles@ > - */ > - > -unsigned char dh512_p[] = { > - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, > - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, > - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, > - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, > - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, > - 0x47,0x74,0xE8,0x33, > -}; > - > -unsigned char dh512_g[] = { > - 0x02, > -}; > - > void > ssl_read(int fd, short event, void *p) > { > @@ -409,7 +384,7 @@ ssl_setup(struct ldapd_config *env, stru > (const unsigned char *)l->ssl_cert_name, > strlen(l->ssl_cert_name) + 1)) > goto err; > > - ssl_set_ephemeral_key_exchange(l->ssl_ctx); > + ssl_set_ephemeral_key_exchange(l->ssl_ctx, get_dh1024()); > > log_debug("ssl_setup: ssl setup finished for listener: %p", l); > return; > @@ -535,29 +510,56 @@ ssl_session_destroy(struct conn *s) > SSL_free(s->s_ssl); > } > > +/* From OpenSSL's documentation: > + * > + * If "strong" primes were used to generate the DH parameters, it is > + * not strictly necessary to generate a new key for each handshake > + * but it does improve forward secrecy. > + * > + * -- gilles@ > + */ > DH * > -get_dh512(void) > +get_dh1024(void) > { > - DH *dh; > + DH *dh; > + unsigned char dh1024_p[] = { > + 0xAD,0x37,0xBB,0x26,0x75,0x01,0x27,0x75, > + 0x06,0xB5,0xE7,0x1E,0x1F,0x2B,0xBC,0x51, > + 0xC0,0xF4,0xEB,0x42,0x7A,0x2A,0x83,0x1E, > + 0xE8,0xD1,0xD8,0xCC,0x9E,0xE6,0x15,0x1D, > + 0x06,0x46,0x50,0x94,0xB9,0xEE,0xB6,0x89, > + 0xB7,0x3C,0xAC,0x07,0x5E,0x29,0x37,0xCC, > + 0x8F,0xDF,0x48,0x56,0x85,0x83,0x26,0x02, > + 0xB8,0xB6,0x63,0xAF,0x2D,0x4A,0x57,0x93, > + 0x6B,0x54,0xE1,0x8F,0x28,0x76,0x9C,0x5D, > + 0x90,0x65,0xD1,0x07,0xFE,0x5B,0x05,0x65, > + 0xDA,0xD2,0xE2,0xAF,0x23,0xCA,0x2F,0xD6, > + 0x4B,0xD2,0x04,0xFE,0xDF,0x21,0x2A,0xE1, > + 0xCD,0x1B,0x70,0x76,0xB3,0x51,0xA4,0xC9, > + 0x2B,0x68,0xE3,0xDD,0xCB,0x97,0xDA,0x59, > + 0x50,0x93,0xEE,0xDB,0xBF,0xC7,0xFA,0xA7, > + 0x47,0xC4,0x4D,0xF0,0xC6,0x09,0x4A,0x4B > + }; > + unsigned char dh1024_g[] = { > + 0x02 > + }; > > - if ((dh = DH_new()) == NULL) > + if ((dh = DH_new()) == NULL) > return NULL; > > - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); > - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); > - if (dh->p == NULL || dh->g == NULL) > - return NULL; > + dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); > + dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); > + if (dh->p == NULL || dh->g == NULL) { > + DH_free(dh); > + return NULL; > + } > > - return dh; > + return dh; > } > > - > void > -ssl_set_ephemeral_key_exchange(SSL_CTX *ctx) > +ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh) > { > - DH *dh; > - > - dh = get_dh512(); > - if (dh != NULL) > - SSL_CTX_set_tmp_dh(ctx, dh); > + if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) > + fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh"); > } > > > > -- > Gilles Chehade > > https://www.poolp.org @poolpOrg