[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7506) Diffie-Hellman parameters (DHParamFile) are improperly handled
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7506) Diffie-Hellman parameters (DHParamFile) are improperly handled
- From: ben@bjencks.net
- Date: Mon, 28 Jan 2013 00:28:44 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
I suppose I should attach a test case:
cd $WORKDIR
openssl dhparam 1536 > dh1536.pem
openssl req -new -newkey rsa:2048 -keyout server.key \
-out server.crt -sha256 -nodes -subj '/CN=localhost/' -x509
For GnuTLS, load the following config:
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: $WORKDIR/server.crt
olcTLSCertificateKeyFile: $WORKDIR/server.key
olcTLSCipherSuite: NONE:+VERS-TLS1.1:+VERS-TLS1.0:+AES-128-CBC:
+DHE-RSA:+SHA1:+COMP-NULL
olcTLSDHParamFile: $WORKDIR/dh1536.pem
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
For Openssl, change olcTLSCipherSuite to:
olcTLSCipherSuite: aRSA+AES128+kEDH
Start up slapd with the config, listening on ldaps://localhost:6636.
openssl s_client -connect localhost:6636
With GnuTLS this will fail negotiation; with OpenSSL it will use 1024
bit parameters rather than the 1536 bits params we specified.
The only way I've found to find the actual parameter size is to tcpdump
the negotiation. First, verify that the negotiated cipher suite is
DHE-RSA-AES128-SHA according to s_client, then:
tcpdump -i lo -wldap.pcap port 6636
wireshark ldap.pcap
Apply the SSL decode to the traffic (right click on packet, Decode As,
Transport tab, SSL), find the Server Key Exchange packet, select the
Server Key Exchange portion of the handshake message, and look at the
hex dump.
It should start with 0c, followed by a three byte size, then the next
two bytes are the length of the DH parameters: 0080 for 1024 bits, 00c0
for 1536 bits.
On 01/27/2013 07:13 PM, openldap-its@OpenLDAP.org wrote:
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#7506.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message. Note that
> any mail sent to openldap-its@openldap.org with (ITS#7506)
> in the subject will automatically be attached to the issue report.
>
> mailto:openldap-its@openldap.org?subject=(ITS#7506)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
> http://www.OpenLDAP.org/its/index.cgi?findid=7506
>
> Please remember to retain your issue tracking number (ITS#7506)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
> http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>