Bug 56918 - configurable dhparam
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
Importance: P5 normal
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
Reported: 2023-12-18 10:08 CET by Tim Breidenbach
Modified: 2023-12-18 13:28 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Tim Breidenbach univentionstaff 2023-12-18 10:08:39 CET
We have a hardcoded 2048-bit dhparam (management/univention-ldap/scripts/create-dh-parameter-files).

For security reasons the customer wants a configuration option.
Maybe a UCRV like ldap/tls/dh/* could be created.

ldap/tls/ciphersuite: HIGH:MEDIUM:!aNULL:!MD5:!RC4
 This configures the cryptographic algorithms which are offered to clients during an SSL handshake. The format is described at <http://www.openldap.org/software/man.cgi?query=slapd.conf>.

ldap/tls/dh/cron: <empty>
 Cronjob interval for recreating DH parameter files (forward secrecy).

ldap/tls/dh/paramfile: /etc/ldap/dh_2048.pem
 This configures the name of the file containing the parameters for Diffie-Hellman ephemeral key exchange.

ldap/tls/dh/restart: <empty>
 Automatically restart the LDAP server after a new DH parameter file has been generated. Disabled by default.
Comment 1 Arvid Requate univentionstaff 2023-12-18 11:41:48 CET
That script has:

> paramfile="$(ucr get ldap/tls/dh/paramfile)"
> [ -n "$paramfile" ] || exit 0

So you can create that file manually beforehand.
Comment 2 Tim Breidenbach univentionstaff 2023-12-18 13:27:33 CET
Yes, the key can be created manually (openssl dhparam -out "$newfile" -2 4092) and stored in a new file. You have to change the UCRV ldap/tls/dh/paramfile to the new file.

But the next cronjob (UCRV ldap/tls/dh/cron with default "30 4 * * *") will overwrite your file with the hardcoded 2048 bit length.

As a workaround the only option is to create the file with your needed length and to disable the cron.
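As an added illustration of the requested improvement (this is example code, not Univention's create-dh-parameter-files script), the sketch below reads the DH length from a UCR variable instead of hardcoding 2048. The variable name ldap/tls/dh/bits is an assumption; only ldap/tls/dh/paramfile exists on the page. It falls back to 2048 when the variable is empty, rejects non-numeric or too-short values, and writes the new file atomically so the cron run cannot leave slapd with a half-written PEM.

```shell
#!/bin/sh
# Added example; ldap/tls/dh/bits is a hypothetical UCR variable.
set -eu

# Resolve the DH length: empty -> the current default of 2048 bits;
# anything non-numeric or shorter than 2048 is refused so that a typo
# in the UCRV cannot silently produce a weak parameter set.
dh_bits() {
    bits="${1:-}"
    [ -n "$bits" ] || bits=2048
    case "$bits" in
        *[!0-9]*) echo "ldap/tls/dh/bits: not a number: $bits" >&2; return 1 ;;
    esac
    if [ "$bits" -lt 2048 ]; then
        echo "ldap/tls/dh/bits: refusing length below 2048: $bits" >&2
        return 1
    fi
    echo "$bits"
}

# Generate the parameter file with the requested length. The PEM is
# written to a temporary file, verified with 'openssl dhparam -check',
# and only then moved over the old file, so slapd never reads a
# partially written or corrupt parameter set.
create_dh_paramfile() {
    paramfile="$1"
    bits="$(dh_bits "${2:-}")"
    tmpfile="$(mktemp "${paramfile}.XXXXXX")"
    trap 'rm -f "$tmpfile"' EXIT
    openssl dhparam -out "$tmpfile" -2 "$bits"
    openssl dhparam -in "$tmpfile" -check -noout
    chmod 0644 "$tmpfile"
    mv "$tmpfile" "$paramfile"
    trap - EXIT
}

# Usage, reading the UCR variables the way the existing script does:
#   paramfile="$(ucr get ldap/tls/dh/paramfile)"
#   [ -n "$paramfile" ] || exit 0
#   create_dh_paramfile "$paramfile" "$(ucr get ldap/tls/dh/bits)"
```

With the length taken from UCR, the nightly cron run regenerates the file at the configured size instead of reverting an admin's manually created 4096-bit file to 2048 bits.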