DH parameters error (message) via update.php

Discussion in 'Installation/Configuration' started by Richard Foley, Aug 29, 2019.

  1. Richard Foley

    Richard Foley Member

    I updated my systems from debian 9 (stretch) to debian 10 (buster), which was *almost* painless. When I then updated ispConfig3
    Code:
    php -q update.php
    I saw the following "DH parameters" message. This is just FYI, as when I run the update again, the error disappears.

    Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Creating new DHParams file, this takes several minutes. Do not interrupt the script.
    142+0 records in
    142+0 records out
    142 bytes copied, 0.000529595 s, 268 kB/s
    unable to load DH parameters
    3072366336:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
    3072366336:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=DHparams
    Configuring Mailman
    
    I have other issues with this upgrade, but will create separate threads where relevant. Thanks for all your great work!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the output of the command to create the DH params file which is required for dovecot on Debian 10. Seems as if something is wrong with your OpenSSL setup when such a basic command fails.

    openssl dhparam -out /etc/dovecot/dh.pem 2048
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to delete the file and create it again with the above command.
     
    Richard Foley likes this.
  4. Richard Foley

    Richard Foley Member

    Did that, everything seems to be running smoothly, for now...
    Thanks Till!
     
  5. Jemt

    Jemt Member HowtoForge Supporter

    For the record, I was having the same problem on Debian 10 Buster. Till's solution solved the problem.
    The server in question was initially based on Debian 7, and has since been upgraded to Debian 8, Debian 9, and now Debian 10. Perhaps the problem is related to the upgrade procedures.
     
    Last edited: Feb 25, 2020
  6. Gray Consulting

    Gray Consulting Member HowtoForge Supporter

    Thanks Till -
    Same issue popped up for us - ubuntu 20.04 / php 7.4 / ispconfig 3.2
    Solution worked perfectly, although I had to build a longer key of 4096 bits before dovecot was happy.
    (Still looking for that tip jar, Till :) ... )
     
  7. Steini86

    Steini86 Active Member

    That works, but is deprecated. For intermediate systems one should use these DH parameters. See: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
    You can get them for example via:
    Code:
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem
    (Modern systems with only TLS1.3 do not need these parameters)
     
    Jemt likes this.
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I updated the host yesterday, ran Debian 10 apt upgrade to get to 10.9 and went from ISPConfig 3.2.2 to 3.2.3. I guess this caused the error appearing in the log. Excerpt:
    Code:
     Dovecot Errors.
        imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=167.248.133.56, lip=94.237.37.94, session=<AT7T1Yi+PrWn+IU4>: 1 Time(s)
        imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=167.248.133.56, lip=94.237.37.94, session=<M4vP1Yi+YJ+n+IU4>: 1 Time(s)
       lmtp(15533): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: 1 Time(s)
        lmtp(18356): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: 1 Time(s)
    The dh file is empty, and the datestamp is from December.
    Code:
    [email protected]:/etc/dovecot# LANG=C ls -lhat
    total 56K
    drwxr-xr-x 126 root root     12K Mar 28 11:31 ..
    -rw-------   1 root root    1.6K Mar 28 11:31 dovecot-sql.conf
    -r--------   1 root root    1.6K Mar 28 11:31 dovecot-sql.conf~
    -rw-r--r--   1 root root    3.3K Mar 28 11:31 dovecot.conf
    -rw-r--r--   1 root root    3.3K Mar 28 11:31 dovecot.conf~
    -rw-r--r--   1 root root       0 Dec 30 20:28 dh.pem
    drwxr-xr-x   4 root root    4.0K Dec 30 20:28 .
    drwx------   2 root root    4.0K Dec 30 17:34 private
    -rw-r-----   1 root dovecot 5.7K Jan 23  2019 dovecot-sql.conf.ext
    drwxr-xr-x   2 root root    4.0K May  8  2017 conf.d
    -rw-r-----   1 root dovecot 1.5K Apr 11  2017 dovecot-dict-auth.conf.ext
    -rw-r-----   1 root dovecot  852 Apr 11  2017 dovecot-dict-sql.conf.ext
    
    I'm trying the fix from #7 with curl first.
     
    Richard Foley likes this.
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I forgot to restart dovecot. :oops:
     
    Richard Foley, ahrasis and Th0m like this.
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Happens to the best of us :D
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I forgot to restart dovecot and thus it did not work after the curl method. When I did openssl dhparam with 4096 I remembered to restart, so then dovecot worked.
    I do not understand the benefit of the pre-defined dh, either.
     
  13. Steini86

    Steini86 Active Member

    At least it is recommended by the RFC: https://tools.ietf.org/html/rfc7919
    The recommended groups are in the appendix. I am no crypto expert, but see this answer for some hints: https://security.stackexchange.com/a/149842
    Basically, self-generated params would need to be verified by the clients, which requires computational power, and some of them just don't do it. The recommended groups are well known and can be easily verified. There is no security problem with downloading these as they are public anyway. (The only advantage would be if an attack against the recommended group is developed.)
    See this post for an explanation: https://security.stackexchange.com/a/94397

    In the end it is not so important as it will die out anyway with TLS1.3. It is only important for old clients which still need TLS1.2.
     
    Jesse Norell, ahrasis and Th0m like this.
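Three shapes of failure appear in this thread: a dh.pem that OpenSSL cannot load at all (the "wrong tag" ASN.1 error in post #1 and the zero-byte file in post #8), a modulus that is too small for Dovecot ("dh key too small"), and the question in #12 and #13 of what the pre-defined group buys you. The script below is an added example, not code from the thread, from ISPConfig or from Dovecot, that parses a Dovecot dh.pem and runs those checks. Instead of downloading ffdhe2048 it rebuilds the prime from the formula in RFC 7919 Appendix A.1 (p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1, g = 2), which is exactly the "well known, easily verified" property #13 refers to: a file fetched from ssl-config.mozilla.org can be compared against the standard group offline. Function names are my own, the Miller-Rabin check is probabilistic, and the PEM samples at the bottom are constructed for the demo rather than taken from any server.

```python
"""Sanity-check a Dovecot dh.pem: does it parse, is p large enough, is it a safe prime,
and is it the RFC 7919 ffdhe2048 group that ssl-config.mozilla.org serves?"""
import base64
import random
import re


def floor_pow2_times_e(n: int, guard: int = 128) -> int:
    """floor(2^n * e) from the series e = sum(1/k!), in exact integer arithmetic.
    'guard' extra low bits absorb the truncation error of the ~300 partial terms."""
    scale = 1 << (n + guard)
    total, fact, k = 0, 1, 0
    while True:
        term = scale // fact
        if term == 0:
            break
        total += term
        k += 1
        fact *= k
    return total >> guard


# RFC 7919, Appendix A.1: p = 2^2048 - 2^1984 + ([2^1918 * e] + 560316) * 2^64 - 1, g = 2.
FFDHE2048_P = (1 << 2048) - (1 << 1984) + (floor_pow2_times_e(1918) + 560316) * (1 << 64) - 1
FFDHE2048_G = 2


def _der_read(buf: bytes, pos: int):
    """Read one definite-length TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of DER data")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams(pem: str):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } in a PEM wrapper."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found (empty or truncated file?)")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:                       # the 'wrong tag' case OpenSSL reports
        raise ValueError("wrong tag 0x%02x, expected SEQUENCE" % tag)
    tag_p, p_bytes, pos = _der_read(body, 0)
    tag_g, g_bytes, _ = _der_read(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("wrong tag inside DHparams, expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 if the high bit is set
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams(p: int, g: int) -> str:
    """Write (p, g) as the same 'DH PARAMETERS' PEM that 'openssl dhparam' emits."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def is_probable_prime(n: int, rounds: int = 6) -> bool:
    """Miller-Rabin with fixed-seed random bases: adequate for a config sanity check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(7919)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dhparams(pem: str, min_bits: int = 2048) -> dict:
    """Map a dh.pem onto the failures seen in this thread, then identify the group."""
    try:
        p, g = parse_dhparams(pem)
    except ValueError as exc:             # Dovecot: 'unable to load DH parameters'
        return {"ok": False, "error": str(exc)}
    res = {"ok": True, "bits": p.bit_length(), "g": g,
           "is_ffdhe2048": p == FFDHE2048_P and g == FFDHE2048_G}
    if p.bit_length() < min_bits:         # Dovecot/OpenSSL: 'dh key too small'
        res.update(ok=False, error="dh key too small: %d < %d bits" % (p.bit_length(), min_bits))
        return res
    # Good DH params are a safe prime p (p and (p-1)/2 both prime) with generator 2.
    res["safe_prime"] = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    if not res["safe_prime"]:
        res.update(ok=False, error="p is not a safe prime")
    return res


# Constructed test inputs (not files from the thread): an empty dh.pem like post #8's,
# a 'wrong tag' file whose DER starts with an INTEGER, a too-small placeholder modulus
# (not real DH params), and the ffdhe2048 group re-encoded as OpenSSL would write it.
EMPTY_PEM = ""
BAD_TAG_PEM = "-----BEGIN DH PARAMETERS-----\nAgEF\n-----END DH PARAMETERS-----\n"
SMALL_PEM = encode_dhparams((1 << 1023) | 1, 2)
FFDHE2048_PEM = encode_dhparams(FFDHE2048_P, FFDHE2048_G)

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else FFDHE2048_PEM
    print(check_dhparams(source))
```

Run it as `python3 checkdh.py /etc/dovecot/dh.pem` (the file name is mine) before restarting Dovecot: a result with `"is_ffdhe2048": True` means the curl method from #7 produced the standard group, `"safe_prime": True` with 2048 or more bits means an `openssl dhparam` output is at least structurally sound, and the two error strings correspond to the "unable to load" and "dh key too small" messages quoted in #1 and #8. Dovecot still has to be restarted afterwards, as #9 found.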
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I now see your point but I am still not convinced.

    Anyway, ISPConfig developers might want to use this in its installer lib file for new servers instead of using openssl dhparam with 2048, plus downloading and using this should be faster and more secure than dhparam 2048.
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Good idea.
     
    ahrasis likes this.
