Bug 1044586
| Field | Value |
|---|---|
| Summary | proftpd does not ship 8192 bit dh parameter |
| Product | [Fedora] Fedora EPEL |
| Component | proftpd |
| Version | el5 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Till Maas <opensource> |
| Assignee | Matthias Saou <matthias> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | matthias, opensource, paul, tmraz |
| Fixed In Version | proftpd-1.3.3g-4.el5 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-01-05 15:33:15 UTC |

Description
Till Maas
2013-12-18 15:39:47 UTC
If you use the dhparams.pem file from:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2

does that fix it?

(In reply to Paul Howarth from comment #1)
> If you use the dhparams.pem file from:
>
> http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2
>
> does that fix it?

yes

(In reply to Till Maas from comment #2)
> (In reply to Paul Howarth from comment #1)
> > If you use the dhparams.pem file from:
> >
> > http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2
> >
> > does that fix it?
>
> yes

sorry, no, it does not fix it. Removing the file "fixes" it or if selinux prevents proftpd from accessing it, which is what happened during my first test.

So you're seeing "WARNING: using fixed modulus for DH group exchange" if the file is missing/unreadable, and that "works", but actually having the file there results in the same error as the original report?

I think this change may be related:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37

(In reply to Paul Howarth from comment #4)
> So you're seeing "WARNING: using fixed modulus for DH group exchange" if the
> file is missing/unreadable, and that "works", but actually having the file
> there results in the same error as the original report?

I did look into the log if the file is missing/unreadable (I can look into this tomorrow) but other than that: yes with the file I see the same error (at least from sftp since I did not look into the logs).

There are more issues with 8192 DH:

http://bugs.proftpd.org/show_bug.cgi?id=4001

It works with the following changes:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37 (backported to the EPEL proftpd)

http://bugs.proftpd.org/attachment.cgi?id=4130 The new dhparams.pem file

Created attachment 838955
backported larger keys patch

Created attachment 838958
backported kex patch

Can you try this scratch build and let me know if it works for you?

http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667

(In reply to Paul Howarth from comment #11)
> Can you try this scratch build and let me know if it works for you?
>
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667

It works on my test system. Btw. there is also http://bugs.proftpd.org/show_bug.cgi?id=4002 which should be fixed probably. I generated a local dhparams.pem file that I can give you if you do not want to wait for proftp.

proftpd-1.3.4d-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc19

proftpd-1.3.4d-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc18

proftpd-1.3.4d-5.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc20

proftpd-1.3.3g-4.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el5

proftpd-1.3.3g-4.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el6

proftpd-1.3.4d-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.4d-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.4d-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.3g-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.3g-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
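
A way to check which modulus sizes a dhparams.pem actually offers, which is the question behind the missing 8192 bit parameter in this bug (added example, not code from this bug report or from ProFTPD). It assumes the file is a concatenation of PEM `DH PARAMETERS` blocks; `fake_params`, `der` and the sample sizes are constructed for illustration, and the sample moduli are not real primes.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_modulus_bits(pem_text):
    """Bit length of the modulus p in each DH PARAMETERS block, sorted."""
    sizes = []
    for body in PEM_RE.findall(pem_text):
        raw = base64.b64decode("".join(body.split()))
        tag, seq, _ = read_tlv(raw, 0)          # DHParameter ::= SEQUENCE { p, g }
        ptag, p, _ = read_tlv(seq, 0)           # first field: INTEGER p
        if tag != 0x30 or ptag != 0x02:
            raise ValueError("not a DH parameter structure")
        sizes.append(int.from_bytes(p, "big").bit_length())
    return sorted(sizes)

def missing_sizes(pem_text, wanted):
    """Sizes from `wanted` that no block in the file provides."""
    have = set(dh_modulus_bits(pem_text))
    return [bits for bits in wanted if bits not in have]

def der(tag, value):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(value)
    nbytes = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + head + value

def fake_params(bits):
    """Constructed input: p has the right size but is NOT a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = base64.encodebytes(der(0x30, der(0x02, p) + der(0x02, b"\x02")))
    return f"-----BEGIN DH PARAMETERS-----\n{blob.decode()}-----END DH PARAMETERS-----\n"

SAMPLE = "".join(fake_params(b) for b in (1024, 2048, 4096))  # constructed file
print(dh_modulus_bits(SAMPLE), "missing:", missing_sizes(SAMPLE, [8192]))
```

To check a real file, pass its contents to `missing_sizes` with the sizes your clients are expected to request.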