https://bugs.openldap.org/show_bug.cgi?id=10124
Issue ID: 10124
Summary: olcTLSDHParamFile causes slapd general protection fault error:0 in libcrypto.so.3.0.7
Product: OpenLDAP
Version: 2.5.16
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: r.g.van.der.kleij@umail.leidenuniv.nl
Target Milestone: ---
I am not sure this is even an OpenLDAP bug, but just in case it is, I report it here.
I built OpenLDAP 2.5 from source on Rocky Linux 9.2.
The previous build, version 2.5.14, would run fine, but 2.5.16 would crash at startup with the error:
kernel: traps: slapd[3909] general protection fault ip:7fea2f19f2d2 sp:7fff76b17c00 error:0 in libcrypto.so.3.0.7[7fea2f0ad000+25b000]
Since even in full debug nothing was logged apart from this error, I started eliminating configuration items, ending up with only the config below. A fresh slapd 2.5.14 would start with only this LDIF slapadded; 2.5.16 would not on the same server. Leaving out olcTLSDHParamFile would cause everything to work again. I tried regenerating a fresh 2048-bit dhparam file instead of the 4096-bit one I was using, but no difference.
openssl dhparam -out ./dhparam.pem 2048
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/scs-slapd/slapd.args
olcDisallows: bind_anon
olcLogLevel: stats sync
olcPasswordCryptSaltFormat: $6$%.16s
olcPasswordHash: {CRYPT}
olcPidFile: /var/run/scs-slapd/slapd.pid
olcRequires: authc
olcTLSCACertificateFile: "/etc/scs/openldap/certs/ca_chain.pem"
olcTLSCertificateFile: /etc/scs/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/scs/openldap/certs/key.pem
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
olcTLSCRLCheck: none
olcTLSVerifyClient: allow
olcTLSDHParamFile: /etc/ssl/dhparam.pem
olcTLSProtocolMin: 3.3
olcToolThreads: 2
Both openssl-devel and gnutls-devel were available on the build system, but as far as I can see OpenSSL would be preferred when available and was indeed used. (I tried both --with-tls=auto and --with-tls=openssl.)
make test would finish without issues.
My configure options:
./configure --prefix=$SCS_TARGET --sysconfdir=$SCS_TARGET_ETC \
  --enable-debug \
  --enable-slapd \
  --with-systemd \
  --enable-modules \
  --with-tls=auto \
  --with-cyrus-sasl \
  --with-argon2 \
  --enable-crypt \
  --enable-spasswd \
  --enable-rlookups \
  --enable-overlays=mod \
  --enable-syncprov=yes \
  --enable-accesslog=mod \
  --enable-backends=mod \
  --enable-mdb=yes \
  --enable-ndb=no \
  --enable-sql=no \
  --enable-wt=no \
  --disable-shell
The results in the configure log:
TLS_LIBS='-lssl -lcrypto'
WITH_TLS='yes'
WITH_TLS_TYPE='openssl'
r.g.van.der.kleij@umail.leidenuniv.nl changed:
Hardware: All -> x86_64
Howard Chu hyc@openldap.org changed:
CC: (none) -> bogdan.siara@gmail.com
--- Comment #1 from Howard Chu hyc@openldap.org --- *** Issue 10126 has been marked as a duplicate of this issue. ***
Howard Chu hyc@openldap.org changed:
Resolution: --- -> TEST
Status: UNCONFIRMED -> RESOLVED
--- Comment #2 from Howard Chu hyc@openldap.org --- Thanks for the report. Fixed in git master f196fa17dc2a5f166bc12c66872504e74d7b82f9; please test, thanks.
--- Comment #3 from r.g.van.der.kleij@umail.leidenuniv.nl --- After modifying libraries/libldap/tls_o.c, 2.5.16 builds, finishes make test and now starts without crash. Thank you for the lightning quick fix!
Quanah Gibson-Mount quanah@openldap.org changed:
Keywords: needs_review -> (none)
Assignee: bugs@openldap.org -> hyc@openldap.org
Target Milestone: --- -> 2.5.17
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- head:
• f196fa17 by Howard Chu at 2023-11-06T09:08:43+00:00 ITS#10124 libldap: fix dhparam init with OpenSSL 3.x
Quanah Gibson-Mount quanah@openldap.org changed:
Resolution: TEST -> FIXED
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 4d97ae33 by Howard Chu at 2024-01-16T18:19:21+00:00 ITS#10124 libldap: fix dhparam init with OpenSSL 3.x
RE25:
• 3e1130cd by Howard Chu at 2024-01-16T18:21:05+00:00 ITS#10124 libldap: fix dhparam init with OpenSSL 3.x
Quanah Gibson-Mount quanah@openldap.org changed:
Status: RESOLVED -> VERIFIED