Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cepces for openSUSE:Factory checked in at 2022-12-02 13:12:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cepces (Old) and /work/SRC/openSUSE:Factory/.cepces.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cepces" Fri Dec 2 13:12:08 2022 rev:8 rq:1039334 version:0.3.7 Changes: -------- --- /work/SRC/openSUSE:Factory/cepces/cepces.changes 2022-10-25 11:18:57.277996642 +0200 +++ /work/SRC/openSUSE:Factory/.cepces.new.1835/cepces.changes 2022-12-02 13:12:16.369567299 +0100 @@ -1,0 +2,6 @@ +Thu Dec 1 14:44:33 UTC 2022 - David Mulder <dmul...@suse.com> + +Release v0.3.7: +- Make the openssl security level configurable + +------------------------------------------------------------------- Old: ---- cepces-0.3.6.tar.bz2 New: ---- cepces-0.3.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cepces.spec ++++++ --- /var/tmp/diff_new_pack.cbQGs2/_old 2022-12-02 13:12:16.937570402 +0100 +++ /var/tmp/diff_new_pack.cbQGs2/_new 2022-12-02 13:12:16.945570446 +0100 @@ -21,7 +21,7 @@ %global logdir %{_localstatedir}/log/%{app_name} Name: %{app_name} -Version: 0.3.6 +Version: 0.3.7 Release: 0%{?dist} Summary: Certificate Enrollment through CEP/CES ++++++ cepces-0.3.6.tar.bz2 -> cepces-0.3.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.6/bin/cepces-submit new/cepces-0.3.7/bin/cepces-submit --- old/cepces-0.3.6/bin/cepces-submit 2022-10-20 13:58:52.000000000 +0200 +++ new/cepces-0.3.7/bin/cepces-submit 2022-12-01 15:39:46.000000000 +0100 @@ -24,6 +24,7 @@ import sys import traceback import argparse +import requests from cepces.certmonger.core import Result from cepces.certmonger.operation import Operation from cepces.config import Configuration @@ -62,6 +63,8 @@ # Load the configuration and instantiate a service. config = Configuration.load(global_overrides=global_overrides, krb5_overrides=krb5_overrides) + if config.openssl_seclevel and config.openssl_seclevel.isnumeric(): + requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL:@SECLEVEL=%s' % config.openssl_seclevel service = Service(config) # Call the operation. 
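Review bot: The cipher string assigned to `DEFAULT_CIPHERS` in the lines added after `Configuration.load(...)` starts from `ALL`, so setting `openssl_seclevel` to any value, including the documented 2, swaps the library's curated cipher list for every suite OpenSSL allows at that level rather than only changing the level. `'DEFAULT:@SECLEVEL=%s' % config.openssl_seclevel` would keep OpenSSL's default selection and adjust only the level. The `isnumeric()` guard also accepts values outside OpenSSL's 0–5 range and silently skips a non-numeric setting, so a typo leaves the operator assuming a level is in force; rejecting anything other than `'0'`–`'5'` with a `RuntimeError` would surface it. The assignment is process-wide and only takes effect if the installed urllib3 still reads that module attribute, which this hunk cannot confirm. The enclosing function begins and ends outside the hunk.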
@@ -88,6 +91,7 @@ parser.add_argument('--keytab', help='Use the specified keytab') parser.add_argument('--principals', help='A list of principals to try when requesting a ticket') + parser.add_argument('--openssl-seclevel', help='The openssl security level') args = parser.parse_args() g_overrides = {} if args.server is not None: @@ -98,6 +102,8 @@ g_overrides['endpoint'] = endpoint if args.poll_interval is not None: g_overrides['poll_interval'] = args.poll_interval + if args.openssl_seclevel is not None: + g_overrides['openssl_seclevel'] = args.openssl_seclevel k_overrides = {} if args.keytab is not None: k_overrides['keytab'] = args.keytab diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.6/cepces/__init__.py new/cepces-0.3.7/cepces/__init__.py --- old/cepces-0.3.6/cepces/__init__.py 2022-10-20 13:58:52.000000000 +0200 +++ new/cepces-0.3.7/cepces/__init__.py 2022-12-01 15:39:46.000000000 +0100 @@ -23,7 +23,7 @@ __title__ = 'cepces' __description__ = 'CEP/CES library.' __url__ = 'https://github.com/openSUSE/cepces/' -__version__ = '0.3.6' +__version__ = '0.3.7' __author__ = 'Daniel Uvehag' __author_email__ = 'daniel.uve...@gmail.com' __license__ = 'GPLv3' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.6/cepces/config.py new/cepces-0.3.7/cepces/config.py --- old/cepces-0.3.6/cepces/config.py 2022-10-20 13:58:52.000000000 +0200 +++ new/cepces-0.3.7/cepces/config.py 2022-12-01 15:39:46.000000000 +0100 @@ -55,7 +55,7 @@ 'Certificate': SOAPAuth.TransportCertificateAuthentication, } - def __init__(self, endpoint, endpoint_type, cas, auth, poll_interval): + def __init__(self, endpoint, endpoint_type, cas, auth, poll_interval, openssl_seclevel): super().__init__() self._endpoint = endpoint @@ -63,6 +63,7 @@ self._cas = cas self._auth = auth self._poll_interval = poll_interval + self._openssl_seclevel = openssl_seclevel @property def endpoint(self): 
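Review bot: `--openssl-seclevel` is accepted as free text in the `add_argument` call and copied into `g_overrides` unchecked, so an invalid value is only discovered, or silently ignored, after the configuration has been loaded. Constraining it at the parser, `parser.add_argument('--openssl-seclevel', choices=['0', '1', '2', '3', '4', '5'], help='OpenSSL security level (0-5); lower values permit weaker TLS parameters')`, keeps the value a string for the override dict and tells the operator what lowering it means. The override assignment in the following hunk (`@@ -98,6 +102,8 @@`) needs no change if the parser validates.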
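Review bot: `openssl_seclevel` is added to `Configuration.__init__` as a required positional parameter, which breaks any caller outside this diff that constructs `Configuration` with the previous five arguments. Giving it a default, `def __init__(self, endpoint, endpoint_type, cas, auth, poll_interval, openssl_seclevel=None):`, keeps the old call form working and matches the option being optional in the sample configuration. The constructor body continues in the next hunk (`@@ -63,6 +63,7 @@`).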
@@ -89,6 +90,11 @@ """Return the poll interval.""" return self._poll_interval + @property + def openssl_seclevel(self): + """Return the openssl security level.""" + return self._openssl_seclevel + @classmethod def load(cls, files=None, dirs=None, global_overrides=None, krb5_overrides=None): @@ -116,6 +122,10 @@ config['DEFAULT']['shortname'] = shortname.lower() config['DEFAULT']['SHORTNAME'] = shortname.upper() + if not config.has_section('global'): + config.add_section('global') + config['global']['openssl_seclevel'] = '' + if files is None: files = DEFAULT_CONFIG_FILES @@ -155,7 +165,7 @@ section = parser['global'] # Ensure certain required variables are present. - for var in ['endpoint', 'auth', 'type', 'poll_interval']: + for var in ['endpoint', 'auth', 'type', 'poll_interval', 'openssl_seclevel']: if var not in section: raise RuntimeError( 'Missing "{}/{}" variable in configuration.'.format( @@ -178,8 +188,9 @@ authn = Configuration.AUTH_HANDLER_MAP[section['auth']](parser) cas = section.get('cas', True) poll_interval = section.get('poll_interval') + openssl_seclevel = section.get('openssl_seclevel') if cas == '': cas = False - return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval) + return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval, openssl_seclevel) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.6/conf/cepces.conf.dist new/cepces-0.3.7/conf/cepces.conf.dist --- old/cepces-0.3.6/conf/cepces.conf.dist 2022-10-20 13:58:52.000000000 +0200 +++ new/cepces-0.3.7/conf/cepces.conf.dist 2022-12-01 15:39:46.000000000 +0100 
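Review bot: Adding `'openssl_seclevel'` to the required-variable loop in the `@@ -155,7 +165,7 @@` hunk makes an optional setting look mandatory; the check presumably passes only because the `@@ -116,6 +122,10 @@` hunk injects an empty default into `[global]`, and a parser built any other way would hit the 'Missing ...' error. Leaving the list as it was and reading the value with `section.get('openssl_seclevel', '')` in the last hunk would express the same default without that coupling. The new `openssl_seclevel` property could also state its contract, e.g. `"""Return the OpenSSL security level as a string ('' when not configured)."""`. The functions touched here start and end outside the hunks shown.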
@@ -48,6 +48,15 @@ # Time in seconds before re-checking if the certificate has been issued poll_interval=3600 +# This is the openssl security level. The latest openssl sets the default to +# level 2, which disables some less secure ciphers. You may encounter an error +# of '[SSL: DH_KEY_TOO_SMALL] dh key too small' if this level is set to high +# for your server. If this happens, you can work around this issue by setting +# openssl_seclevel to 1. +# +# Default: 2 +#openssl_seclevel=2 + [kerberos] # Use the specified keytab. If unspecified, the system default is used. # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.6/selinux/cepces.te new/cepces-0.3.7/selinux/cepces.te --- old/cepces-0.3.6/selinux/cepces.te 2022-10-20 13:58:52.000000000 +0200 +++ new/cepces-0.3.7/selinux/cepces.te 2022-12-01 15:39:46.000000000 +0100 @@ -1,4 +1,4 @@ -policy_module(cepces, 0.3.6) +policy_module(cepces, 0.3.7) require { type certmonger_t;
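Review bot: The added comment states `Default: 2`, but the code default set in `cepces/config.py` is an empty string, which leaves the TLS settings untouched, so the effective level is whatever the system's OpenSSL policy provides. I would word it as `# Default: unset (the system OpenSSL default applies)` and fix the typo `set to high` to `set too high`. The comment should also say that level 1 permits weaker key sizes and ciphers for every connection cepces makes, so it is a workaround to use until the server's DH parameters are fixed rather than a recommended setting.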