Univention Bugzilla – Bug 56918
configurable dhparam
Last modified: 2023-12-18 13:28:31 CET
We have a hardcoded 2048-bit dhparam (management/univention-ldap/scripts/create-dh-parameter-files). For security reasons the customer wants a configuration option. Maybe a UCRV like ldap/tls/dh/* could be created.

ldap/tls/ciphersuite: HIGH:MEDIUM:!aNULL:!MD5:!RC4
This configures the cryptographic algorithms which are offered to clients during an SSL handshake. The format is described at <http://www.openldap.org/software/man.cgi?query=slapd.conf>.

ldap/tls/dh/cron: <empty>
Cronjob interval for recreating DH parameter files (forward secrecy).

ldap/tls/dh/paramfile: /etc/ldap/dh_2048.pem
This configures the name of the file containing the parameters for Diffie-Hellman ephemeral key exchange.

ldap/tls/dh/restart: <empty>
Automatically restart the LDAP server after a new DH parameter file has been generated. Disabled by default.
That script has:

> paramfile="$(ucr get ldap/tls/dh/paramfile)"
> [ -n "$paramfile" ] || exit 0

So you can create that file manually beforehand.
Yes, the key can be created manually (openssl dhparam -out "$newfile" -2 4092) and stored in a new file. You have to change the UCRV ldap/tls/dh/paramfile to the new file. But the next cronjob (UCRV ldap/tls/dh/cron, which defaults to "30 4 * * *") will overwrite your file with the hardcoded 2048-bit length. As a workaround the only option is to create the file with your needed length and to disable the cron.
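The downgrade described above (a nightly job replacing an operator's longer DH parameter file with the hardcoded 2048-bit one) is easy to guard against if the job first reads the prime length of the file it is about to overwrite. The following is an added example, not part of this bug report and not code from Univention's create-dh-parameter-files script: it parses an OpenSSL-style "DH PARAMETERS" PEM file (PKCS#3 DHParameter, a SEQUENCE of the prime p and the generator g) without any OpenSSL dependency, reports the prime length, and decides whether regenerating at a given length would weaken the file. The function names and the sample parameters are assumptions; the sample primes are constructed purely so the block runs offline and are not safe primes.

```python
"""Check an existing 'DH PARAMETERS' PEM file before a regeneration job
overwrites it, so a 4096-bit file is never replaced by a 2048-bit one.
Example code written for this discussion; not from the UCS script."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _der_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(buf: bytes, i: int):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length


def parse_dh_params(pem: str):
    """Return (p, g) from a PEM 'DH PARAMETERS' block, as written by
    'openssl dhparam': SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p, g


def dh_param_bits(pem: str) -> int:
    """Bit length of the DH prime in the PEM text."""
    return parse_dh_params(pem)[0].bit_length()


def regeneration_allowed(existing_pem: str, wanted_bits: int) -> bool:
    """True when regenerating at wanted_bits would not weaken the existing
    file: same length (routine rotation) or shorter, or unreadable (recreate).
    False when the operator's file is longer than the job would produce."""
    try:
        return dh_param_bits(existing_pem) <= wanted_bits
    except (ValueError, IndexError):
        return True


# --- encoder, used only to build the constructed sample files below ---
def _der_int_encode(v: int) -> bytes:
    # one extra byte when the top bit is set keeps the INTEGER positive
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len_encode(len(body)) + body


def _der_len_encode(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def build_dh_params_pem(p: int, g: int) -> str:
    body = _der_int_encode(p) + _der_int_encode(g)
    der = b"\x30" + _der_len_encode(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed samples (assumption: odd numbers of the right size, NOT safe
# primes; real files come from e.g. 'openssl dhparam -out dh_4096.pem 4096').
SAMPLE_2048 = build_dh_params_pem((1 << 2047) + 0x1001, 2)
SAMPLE_4096 = build_dh_params_pem((1 << 4095) + 0x1001, 2)

if __name__ == "__main__":
    for name, pem in (("dh_2048.pem", SAMPLE_2048), ("dh_4096.pem", SAMPLE_4096)):
        print(name, dh_param_bits(pem), "bit; regenerate at 2048 allowed:",
              regeneration_allowed(pem, 2048))
```

A wrapper in front of the cron entry can read the file named by ldap/tls/dh/paramfile and skip the openssl call when regeneration_allowed() returns False, which removes the need to disable the cron entirely; the parser also serves as a quick sanity check that the file an operator created by hand really carries the prime length they expected.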