=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: sarnold | ||
ahasenack | ok, starting to understand how src:crypto-policies work. In kinetic: https://pastebin.ubuntu.com/p/jmdfDbqBqH/ | 20:37 |
sarnold | oh wow that' | 20:38 |
sarnold | that's way more promising than I expected | 20:39 |
ahasenack | oh, not out of the box, not yet | 20:39 |
sarnold | ahhhhh there we go | 20:39 |
ahasenack | but the amount of changes is less than I expected | 20:39 |
sarnold | https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664 gave me the impression it didn't work at all :( | 20:39 |
ubottu | Launchpad bug 1926664 in crypto-policies (Ubuntu) "Package has no effect on system crypto policy" [Undecided, New] | 20:39 |
ahasenack | most of the time it boils down to including a config snippet, i.e., add some sort of "include /foo/bar/*.conf" in the main config | 20:39 |
ahasenack | which many packages already have | 20:39 |
ahasenack | so it's just a matter of placing the extra snippet in the right place | 20:40 |
ahasenack | it gets trickier with openssl, of course, and its section-hell of openssl.cnf | 20:40 |
sarnold | nice nice nice :D it really would be nice to have a good handle on all the "but my ancient $tool requires $gross_crypto" bug reports | 20:40 |
ahasenack | this is promising | 20:40 |
ahasenack | there is support for bind, gnutls, java, krb5, libreswan, libssh, nss, openssh and openssl | 20:41 |
ahasenack | I will concentrate my experiments in a ppa, https://launchpad.net/~ahasenack/+archive/ubuntu/crypto-policy/ | 20:41 |
ahasenack | so that bug is kind of invalid. The way crypto-policy works is that it generates config file snippets for each supported app/library | 20:44 |
ahasenack | and then it's up to each app/library to include this config snippet | 20:44 |
sarnold | hrm :( I think I misunderstood what it provided us, too :( | 20:44 |
ahasenack | for openssl to use it, for example, we have to add this somewhere in openssl.cnf: | 20:45 |
ahasenack | .include = /etc/crypto-policies/back-ends/opensslcnf.config | 20:45 |
ahasenack | that opensslcnf.config file is generated by the policy, and maps to the level that was chosen (LEGACY, DEFAULT, FUTURE, NEXT, etc) | 20:45 |
ahasenack | sarnold: do you remember that other bug we had requesting to implement system-wide crypto policies? I think it even had a few tasks | 21:13 |
ahasenack | but I forget against which package it was | 21:13 |
sarnold | ahasenack: hrm :( I can't recall that bug off-hand, sorry | 21:27 |
ahasenack | while I have you | 21:27 |
ahasenack | can you check if lftp https://ubuntu.com works for you? | 21:27 |
ahasenack | it doesn't for me | 21:27 |
sarnold | ahasenack: fails on focal and bionic | 21:32 |
ahasenack | sarnold: sergiodj found this: https://github.com/lavv17/lftp/issues/641 | 21:33 |
ubottu | Issue 641 in lavv17/lftp "gnutls integration code manually tries to verify chain, can't handle cross-signed CA" [Closed] | 21:33 |
ahasenack | "Which is why now lftp won't work against default LetsEncrypt chains anymore" | 21:34 |
ahasenack | apparently they are/were using their own code to do some validation (!) | 21:34 |
sarnold | wow | 21:34 |
sarnold | that might have made sense in ye olden dayes | 21:34 |
ahasenack | I filed a bug | 21:37 |
sarnold | nice | 21:38 |
sarnold | tbh I didn't know lftp did https :) I figured it was ftp and ftps only | 21:38 |
ahasenack | sarnold: found the bug: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285 | 21:47 |
ubottu | Launchpad bug 1647285 in nss (Ubuntu) "SSL trust not system-wide" [Wishlist, Confirmed] | 21:47 |
sarnold | oh yeah! you're reaching back through time a ways there :) hehe | 21:48 |