Bug 1044586 - proftpd does not ship 8192 bit dh parameter
Summary: proftpd does not ship 8192 bit dh parameter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: proftpd
Version: el5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-12-18 15:39 UTC by Till Maas
Modified: 2014-01-05 15:33 UTC
CC List: 4 users

Fixed In Version: proftpd-1.3.3g-4.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-05 15:33:15 UTC
Type: Bug


Attachments
backported larger keys patch (2.23 KB, patch)
2013-12-19 12:16 UTC, Till Maas
backported kex patch (584 bytes, patch)
2013-12-19 12:17 UTC, Till Maas

Description Till Maas 2013-12-18 15:39:47 UTC
Description of problem:
OpenSSH in Fedora requires DH 8192 for AES 256, but proftpd does not ship an 8192 bit Diffie-Hellman parameter. Therefore it is impossible to use mod_sftp with Fedora with AES 256. Also, there is only a not very helpful error message.

Version-Release number of selected component (if applicable):
1.3.3g-3.el5

How reproducible:
always

Steps to Reproduce:
1. Set up proftpd with sftp support and use aes-256-ctr as the only cipher
2. Try to connect with sftp from Fedora

Actual results:
- local sftp shows an application error
- mod_sftp logs message format error: unable to write 1025 bytes of mpint (buflen = 1023)

Expected results:
should work as expected


Additional info:
/etc/dhparams.pem does not contain 8192 bit parameters, which are required according to a peek at the OpenSSH source code.

This might be broken in Fedora as well.
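The mechanism behind this report, as an added example (not code from the bug report, from proftpd or from OpenSSH): a client negotiating aes256-ctr needs a 256-bit key, which makes OpenSSH's group-exchange request ask for an 8192-bit DH group; an 8192-bit modulus has its top bit set, so its SSH mpint encoding is 1025 bytes, the exact count in the mod_sftp log line; and a mod_sftp-style dhparams.pem holds several PEM blocks, which `openssl dhparam` alone will not enumerate, so the block below parses every block and reports the sizes present. The `dh_group_bits_for_key()` table mirrors OpenSSH's `dh_estimate()` as it stood in the 2013-era releases (the lower thresholds have moved between versions; 256 bits mapping to 8192 has not). All DH parameters used as input are constructed here with non-prime moduli purely to exercise the parser and must never be deployed.

```python
"""Added example (not part of the bug report, proftpd or OpenSSH)."""
import base64
import re


def dh_group_bits_for_key(key_bits: int) -> int:
    """Group size a GEX client asks for, mirroring OpenSSH dh_estimate()
    as of 2013: aes256-ctr needs a 256-bit key, hence 8192."""
    if key_bits <= 64:
        return 2048
    if key_bits <= 128:
        return 3072
    if key_bits <= 192:
        return 7680
    return 8192


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint: uint32 length, then big-endian two's-complement
    magnitude; a 0x00 byte is prepended when the top bit is set."""
    if n < 0:
        raise ValueError("negative values are not used for DH")
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def mpint_payload_len(n: int) -> int:
    """Bytes after the length prefix, i.e. what a kex buffer must hold."""
    return len(ssh_mpint(n)) - 4


# --- minimal DER for PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_der(der: bytes):
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag_p, p_bytes, pos = _der_read_tlv(seq, 0)
    tag_g, g_bytes, _ = _der_read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


_PEM_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def dh_group_sizes(pem_text: str):
    """Bit length of p for every DH PARAMETERS block in the file."""
    sizes = []
    for m in _PEM_BLOCK.finditer(pem_text):
        p, _g = parse_dh_params_der(base64.b64decode("".join(m.group(1).split())))
        sizes.append(p.bit_length())
    return sizes


def check_dhparams(pem_text: str, key_bits: int):
    """(requested group bits, sizes present, whether the request is served)."""
    want = dh_group_bits_for_key(key_bits)
    have = dh_group_sizes(pem_text)
    return want, have, want in have


def make_dummy_dh_pem(bits: int, g: int = 2) -> str:
    """CONSTRUCTED test data: p has exactly `bits` bits but is NOT prime.
    Only for exercising the parser; never ship it as a real group."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


if __name__ == "__main__":
    shipped = make_dummy_dh_pem(2048) + make_dummy_dh_pem(4096)
    print("aes256-ctr client asks for", dh_group_bits_for_key(256), "bits")
    print("8192-bit modulus as mpint payload:", mpint_payload_len((1 << 8191) | 1), "bytes")
    print("groups in file, served?:", check_dhparams(shipped, 256))
```

Run against a real `/etc/proftpd/dhparams.pem` (read the file and pass its text to `check_dhparams(text, 256)`) to see whether the shipped file covers an aes256-ctr client; the mpint figure shows why a fixed 1023-byte buffer in the server's key exchange code cannot carry the 1025-byte encoding even when the group is present.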

Comment 1 Paul Howarth 2013-12-18 15:56:10 UTC
If you use the dhparams.pem file from:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/dhparams.pem?revision=1.2

does that fix it?

Comment 2 Till Maas 2013-12-18 16:10:38 UTC
(In reply to Paul Howarth from comment #1)
> If you use the dhparams.pem file from:
> 
> http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/
> dhparams.pem?revision=1.2
> 
> does that fix it?

yes

Comment 3 Till Maas 2013-12-18 16:14:37 UTC
(In reply to Till Maas from comment #2)
> (In reply to Paul Howarth from comment #1)
> > If you use the dhparams.pem file from:
> > 
> > http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/
> > dhparams.pem?revision=1.2
> > 
> > does that fix it?
> 
> yes

Sorry, no, it does not fix it. Removing the file "fixes" it, or if SELinux prevents proftpd from accessing it, which is what happened during my first test.

Comment 4 Paul Howarth 2013-12-18 16:31:28 UTC
So you're seeing "WARNING: using fixed modulus for DH group exchange" if the file is missing/unreadable, and that "works", but actually having the file there results in the same error as the original report?

Comment 5 Paul Howarth 2013-12-18 16:39:04 UTC
I think this change may be related:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37

Comment 6 Till Maas 2013-12-18 17:40:06 UTC
(In reply to Paul Howarth from comment #4)
> So you're seeing "WARNING: using fixed modulus for DH group exchange" if the
> file is missing/unreadable, and that "works", but actually having the file
> there results in the same error as the original report?

I did look into the log if the file is missing/unreadable (I can look into this tomorrow), but other than that: yes, with the file I see the same error (at least from sftp, since I did not look into the logs).

Comment 7 Till Maas 2013-12-18 18:11:05 UTC
There are more issues with 8192 DH:
http://bugs.proftpd.org/show_bug.cgi?id=4001

Comment 8 Till Maas 2013-12-19 12:14:47 UTC
It works with the following changes:

http://proftp.cvs.sourceforge.net/viewvc/proftp/proftpd/contrib/mod_sftp/kex.c?r1=1.36&r2=1.37
(backported to the EPEL proftpd)

http://bugs.proftpd.org/attachment.cgi?id=4130

The new dhparams.pem file

Comment 9 Till Maas 2013-12-19 12:16:35 UTC
Created attachment 838955 [details]
backported larger keys patch

Comment 10 Till Maas 2013-12-19 12:17:10 UTC
Created attachment 838958 [details]
backported kex patch

Comment 11 Paul Howarth 2013-12-19 14:12:31 UTC
Can you try this scratch build and let me know if it works for you?

http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667

Comment 12 Till Maas 2013-12-20 09:36:29 UTC
(In reply to Paul Howarth from comment #11)
> Can you try this scratch build and let me know if it works for you?
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6314667

It works on my test system. Btw., there is also
http://bugs.proftpd.org/show_bug.cgi?id=4002
which should probably be fixed. I generated a local dhparams.pem file that I can give you if you do not want to wait for proftp.

Comment 13 Fedora Update System 2013-12-20 23:13:50 UTC
proftpd-1.3.4d-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc19

Comment 14 Fedora Update System 2013-12-20 23:13:59 UTC
proftpd-1.3.4d-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc18

Comment 15 Fedora Update System 2013-12-20 23:14:07 UTC
proftpd-1.3.4d-5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/proftpd-1.3.4d-5.fc20

Comment 16 Fedora Update System 2013-12-20 23:14:18 UTC
proftpd-1.3.3g-4.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el5

Comment 17 Fedora Update System 2013-12-20 23:14:25 UTC
proftpd-1.3.3g-4.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/proftpd-1.3.3g-4.el6

Comment 18 Fedora Update System 2013-12-30 05:01:38 UTC
proftpd-1.3.4d-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-12-30 05:01:46 UTC
proftpd-1.3.4d-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-12-30 05:04:04 UTC
proftpd-1.3.4d-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2014-01-04 22:45:56 UTC
proftpd-1.3.3g-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2014-01-04 22:47:06 UTC
proftpd-1.3.3g-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.