Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
guys, no feedback on the diff I sent :/

On Sun, Jan 20, 2013 at 12:31:41PM +0100, Gilles Chehade wrote:
> Hi Vadim,
>
> I only use ldapd in a local context but I'll have a look tomorrow and come up with a diff for that.
>
> Thanks,
> Gilles

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Hi,

I wasn't aware of any diffs.

With time, the OpenBSD (ldapd server) was upgraded to 5.2 and the Linux client is now Debian 6.0.6. So far, the issue is still there.

Best regards.

On 28 Jan 2013, at 11:47, Gilles Chehade gil...@poolp.org wrote:
> guys, no feedback on the diff I sent :/
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
On Mon, Jan 28, 2013 at 12:28:58PM +0100, Joel Carnat wrote: Hi, I wasn't aware of any diffs. With time, the OpenBSD (ldapd server) was upgraded to 5.2 and the Linux client is now Debian 6.0.6. So far, the issue is still there. Best regards. Diff below should fix your issue. It was okayed by martinh@ but I'd like report that it works for you and eventually another ok ;-) Index: ssl.c === RCS file: /cvs/src/usr.sbin/ldapd/ssl.c,v retrieving revision 1.4 diff -u -p -r1.4 ssl.c --- ssl.c 1 Jul 2010 02:19:11 - 1.4 +++ ssl.c 21 Jan 2013 10:51:45 - @@ -50,37 +50,12 @@ void ssl_read(int, short, void *); voidssl_write(int, short, void *); int ssl_bufferevent_add(struct event *, int); -DH *get_dh512(void); -voidssl_set_ephemeral_key_exchange(SSL_CTX *); +DH *get_dh1024(void); +voidssl_set_ephemeral_key_exchange(SSL_CTX *, DH *); extern voidbufferevent_read_pressure_cb(struct evbuffer *, size_t, size_t, void *); -/* From OpenSSL's documentation: - * - * If strong primes were used to generate the DH parameters, it is - * not strictly necessary to generate a new key for each handshake - * but it does improve forward secrecy. - * - * These are the parameters used by both sendmail and openssl's - * s_server. - * - * -- gilles@ - */ - -unsigned char dh512_p[] = { -0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, -0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, -0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, -0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, -0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, -0x47,0x74,0xE8,0x33, -}; - -unsigned char dh512_g[] = { -0x02, -}; - void ssl_read(int fd, short event, void *p) { 
@@ -409,7 +384,7 @@ ssl_setup(struct ldapd_config *env, stru (const unsigned char *)l-ssl_cert_name, strlen(l-ssl_cert_name) + 1)) goto err; - ssl_set_ephemeral_key_exchange(l-ssl_ctx); + ssl_set_ephemeral_key_exchange(l-ssl_ctx, get_dh1024()); log_debug(ssl_setup: ssl setup finished for listener: %p, l); return; 
@@ -535,29 +510,56 @@ ssl_session_destroy(struct conn *s) SSL_free(s-s_ssl); } +/* From OpenSSL's documentation: + * + * If strong primes were used to generate the DH parameters, it is + * not strictly necessary to generate a new key for each handshake + * but it does improve forward secrecy. + * + * -- gilles@ + */ DH * -get_dh512(void) +get_dh1024(void) { -DH *dh; + DH *dh; + unsigned char dh1024_p[] = { + 0xAD,0x37,0xBB,0x26,0x75,0x01,0x27,0x75, + 0x06,0xB5,0xE7,0x1E,0x1F,0x2B,0xBC,0x51, + 0xC0,0xF4,0xEB,0x42,0x7A,0x2A,0x83,0x1E, + 0xE8,0xD1,0xD8,0xCC,0x9E,0xE6,0x15,0x1D, + 0x06,0x46,0x50,0x94,0xB9,0xEE,0xB6,0x89, + 0xB7,0x3C,0xAC,0x07,0x5E,0x29,0x37,0xCC, + 0x8F,0xDF,0x48,0x56,0x85,0x83,0x26,0x02, + 0xB8,0xB6,0x63,0xAF,0x2D,0x4A,0x57,0x93, + 0x6B,0x54,0xE1,0x8F,0x28,0x76,0x9C,0x5D, + 0x90,0x65,0xD1,0x07,0xFE,0x5B,0x05,0x65, + 0xDA,0xD2,0xE2,0xAF,0x23,0xCA,0x2F,0xD6, + 0x4B,0xD2,0x04,0xFE,0xDF,0x21,0x2A,0xE1, + 0xCD,0x1B,0x70,0x76,0xB3,0x51,0xA4,0xC9, + 0x2B,0x68,0xE3,0xDD,0xCB,0x97,0xDA,0x59, + 0x50,0x93,0xEE,0xDB,0xBF,0xC7,0xFA,0xA7, + 0x47,0xC4,0x4D,0xF0,0xC6,0x09,0x4A,0x4B + }; + unsigned char dh1024_g[] = { + 0x02 + }; -if ((dh = DH_new()) == NULL) + if ((dh = DH_new()) == NULL) return NULL; -dh-p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); -dh-g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); -if (dh-p == NULL || dh-g == NULL) -return NULL; + dh-p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); + dh-g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); + if (dh-p == NULL || dh-g == NULL) { + DH_free(dh); + return NULL; + } -return dh; + return dh; } - void -ssl_set_ephemeral_key_exchange(SSL_CTX *ctx) +ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh) { - DH *dh; - - dh = get_dh512(); - if (dh != NULL) - SSL_CTX_set_tmp_dh(ctx, dh); + if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) + fatal(ssl_set_ephemeral_key_exchange: cannot set tmp dh); } -- Gilles Chehade https://www.poolp.org @poolpOrg
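Review bot: in the prototype block of the first hunk, naming the getter get_dh1024() bakes the parameter size into the interface, so the next increase means another rename across ssl.c. Since ssl_set_ephemeral_key_exchange() now receives the DH * as an argument, a size-neutral getter name would let the parameters later come from a file, as requested earlier in the thread for a name.dh style option, without touching the callers again.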
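Review bot: in the ssl_setup() hunk, the DH object returned by get_dh1024() is passed straight into ssl_set_ephemeral_key_exchange() and no pointer to it is kept, so it can never be released. OpenSSL's SSL_CTX_set_tmp_dh() stores its own copy of the parameters, which leaves the original leaked once per listener. Keep the result in a local variable and call DH_free() on it after the context has been configured.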
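Review bot: in get_dh1024(), the rewritten comment drops the sentence that said where the old parameters came from, and the new dh1024_p carries no statement of origin at all. Add a line saying how the prime was generated or which published group it is, so that it can be checked independently. The dh1024_p and dh1024_g arrays are also plain locals that are rebuilt on the stack at every call; static const unsigned char suits constant data better.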
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Built on source tree from 5.2: it works!
Gotta switch back to SSL :))

Thank you.
Jo

On 28 Jan 2013, at 12:31, Gilles Chehade gil...@poolp.org wrote:
> Diff below should fix your issue. It was okayed by martinh@ but I'd like report that it works for you and eventually another ok ;-)
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Great thanks

On Mon, Jan 28, 2013 at 12:42:35PM +0100, Joel Carnat wrote:
> Built on source tree from 5.2: it works!
> Gotta switch back to SSL :))
>
> Thank you.
> Jo
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Hi Vadim,

I only use ldapd in a local context but I'll have a look tomorrow and come up with a diff for that.

Thanks,
Gilles

On Sat, Jan 19, 2013 at 01:56:12PM +0100, Vadim Agarkov wrote:
> Hello!
>
> Debian's (as well as Ubuntu's) openldap client is linked against GnuTLS library in contrast to the OpenBSD one which is linked against openssl library. Recent GnuTLS versions have more strict settings - they won't allow dh params with 512 bits or less and OpenBSD's ldapd daemon uses 512bits DH params. There is a function gnutls_dh_set_prime_bits which overrides default GnuTLS settings, but it looks like it is not supported by openldap client yet.
>
> Here are some links regarding GnuTLS problem:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117
>
> The good fix for this would be setting dh params with strong (more than 512) bits on the ldapd server side, but it is not possible with current version of ldapd:
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain
> there is a hardcoded 512bit DH value as you can see.
>
> And it would be nice if there was an option to set dh params like it is in OpenSMTPd (or at least set default bits for DH to be 1024 - as it is now in the same said OpenSMTPd):
> http://www.opensmtpd.org/smtpd.conf.5.html
>
>     Host certificates may be used for these connections, and are searched for in the /etc/mail/certs directory. If certificate is specified, a certificate name.crt, a key name.key, a certificate authority name.ca and Diffie-Hellman parameters name.dh are searched for. If no certificate is specified, the default interface name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and fxp0.dh. If no DH parameters are provided, smtpd will use built-in parameters. Creation of certificates is documented in starttls(8).
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain
>
> And as for now, the real workaround, that I see, is either to allow insecure ldap connections or use third-party tools like stunnel - it has default dh params with long enough primes and also can be set to use your custom dh params file.
>
> JFYI, you can check dh params returned by the server using gnutls-cli utility. For example, the things should look like the following for 2048bits DH params:
>
> =
> $ gnutls-cli -s -p 636 ldap.your_cool_server.net
> Resolving 'ldap.your_cool_server.net'...
> Connecting to 'XX:636'...
> - Simple Client Mode: click ctrl+d
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 2048 bits
> - Secret key: 2047 bits
> - Peer's public key: 2048 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> ...
> =
>
> Hope that sheds some light on this problem..
>
> P.S. I CC'ed ldapd developers in order to have some hope this might be fixed one day..
>
> ---
> thanks, VA

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: ldapd and The Diffie Hellman prime sent by the server is not acceptable
Hello!

Debian's (as well as Ubuntu's) openldap client is linked against GnuTLS library in contrast to the OpenBSD one which is linked against openssl library. Recent GnuTLS versions have more strict settings - they won't allow dh params with 512 bits or less and OpenBSD's ldapd daemon uses 512bits DH params. There is a function gnutls_dh_set_prime_bits which overrides default GnuTLS settings, but it looks like it is not supported by openldap client yet.

Here are some links regarding GnuTLS problem:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196117

The good fix for this would be setting dh params with strong (more than 512) bits on the ldapd server side, but it is not possible with current version of ldapd:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/ssl.c?rev=1.4;content-type=text%2Fplain
there is a hardcoded 512bit DH value as you can see.

And it would be nice if there was an option to set dh params like it is in OpenSMTPd (or at least set default bits for DH to be 1024 - as it is now in the same said OpenSMTPd):
http://www.opensmtpd.org/smtpd.conf.5.html

    Host certificates may be used for these connections, and are searched for in the /etc/mail/certs directory. If certificate is specified, a certificate name.crt, a key name.key, a certificate authority name.ca and Diffie-Hellman parameters name.dh are searched for. If no certificate is specified, the default interface name is instead used, for example fxp0.crt, fxp0.key, fxp0.ca, and fxp0.dh. If no DH parameters are provided, smtpd will use built-in parameters. Creation of certificates is documented in starttls(8).

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c?rev=1.51;content-type=text%2Fplain

And as for now, the real workaround, that I see, is either to allow insecure ldap connections or use third-party tools like stunnel - it has default dh params with long enough primes and also can be set to use your custom dh params file.

JFYI, you can check dh params returned by the server using gnutls-cli utility. For example, the things should look like the following for 2048bits DH params:

=
$ gnutls-cli -s -p 636 ldap.your_cool_server.net
Resolving 'ldap.your_cool_server.net'...
Connecting to 'XX:636'...
- Simple Client Mode: click ctrl+d
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2047 bits
- Peer's public key: 2048 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
...
=

Hope that sheds some light on this problem..

P.S. I CC'ed ldapd developers in order to have some hope this might be fixed one day..

---
thanks, VA

On 2011-01-21 19:21, Joel Carnat wrote:
> Hello,
>
> On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9 ldapd(8). It works from the local OpenBSD and from a remote NetBSD server. All machines have the CA file installed in the OpenSSL directory and the ldap.conf file configured to use that particular CA file.
>
> Here's what I get on the Linux box:
>
> $ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D cn=email,dc=tumfatig,dc=net \
>  -W -b ou=users,dc=tumfatig,dc=net mail=j...@carnat.net
> ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.tumfatig.net:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.0.0.50:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: can't connect: The Diffie Hellman prime sent by the server is not acceptable \
>  (not long enough)..
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Not sure if that matters, but the OpenBSD's openssl.cnf (which was used to generate and sign the CA and certificate files) contains:
> default_bits = 4096
>
> Is there a way to tell ldapd(8) to use a bigger DH value ?
>
> TIA,
> Jo
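
The client-side check that fails in this thread, as an added example that is not part of the original messages and is not code from GnuTLS, OpenLDAP or ldapd: it parses the ServerDHParams body of a TLS 1.0-1.2 DHE ServerKeyExchange (dh_p, dh_g, dh_Ys, each with a 2-byte length) and rejects a prime below a minimum size. The function names, verdict codes and the 1024-bit floor are assumptions, and the sample messages are constructed filler bytes, not real primes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names and the 1024-bit floor are assumptions made for this example. */
enum dh_verdict { DH_OK = 0, DH_MALFORMED = -1, DH_PRIME_TOO_SHORT = -2, DH_BAD_VALUE = -3 };
#define MIN_PRIME_BITS 1024
struct dh_field { const uint8_t *data; size_t len; };

/* Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then the bytes. */
static int
read_vec16(const uint8_t **cur, const uint8_t *end, struct dh_field *out)
{
	size_t len;

	if ((size_t)(end - *cur) < 2)
		return -1;
	len = ((size_t)(*cur)[0] << 8) | (*cur)[1];
	*cur += 2;
	if (len == 0 || (size_t)(end - *cur) < len)
		return -1;	/* empty field, or length runs past the message */
	out->data = *cur;
	out->len = len;
	*cur += len;
	return 0;
}

/* Bit length of a big-endian integer; leading zero bytes do not count. */
size_t
be_bit_length(const uint8_t *buf, size_t len)
{
	size_t bits;
	uint8_t top;

	for (; len > 0 && *buf == 0; len--)
		buf++;
	if (len == 0)
		return 0;
	bits = (len - 1) * 8;
	for (top = *buf; top != 0; top >>= 1)
		bits++;
	return bits;
}

/* Parse ServerDHParams (dh_p, dh_g, dh_Ys) and apply the size policy. */
int
check_server_dh_params(const uint8_t *msg, size_t msglen, size_t min_bits,
    size_t *prime_bits)
{
	const uint8_t *cur = msg, *end = msg + msglen;
	struct dh_field p, g, ys;

	*prime_bits = 0;
	if (read_vec16(&cur, end, &p) || read_vec16(&cur, end, &g) ||
	    read_vec16(&cur, end, &ys))
		return DH_MALFORMED;
	*prime_bits = be_bit_length(p.data, p.len);
	if (*prime_bits < min_bits)
		return DH_PRIME_TOO_SHORT;	/* the error reported in this thread */
	/* A prime of this size is odd; g or Ys of 0 or 1 gives a trivial secret. */
	if ((p.data[p.len - 1] & 1) == 0 || be_bit_length(g.data, g.len) < 2 ||
	    be_bit_length(ys.data, ys.len) < 2)
		return DH_BAD_VALUE;
	return DH_OK;
}

/* Constructed sample: filler bytes in the right layout, not a real prime. */
size_t
build_sample(uint8_t *out, size_t p_len, uint8_t p_top)
{
	size_t i, n = 0;

	out[n++] = (uint8_t)(p_len >> 8); out[n++] = (uint8_t)(p_len & 0xff);
	for (i = 0; i < p_len; i++)
		out[n++] = (i == 0) ? p_top : 0xA5;
	out[n - 1] |= 1;					/* keep dh_p odd */
	out[n++] = 0x00; out[n++] = 0x01; out[n++] = 0x02;	/* dh_g = 2 */
	out[n++] = (uint8_t)(p_len >> 8); out[n++] = (uint8_t)(p_len & 0xff);
	for (i = 0; i < p_len; i++)
		out[n++] = 0x3C;				/* dh_Ys filler */
	return n;
}

int
main(void)
{
	uint8_t buf[600];
	size_t bits, len, n;
	int rc;

	for (len = 64; len <= 128; len += 64) {	/* 512-bit, then 1024-bit dh_p */
		n = build_sample(buf, len, 0x80);
		rc = check_server_dh_params(buf, n, MIN_PRIME_BITS, &bits);
		printf("dh_p of %zu bytes: rc=%d bits=%zu\n", len, rc, bits);
	}
	return 0;
}
```

The size is taken from the highest set bit, so a 128-byte dh_p field with a leading zero byte still counts as shorter than 1024 bits.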
ldapd and The Diffie Hellman prime sent by the server is not acceptable
Hello,

On a Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9 ldapd(8). It works from the local OpenBSD and from a remote NetBSD server. All machines have the CA file installed in the OpenSSL directory and the ldap.conf file configured to use that particular CA file.

Here's what I get on the Linux box:

$ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D cn=email,dc=tumfatig,dc=net \
 -W -b ou=users,dc=tumfatig,dc=net mail=j...@carnat.net
ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.tumfatig.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.50:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: The Diffie Hellman prime sent by the server is not acceptable \
 (not long enough)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Not sure if that matters, but the OpenBSD's openssl.cnf (which was used to generate and sign the CA and certificate files) contains:
default_bits = 4096

Is there a way to tell ldapd(8) to use a bigger DH value ?

TIA,
Jo