Processed: Re: Bug#927435: upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Debian Bug Tracking System
2019-04-20 06:10:01 UTC
clone 927435 -1
Bug #927435 [upgrade-reports] upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Bug 927435 cloned as bug 927461
reassign 927435 unbound
Bug #927435 [upgrade-reports] upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Bug reassigned from package 'upgrade-reports' to 'unbound'.
Ignoring request to alter found versions of bug #927435 to the same values previously set
Ignoring request to alter fixed versions of bug #927435 to the same values previously set
retitle 927435 unbound: Small control keys makes it fail to start
Bug #927435 [unbound] upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Changed Bug title to 'unbound: Small control keys makes it fail to start' from 'upgrade-reports: Buster upgrade: had to re-create unbound certs/keys'.
severity 927435 important
Bug #927435 [unbound] unbound: Small control keys makes it fail to start
Severity set to 'important' from 'normal'
reassign -1 release-notes
Bug #927461 [upgrade-reports] upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Bug reassigned from package 'upgrade-reports' to 'release-notes'.
Ignoring request to alter found versions of bug #927461 to the same values previously set
Ignoring request to alter fixed versions of bug #927461 to the same values previously set
retitle -1 release-notes: Document how to handle openssls new defaults
Bug #927461 [release-notes] upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
Changed Bug title to 'release-notes: Document how to handle openssls new defaults' from 'upgrade-reports: Buster upgrade: had to re-create unbound certs/keys'.
thanks
Stopping processing here.

Please contact me if you need assistance.
--
927435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927435
927461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927461
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Paul Gevers
2019-04-21 15:00:02 UTC
Hi Kurt, Christoph, Sebastian, others,
clone 927435 -1
reassign -1 release-notes
retitle -1 release-notes: Document how to handle openssls new defaults
After upgrading to buster, unbound-control would fail to run with this error:
error: Error setting up SSL_CTX client cert
To fix this I had to regenerate the certs and keys by removing the old ones and
running unbound-control-setup, then restarting unbound. This fixed the issue.
$ cd /etc/unbound/
$ sudo rm *.key *.pem
$ sudo unbound-control-setup
$ sudo systemctl restart unbound
Note that with unbound-control broken, that broke `systemctl reload unbound` as
it depends on unbound-control.
[...]
* One for the release-notes because the stricter defaults in OpenSSL
affect multiple programs (I have seen similar issues from e.g.
wpa_supplicant). At this point, we should probably document the
knobs involved[1].
[1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding
"""
[system_default_sect]
...
"""
And change that SECLEVEL=2 to SECLEVEL=1. Obviously, this has
system-wide effects and reduces the minimum key size for all things that
do not set their own CipherString (e.g. webservers have configuration to
do that and wpa_supplicant overrides the new default as well as most
WiFi have small keys).
Could somebody of the openssl team propose a text that can be added to
the release-notes about the new defaults? I am not asking for package
specific text (although that is welcome of course), but rather a generic
description of the change, what it means, how it can be circumvented and
what the drawbacks of that are.

Paul
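As an added example (not from the bug report, the unbound project or the release notes): a small POSIX shell audit that checks the unbound-control key and certificate files against the security level 2 minimums the upgrade enforces (RSA keys of at least 2048 bits, SHA-2 signatures), so weak material is found before the upgrade rather than at the first failed `unbound-control` call. It assumes RSA material and the file names `unbound_server.key/.pem` and `unbound_control.key/.pem` that `unbound-control-setup` writes under `/etc/unbound`.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit the unbound-control
# key/certificate pairs against the OpenSSL security level 2 minimums
# (RSA >= 2048 bits, SHA-2 signature). Assumes RSA material and the file
# names unbound-control-setup writes (unbound_server.*, unbound_control.*).

# rsa_key_bits FILE: modulus size of a PEM RSA private key (e.g. 1024, 2048)
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# cert_key_bits FILE: size of the public key inside a PEM certificate
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# cert_sig_alg FILE: certificate signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*$/\1/p' | head -n 1
}

# check_pair KEY CERT: 0 if the pair meets SECLEVEL=2, 1 (with reasons) if not
check_pair() {
    key="$1"; cert="$2"; ok=0
    kb=$(rsa_key_bits "$key"); cb=$(cert_key_bits "$cert"); alg=$(cert_sig_alg "$cert")
    [ -n "$kb" ] && [ "$kb" -ge 2048 ] ||
        { echo "$key: RSA key is ${kb:-unreadable} bits, SECLEVEL=2 needs >= 2048"; ok=1; }
    [ -n "$cb" ] && [ "$cb" -ge 2048 ] ||
        { echo "$cert: public key is ${cb:-unreadable} bits, SECLEVEL=2 needs >= 2048"; ok=1; }
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA2*|ecdsa-with-SHA3*|ecdsa-with-SHA5*) ;;
        *) echo "$cert: signature algorithm '${alg:-unreadable}' is not SHA-2"; ok=1 ;;
    esac
    return "$ok"
}

# audit_dir [DIR]: check both pairs in DIR (default /etc/unbound); 0 = all good
audit_dir() {
    d="${1:-/etc/unbound}"; rc=0
    for name in unbound_server unbound_control; do
        check_pair "$d/$name.key" "$d/$name.pem" || rc=1
    done
    return "$rc"
}
```

Source the file and run `audit_dir /etc/unbound` before the upgrade; a non-zero exit with the printed reasons means the keys will have to be regenerated with `unbound-control-setup` as described above.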
Sebastian Andrzej Siewior
2019-04-24 20:10:01 UTC
Post by Paul Gevers
Hi Kurt, Christoph, Sebastian, others,
Hi Paul,
Post by Paul Gevers
Could somebody of the openssl team propose a text that can be added to
the release-notes about the new defaults? I am not asking for package
specific text (although that is welcome of course), but rather a generic
description of the change, what it means, how it can be circumvented and
what the drawbacks of that are.
We have this [0]:
| Following various security recommendations, the default minimum TLS version
| has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
| plan to do same around March 2020.
|
| The default security level for TLS connections has also be increased from
| level 1 to level 2. This moves from the 80 bit security level to the 112 bit
| security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
| or larger ECC keys, and SHA-2.
|
| The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
| might also have a way to override the defaults.
|
| In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
| line. The CipherString can also sets the security level. Information about the
| security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
| The list of valid strings for the minimum protocol version can be found in
| SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
| config(5ssl).
|
| Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
| defaults can be done using:
| MinProtocol = None
| CipherString = DEFAULT
|
| It's recommended that you contact the remote site in case the defaults cause
| problems.

The system default is valid for packages that link against libssl1.1.
Some packages (like wpa_supplicant) override the limit so they may use
TLSv1 even if it is disabled.
Is the text above more or less what you asked for?

[0] /usr/share/doc/libssl1.1/NEWS.Debian.gz
Post by Paul Gevers
Paul
Sebastian
Paul Gevers
2019-04-24 20:30:02 UTC
Hi Sebastian,
[...]
Post by Sebastian Andrzej Siewior
The system default is valid for packages that link against libssl1.1.
Some packages (like wpa_supplicant) override the limit so they may use
TLSv1 even if it is disabled.
Is the text above more or less what you asked for?
It's a bit long, and in the current state it is a bit out of context,
but I think we'll be able to manage that, thanks.

Paul
Debian Bug Tracking System
2019-05-03 10:10:01 UTC
Your message dated Fri, 3 May 2019 12:03:09 +0200
with message-id <8f588328-bcff-9466-456b-***@debian.org>
and subject line Re: [Pkg-openssl-devel] Bug#927461: release-notes: Document how to handle openssls new defaults
has caused the Debian Bug report #927461,
regarding release-notes: Document how to handle openssls new defaults
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
927461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927461
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Justin B Rye
2019-05-03 20:30:01 UTC
A catchup sweep of changes in the last week or so.

There are a couple of grammar errors in the issues.dbk section on
openssl:

+++ b/en/issues.dbk
@@ -172,7 +172,7 @@ $ sudo update-initramfs -u
version has been changed from TLSv1 to TLSv1.2.
</para>
<para>
- The default security level for TLS connections has also be increased from
+ The default security level for TLS connections has also been increased from
level 1 to level 2. This moves from the 80 bit security level to the 112
bit security level and will require 2048 bit or larger RSA and DHE keys,
224 bit or larger ECC keys, and SHA-2.
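Review bot: the "be" to "been" fix is correct, but the same paragraph leaves the compound modifiers "80 bit security level", "112 bit security level", "2048 bit or larger" and "224 bit or larger" unhyphenated; "80-bit security level" and "2048-bit or larger RSA and DHE keys" would be the usual form and are worth fixing in the same sweep.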
@@ -185,7 +185,7 @@ $ sudo update-initramfs -u
<para>
In the default <filename>/etc/ssl/openssl.cnf</filename> there is a
<literal>MinProtocol</literal> and <literal>CipherString</literal>
- line. The <literal>CipherString</literal> can also sets the security
+ line. The <literal>CipherString</literal> can also set the security
level. Information about the security levels can be found in the <ulink
url="https://manpages.debian.org/SSL_CTX_set_security_level(3ssl)">SSL_CTX_set_security_level(3ssl)</ulink>
manpage. The list of valid strings for the minimum protocol version can
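Review bot: the "sets" to "set" fix is right, but the sentence it belongs to still has a number mismatch: "there is a <literal>MinProtocol</literal> and <literal>CipherString</literal> line" describes two separate lines. Suggest "there are <literal>MinProtocol</literal> and <literal>CipherString</literal> lines" followed by "The <literal>CipherString</literal> line can also set the security level."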

Plus a bit of generally odd phrasing here:

@@ -197,15 +197,15 @@ $ sudo update-initramfs -u
url="https://manpages.debian.org/config(5ssl)">config(5ssl)</ulink>.
</para>
<para>
- Changing back the defaults in <filename>/etc/ssl/openssl.cnf</filename>
- to previous system wide defaults can be done using:
+ Changing the system wide defaults in <filename>/etc/ssl/openssl.cnf</filename>
+ back to their previous values can be done by setting:
<programlisting>
MinProtocol = None
CipherString = DEFAULT
</programlisting>
</para>
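Review bot: the reworded sentence still does not say what "MinProtocol = None" and "CipherString = DEFAULT" give up, which is the drawback the earlier paragraphs of this section lead up to: it re-enables TLSv1 and TLSv1.1 and drops from security level 2 (112-bit) back to level 1 (80-bit) for every program that relies on the system defaults. Suggest one sentence after the programlisting, e.g. "This re-enables TLSv1 and TLSv1.1 and lowers the security level back to 1 (80-bit security) for all programs that do not set their own CipherString."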

And a misuse of "in case" (which usually means "as a precaution
against X", not "conditional on X"):

<para>
- It's recommended that you contact the remote site in case the defaults
+ It's recommended that you contact the remote site if the defaults
cause problems.
</para>
</section>
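Review bot: "if" is the right fix here; separately, "the remote site" reads vaguely now that this paragraph stands alone after the programlisting. Since the failures come from the peer's keys or protocol versions, "the operator of the remote service" would tell administrators who to contact, and makes it clearer that this is the alternative to lowering the local defaults.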

There's also one piece of un-English adverb placement in the section
about reindexing PostgreSQL:

@@ -482,8 +482,8 @@ $ sudo update-initramfs -u
corruption, such indexes need to be <literal>REINDEX</literal>ed
immediately after upgrading the <systemitem
role="package">locales</systemitem> or <systemitem
- role="package">locales-all</systemitem> packages, before putting back the
- database into production.
+ role="package">locales-all</systemitem> packages, before putting the
+ database back into production.
</para>
<para>
Suggested command: <screen>sudo -u postgres reindexdb --all</screen>
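Review bot: the adverb fix is fine; separately, "<literal>REINDEX</literal>ed" glues an English suffix onto markup and renders as "REINDEXed", which reads oddly. Since the <screen> line already shows the exact command, plain "reindexed" in the sentence, or "rebuilt with <command>REINDEX</command>", would avoid that.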


(But I don't see anything to nitpick in the new Secure Boot info.)
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package