Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-19 Thread Bastian Germann

On 19.08.22 at 16:54, Ileana Dumitrescu wrote:

> I fixed the control file email and copyright file in the most recent commits


The copyright file is not fixed but I will upload because closing the RC bug is 
an improvement.
Just read the upstream license. The project is dual licensed with GPL and one 
of the BSD clauses seems to be gone.

A nitpick that is also mentioned on the tracker for d/watch: gpgmode has to be 
pgpmode.



Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-19 Thread Ileana Dumitrescu
>> Also please note that .gitattributes makes the repo have an unclean state on checkout when you are not on Windows.
>> You should fix that in future uploads by excluding or patching that file or by importing the crlf files with the expected line ending.

Ok I will look out for that.

>> I can but please use the same email in d/changelog as in Maintainer field.

>> I have just added one commit that addresses a dpkg-gencontrol warning.

>> The latest published version is not tagged in git. Please add a debian/... tag for that.
>> The to-be-sponsored version does not have an upstream tag. Please add that now and a debian/... tag after the package was uploaded.

> Please also check d/copyright which seems to be incomplete.

I added the previous tags for debian and upstream and a new tag after the
latest updates. I fixed the control file email and copyright file in the
most recent commits, and I added your commit to the changelog.

Thank you for all the feedback! It should be good to upload now.

Ileana

On Thu, Aug 18, 2022 at 7:21 PM Bastian Germann  wrote:

> Please also check d/copyright which seems to be incomplete.
>


-- 
Ileana Dumitrescu

GPG Public Key: FA26 CA78 4BE1 8892 7F22 B99F 6570 EA01 146F 7354


Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-18 Thread Bastian Germann

Please also check d/copyright which seems to be incomplete.



Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-18 Thread Bastian Germann

On 18.08.22 at 15:51, Ileana Dumitrescu wrote:

> I just pushed to the salsa repo at https://salsa.debian.org/debian/boxbackup.
> Bastian, would you be able to sponsor the upload to unstable?


I can but please use the same email in d/changelog as in Maintainer field.

I have just added one commit that addresses a dpkg-gencontrol warning.

Also please note that .gitattributes makes the repo have an unclean state on
checkout when you are not on Windows.
You should fix that in future uploads by excluding or patching that file or by
importing the crlf files with the expected line ending.


The latest published version is not tagged in git. Please add a debian/... tag 
for that.
The to-be-sponsored version does not have an upstream tag. Please add that now and a debian/... tag after the package 
was uploaded.




Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-18 Thread Ileana Dumitrescu
> Well, the preferred thing would be to just generate new sha256 certs to
> bundle with the test suite, so that the tests pass.  I didn't see a
> script to auto-generate all the needed certs, but there is a file
> ./test/basicserver/testfiles/key-creation.txt that has instructions for
> at least some of them.

I agree and that is what I meant for potentially patching the tests. I
edited the rules file to ignore test errors and added your OpenSSL 3.0
patch to be used in the next debian version (0.13~~git20220405.g7703ac8-2)
which will include newer upstream than what is currently in Ubuntu.

I just pushed to the salsa repo at https://salsa.debian.org/debian/boxbackup.
Bastian, would you be able to sponsor the upload to unstable?

Ileana

On Wed, Aug 17, 2022 at 6:21 PM Ian Goldberg  wrote:

> On Wed, Aug 17, 2022 at 05:54:53PM +0300, Ileana Dumitrescu wrote:
> > > I made the attached patch, which causes the package to build and run on
> > > both openssl 3.x and pre-3.x systems.
> >
> > Thank you for the patch! I will add it to the next debian upload.
> >
> > > Note, however, that on openssl 3.x systems, a number of the tests run at
> > > build time still fail with:
> >
> > > FAILED: Exception caught: TLSServerWeakCertificate: Failed to load
> > > certificates from testfiles/clientCerts.pem: hash too weak for current
> > > security level
> >
> > > but that is for a different reason: the pre-built certificates bundled
> > > with the source package for running the tests use the
> > > now-deemed-insecure SHA1 hash.
> >
> > > Nonetheless, the package builds, and works fine at runtime, assuming
> > > you've upgraded your certs to sha256 as recommended here:
> >
> > I am also still seeing this error during the tests, which fails the build
> > overall. If the package still works fine at runtime, I will look into
> > patching the failed tests so that this can make it into the stable
> > repository.
>
> Well, the preferred thing would be to just generate new sha256 certs to
> bundle with the test suite, so that the tests pass.  I didn't see a
> script to auto-generate all the needed certs, but there is a file
> ./test/basicserver/testfiles/key-creation.txt that has instructions for
> at least some of them.
>
> But the ubuntu version of the package does successfully build the deb
> files, even if some of the tests fail.  The changelog says:
>
> boxbackup (0.13~~git20200326.g8e8b63c-1ubuntu1) groovy; urgency=medium
>
>   * Merge from Debian unstable.  Remaining changes:
>     - Ignore test suite results, always fails, not run on most arches anyway.
>
>  -- Gianfranco Costamagna   Mon, 11 May 2020 16:11:17 +0200
>
>

-- 
Ileana Dumitrescu

GPG Public Key: FA26 CA78 4BE1 8892 7F22 B99F 6570 EA01 146F 7354


Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-17 Thread Ian Goldberg
On Wed, Aug 17, 2022 at 05:54:53PM +0300, Ileana Dumitrescu wrote:
> > I made the attached patch, which causes the package to build and run on
> > both openssl 3.x and pre-3.x systems.
> 
> Thank you for the patch! I will add it to the next debian upload.
> 
> > Note, however, that on openssl 3.x systems, a number of the tests run at
> > build time still fail with:
> 
> > FAILED: Exception caught: TLSServerWeakCertificate: Failed to load 
> > certificates from testfiles/clientCerts.pem: hash too weak for current 
> > security level
> 
> > but that is for a different reason: the pre-built certificates bundled
> > with the source package for running the tests use the
> > now-deemed-insecure SHA1 hash.
> 
> > Nonetheless, the package builds, and works fine at runtime, assuming
> > you've upgraded your certs to sha256 as recommended here:
> 
> I am also still seeing this error during the tests, which fails the build
> overall. If the package still works fine at runtime, I will look into
> patching the failed tests so that this can make it into the stable
> repository.

Well, the preferred thing would be to just generate new sha256 certs to
bundle with the test suite, so that the tests pass.  I didn't see a
script to auto-generate all the needed certs, but there is a file
./test/basicserver/testfiles/key-creation.txt that has instructions for
at least some of them.

But the ubuntu version of the package does successfully build the deb
files, even if some of the tests fail.  The changelog says:

boxbackup (0.13~~git20200326.g8e8b63c-1ubuntu1) groovy; urgency=medium

  * Merge from Debian unstable.  Remaining changes:
    - Ignore test suite results, always fails, not run on most arches anyway.

 -- Gianfranco Costamagna   Mon, 11 May 2020 16:11:17 +0200



Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-17 Thread Ileana Dumitrescu
> I made the attached patch, which causes the package to build and run on
> both openssl 3.x and pre-3.x systems.

Thank you for the patch! I will add it to the next debian upload.

> Note, however, that on openssl 3.x systems, a number of the tests run at
> build time still fail with:

> FAILED: Exception caught: TLSServerWeakCertificate: Failed to load 
> certificates from testfiles/clientCerts.pem: hash too weak for current 
> security level

> but that is for a different reason: the pre-built certificates bundled
> with the source package for running the tests use the
> now-deemed-insecure SHA1 hash.

> Nonetheless, the package builds, and works fine at runtime, assuming
> you've upgraded your certs to sha256 as recommended here:

I am also still seeing this error during the tests, which fails the build
overall. If the package still works fine at runtime, I will look into
patching the failed tests so that this can make it into the stable
repository.

Ileana Dumitrescu

GPG Public Key: FA26 CA78 4BE1 8892 7F22 B99F 6570 EA01 146F 7354


Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-08-15 Thread Ian Goldberg
I upgraded some machines to Ubuntu 22.04(.1) this weekend, and hit the
failure in this bug in boxbackup-client; specifically, bbackupd aborts
on startup because it uses Blowfish, which openssl 3.x has now relegated
to the "legacy" provider.

I made the attached patch, which causes the package to build and run on
both openssl 3.x and pre-3.x systems.

Note, however, that on openssl 3.x systems, a number of the tests run at
build time still fail with:

FAILED: Exception caught: TLSServerWeakCertificate: Failed to load certificates 
from testfiles/clientCerts.pem: hash too weak for current security level

but that is for a different reason: the pre-built certificates bundled
with the source package for running the tests use the
now-deemed-insecure SHA1 hash.

Nonetheless, the package builds, and works fine at runtime, assuming
you've upgraded your certs to sha256 as recommended here:

https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates#replacing-certificates

This patch is against the version in Ubuntu 22.04.1:
oxbackup_0.13~~git20200326.g8e8b63c-1ubuntu2.dsc
-- 
Ian Goldberg
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo
index 78b99f7..812f5d1 100644
--- a/infrastructure/m4/ax_check_ssl.m4
+++ b/infrastructure/m4/ax_check_ssl.m4
@@ -32,6 +32,7 @@ AC_DEFUN([AX_CHECK_SSL], [
 
   if test "x$ax_check_ssl_found" = "xyes"; then
 AC_DEFINE([HAVE_SSL], 1, [Define to 1 if SSL is available])
+AC_CHECK_HEADERS([openssl/provider.h],,)
 m4_ifvaln([$1],[$1],[:])dnl
 m4_ifvaln([$2],[else $2])dnl
   fi
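
Review bot: The added AC_CHECK_HEADERS([openssl/provider.h],,) only establishes that the header exists at configure time; it does not check that OSSL_PROVIDER_load can actually be linked, yet HAVE_OPENSSL_PROVIDER_H goes on to gate runtime code in SSLLib.cpp. Consider adding a function check for OSSL_PROVIDER_load alongside it, and drop the two empty trailing arguments, which have no effect.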
diff --git a/lib/server/SSLLib.cpp b/lib/server/SSLLib.cpp
index 1bcadb0..ac8847c 100644
--- a/lib/server/SSLLib.cpp
+++ b/lib/server/SSLLib.cpp
@@ -13,6 +13,9 @@
 #include 
 #include 
 #include 
+#ifdef HAVE_OPENSSL_PROVIDER_H
+#include 
+#endif
 
 #ifdef WIN32
 	#include 
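
Review bot: The #ifdef HAVE_OPENSSL_PROVIDER_H guard placed after the existing includes only takes effect if the configure-generated header that defines the macro has already been included at this point, and the context lines do not show that. If it has not, the provider include and the loading code in Initialise() are silently compiled out and the Blowfish failure returns on OpenSSL 3.x, so it is worth confirming the include order or adding a comment naming the header that supplies the macro.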
@@ -49,6 +52,20 @@ void SSLLib::Initialise()
 	// More helpful error messages
 	::SSL_load_error_strings();
 
+#ifdef HAVE_OPENSSL_PROVIDER_H
+	// We use Blowfish, so in OpenSSL 3.x we need to explicitly load
+	// the legacy provider.  Then if you explicitly load any provider
+	// the default provider is no longer loaded implicitly, so load
+	// that as well.
+	OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (legacy == NULL || deflt == NULL) {
+		THROW_EXCEPTION_MESSAGE(ServerException,
+			SSLLibraryInitialisationError,
+			CryptoUtils::LogError("loading OpenSSL providers"));
+	}
+#endif
+
 	// Extra seeding over and above what's already done by the library
 #ifdef WIN32
 	HCRYPTPROV provider;
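
Review bot: In SSLLib::Initialise(), OSSL_PROVIDER_load(NULL, "legacy") loads the legacy provider into the default library context, so every legacy algorithm becomes available to the whole process rather than only Blowfish, and a host without the legacy module now fails initialisation outright. The legacy and deflt handles are locals that are never passed to OSSL_PROVIDER_unload, including the path where one load succeeds and the other fails before the throw; keeping them as members and unloading at shutdown would be cleaner, and the comment should state that the wider algorithm exposure is intended.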


Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2022-05-21 Thread Bastian Germann

On Thu, 12 May 2022 15:38:47 + Ileana Dumitrescu wrote:

> I recently uploaded a new upstream version of boxbackup
> (0.13~~git20220405.g7703ac8-1). Can this openssl test be re-run? Without a full
> build log I cannot properly debug this.


Your current version FTBFS with:
configure.ac:24: error: possibly undefined macro: AC_MSG_ERROR
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1
dh_autoreconf: error: autoreconf -f -i returned exit code 1
make[1]: *** [debian/rules:29: override_dh_autoreconf] Error 255

I suspect this is due to a newer autoconf version. Please fix this first to see 
if the openssl error will still hold.



Bug#995640: boxbackup: FTBFS with OpenSSL 3.0

2021-10-03 Thread Kurt Roeckx
Source: boxbackup
Version: 0.13~~git20200326.g8e8b63c-1
Severity: important
Tags: bookworm sid
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: ftbfs-3.0

Hi,

Your package is failing to build using OpenSSL 3.0 with the
following error:
NOTICE:  Running test bbackupd in debug mode...
ERROR:   SSL or crypto error: initialising cipher: error:0308010C:digital 
envelope routines::unsupported
WARNING: Exception thrown: CipherException(EVPInitFailure) (Failed to 
initialise Blowfish56-CBC: error:0308010C:digital envelope 
routines::unsupported) at lib/crypto/CipherContext.cpp:124
FAILED: Exception caught: EVPInitFailure: Failed to initialise Blowfish56-CBC: 
error:0308010C:digital envelope routines::unsupported
[...]

Some ciphers have been moved to the legacy provider and are
no longer available by default.

For more information see:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html


Kurt