
Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys



Hi Reinhard and all,

Good news, I have just finished fixing this problem, and merged it into master with https://github.com/boxbackup/boxbackup/pull/36. Please could you cut a new Debian package release and see if the tests pass for you? Or if not, point me to the failure logs?

If anyone wants to know more, the issue is quite complex, and there are no easy answers, which is why it took so long to fix. I've done my best to describe it at https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates. Please feel free to correct any mistakes that I've made.

Thanks, Chris.

On Sun, 10 Mar 2019 at 18:23, Reinhard Tartler <siretart@gmail.com> wrote:
On Mon, Jan 7, 2019, 16:58 Chris Wilson <chris+google@qwirx.com> wrote:
Hi Reinhard,

If I make the workaround suggested on this thread (change SECLEVEL to 1 in /etc/ssl/openssl.cnf) then test/basicserver passes again. This is at least a good start, so that users who don't want to replace their certificates have a workaround. I think I'll need to modify the CA scripts that generate certificates so that they produce 2048-bit keys that do not need this workaround, and document it or catch and improve the error message.


Any progress on updating the CA scripts that generate certificates so that they produce 2048-bit keys? 

I've updated the package to git20180819.g2f5b556, but am still experiencing a test failure:

make[1]: Leaving directory '/<<PKGBUILDDIR>>/test/basicserver'
TEST: test/basicserver
Killing any running daemons...
Removing old test files...
chmod: cannot access 'testfiles': No such file or directory
Copying new test files...
NOTICE:  Running test basicserver in debug mode...
INFO:    Starting server: ./_test --test-daemon-args= srv1 testfiles/srv1.conf
Waiting for server to die (pid 16575): . done.
INFO:    Starting server: ./_test --test-daemon-args= srv2 testfiles/srv2.conf
Waiting for server to die (pid 16579): . done.
INFO:    Starting server: ./_test --test-daemon-args= srv3 testfiles/srv3.conf
ERROR:   **** TEST FAILURE: Condition [ServerIsAlive(pid)] failed at test/basicserver/testbasicserver.cpp:628
ERROR:   **** TEST FAILURE: Condition [HUPServer(pid)] failed at test/basicserver/testbasicserver.cpp:631
ERROR:   **** TEST FAILURE: Condition [ServerIsAlive(pid)] failed at test/basicserver/testbasicserver.cpp:633
ERROR:   SSL or crypto error: loading certificates from testfiles/clientCerts.pem: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
WARNING: Exception thrown: ServerException(TLSLoadCertificatesFailed) at lib/server/TLSContext.cpp(93)
FAILED: Exception caught: TLSLoadCertificatesFailed



--
regards,
    Reinhard
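
A check for the condition behind the `ee key too small` error in the log above, as an added example that is not part of the original messages or of the Box Backup code: it reports certificates whose public key is smaller than 2048 bits. The function names, the `MIN_BITS` variable and the throwaway sample certificates are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag certificates whose public key is below a minimum size.
MIN_BITS=2048   # assumption: threshold taken from the bug title (2048-bit RSA)

# Print the public-key size in bits of the first certificate in a PEM file.
# Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key meets MIN_BITS, 1 if it is too small, 2 if unreadable.
check_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "UNREADABLE $1"; return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "TOO SMALL  $1 ($bits bits, need $MIN_BITS)"; return 1
    fi
    echo "OK         $1 ($bits bits)"; return 0
}

# Check every file given; return non-zero if any certificate fails.
check_all() {
    rc=0
    for f in "$@"; do
        check_cert "$f" || rc=1
    done
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate of BITS bits.
make_sample_cert() {   # usage: make_sample_cert BITS OUTFILE
    openssl req -x509 -newkey "rsa:$1" -nodes -subj "/CN=sample" -days 1 \
        -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$2.key"
}

# With no arguments, run on two constructed certificates (one weak, one not).
demo() {
    d=$(mktemp -d)
    make_sample_cert 1024 "$d/weak.pem"; make_sample_cert 2048 "$d/ok.pem"
    check_all "$d/weak.pem" "$d/ok.pem" || echo "at least one key is too small"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then check_all "$@"; else demo; fi
```

Run it with certificate paths as arguments to check real files; only the first certificate in each PEM file is inspected.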
