Index: conffiles/etc/cron.d/univention-ldap
===================================================================
--- conffiles/etc/cron.d/univention-ldap (Revision 61862)
+++ conffiles/etc/cron.d/univention-ldap (Revision 62244)
@@ -2,10 +2,10 @@
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
-# recreate dh paramter files for forward secrecy
+# re-create dh parameter files for forward secrecy on a regular basis
 @!@
 script = '/usr/share/univention-ldap/create-dh-parameter-files'
-interval = configRegistry.get('ldap/tls/dh/cron', '30 4 * * *')
+interval = configRegistry.get('ldap/tls/dh/cron')
 if interval:
 	print '%s root %s' % (interval, script)
 @!@
Index: conffiles/etc/ldap/slapd.conf.d/30univention-ldap-server_head
===================================================================
--- conffiles/etc/ldap/slapd.conf.d/30univention-ldap-server_head (Revision 61862)
+++ conffiles/etc/ldap/slapd.conf.d/30univention-ldap-server_head (Revision 62244)
@@ -15,7 +15,7 @@
 if protocol:
 	print 'TLSProtocolMin %s' % (protocol,)
 from os.path import exists
-filename = configRegistry.get("ldap/tls/dh/paramfile", "/etc/ldap/dh_2048.pem")
+filename = configRegistry.get("ldap/tls/dh/paramfile")
 if filename and exists(filename):
 	print 'TLSDHParamFile %s' % (filename,)
 @!@
Index: debian/changelog
===================================================================
--- debian/changelog (Revision 61862)
+++ debian/changelog (Revision 62244)
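Review bot: With the default removed, `interval` is empty unless `ldap/tls/dh/cron` is set, so a stock installation gets no cron entry at all, yet the updated comment still reads as if regeneration happens "on a regular basis". Suggest making the opt-in explicit in the template comment, e.g. `# re-create dh parameter files for forward secrecy; only scheduled when ldap/tls/dh/cron is set (disabled by default, Bug #38685)`. The UCR value is written into the cron line unchanged, so a malformed schedule would presumably make cron reject the whole file; a format check is outside this change but worth a TODO next to the `print`.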
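Review bot: After this change the `TLSDHParamFile` directive is silently omitted whenever `ldap/tls/dh/paramfile` is unset or names a file that does not exist, so a typo in the variable or a missing copy degrades slapd to its own DH defaults with no trace in the generated configuration. The `if filename and exists(filename):` line should carry a comment stating that, e.g. `# no directive when the variable is unset or the file is missing; slapd then presumably falls back to its built-in DH parameters`. The postinst's `ldap/tls/dh/paramfile?/etc/ldap/dh_2048.pem` is what normally keeps the variable set; emitting the directive even when the file is absent would make a misconfiguration visible at slapd start instead of hiding it, at the cost of a failed start.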
@@ -1,3 +1,15 @@
+univention-ldap (11.0.12-11) unstable; urgency=low
+
+ * Bug #38685: Disable DH parameter creation by default
+
+ -- Philipp Hahn Mon, 20 Jul 2015 11:58:17 +0200
+
+univention-ldap (11.0.12-10) unstable; urgency=low
+
+ * Bug #38685: Make SSL/TLS ciphers configurable
+
+ -- Philipp Hahn Fri, 17 Jul 2015 08:03:11 +0200
+
 univention-ldap (11.0.12-9) unstable; urgency=low
 * Bug #38584: Remove DHCP policy references
Index: debian/univention-ldap-server.postinst
===================================================================
--- debian/univention-ldap-server.postinst (Revision 61862)
+++ debian/univention-ldap-server.postinst (Revision 62244)
@@ -84,8 +84,6 @@
 security/packetfilter/package/univention-ldap-server/tcp/7636/all/en="LDAPS"
 [ -x "/etc/init.d/univention-firewall" ] && invoke-rc.d univention-firewall restart
-[ -f /etc/ldap/dh_2048.pem ] || cp /usr/share/univention-ldap/dh_2048.pem /etc/ldap/
-
 ucr set \
 	ldap/debug/level?0 \
 	slapd/port?"7389,389" \
@@ -108,6 +106,9 @@
 	ldap/tls/dh/paramfile?/etc/ldap/dh_2048.pem \
 	ldap/maxopenfiles?8192 # Bug #17705
+paramfile="$(ucr get ldap/tls/dh/paramfile)"
+[ -n "$paramfile" ] && [ ! -f "$paramfile" ] && cp /usr/share/univention-ldap/dh_2048.pem "$paramfile"
+
 # UDM Property Attributes
 udm_prop_attrs="univentionUDMPropertyVersion,univentionUDMPropertyModule,univentionUDMPropertyShortDescription,univentionUDMPropertyLongDescription,univentionUDMPropertySyntax,univentionUDMPropertyMultivalue,univentionUDMPropertyDefault,univentionUDMPropertyLdapMapping,univentionUDMPropertyObjectClass,univentionUDMPropertyDeleteObjectClass,univentionUDMPropertyValueMayChange,univentionUDMPropertyLayoutTabName,univentionUDMPropertyLayoutOverwriteTab,univentionUDMPropertyLayoutOverwritePosition,univentionUDMPropertyLayoutPosition,univentionUDMPropertyCLIName,univentionUDMPropertyTranslationShortDescription,univentionUDMPropertyTranslationLongDescription,univentionUDMPropertyTranslationTabName,univentionUDMPropertyOptions,univentionUDMPropertyLayoutTabAdvanced,univentionUDMPropertyValueRequired,univentionUDMPropertyHook,univentionUDMPropertyDoNotSearch"
 # recommended index settings
Index: scripts/create-dh-parameter-files
===================================================================
--- scripts/create-dh-parameter-files (Revision 61862)
+++ scripts/create-dh-parameter-files (Revision 62244)
@@ -38,7 +38,7 @@
 tmp=$(mktemp "$paramfile.XXXXXXXXXX")
 trap "cat '$log';rm -f '$tmp' '$log'" EXIT
-openssl gendh -out "$tmp" -2 2048
+openssl dhparam -out "$tmp" -2 2048
 chmod 644 "$tmp"
 mv "$tmp" "$paramfile"
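Review bot: The new `cp` line seeds `$paramfile` from the package-shipped `/usr/share/univention-ldap/dh_2048.pem`, and since this commit also drops the default for `ldap/tls/dh/cron`, that shared group is what every installation keeps unless an admin enables the cron job or runs `create-dh-parameter-files` by hand. That consequence belongs in a comment above the new lines, e.g. `# seed the DH parameter file from the package copy; it is shared by all installations until create-dh-parameter-files (ldap/tls/dh/cron) replaces it`. Also, `[ ! -f "$paramfile" ]` is true for a directory, so a directory value would receive the copy as `dh_2048.pem` inside it while the slapd template's `exists()` check would then emit the directory path as `TLSDHParamFile`; `[ ! -e "$paramfile" ]` would skip that case. The deletion at `@@ -84,8 +84,6 @@` is the old location of this copy.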
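Review bot: The exit status of the renamed `openssl dhparam` call is not checked, so unless the script runs with `set -e` (its header is outside the hunk) a failed generation still reaches `chmod 644 "$tmp"` and `mv "$tmp" "$paramfile"` and replaces the live parameter file with an empty or partial `$tmp`. One-line fix: `openssl dhparam -out "$tmp" -2 2048 || exit 1`; the EXIT trap already prints `$log` and removes `$tmp`. Creating the temporary file with `mktemp` next to the target and renaming it into place is what keeps the replacement atomic and deserves a short comment, e.g. `# write next to the target so the final mv is an atomic rename`.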