=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: sarnold
[20:37] <ahasenack> ok, starting to understand how src:crypto-policies work. In kinetic: https://pastebin.ubuntu.com/p/jmdfDbqBqH/
[20:38] <sarnold> oh wow that'
[20:39] <sarnold> that's way more promising than I expected
[20:39] <ahasenack> oh, not out of the box, not yet
[20:39] <sarnold> ahhhhh there we go
[20:39] <ahasenack> but the amount of changes is less than I expected
[20:39] <sarnold> https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664 gave me the impression it didn't work at all :(
[20:39] <ubottu> Launchpad bug 1926664 in crypto-policies (Ubuntu) "Package has no effect on system crypto policy" [Undecided, New]
[20:39] <ahasenack> most of the time it boils down to include a config snippet, i.e., add some sort of "include /foo/bar/*.conf" in the main config
[20:39] <ahasenack> which many packages already have
[20:40] <ahasenack> so it's just a matter of placing the extra snipped in the right place
[20:40] <ahasenack> it gets trickier with openssl, of course, and its section-hell of openssl.cnf
[20:40] <sarnold> nice nice nice :D it really would be nice to have a good handle on all the "but my ancient $tool requires $gross_crypto" bug reports
[20:40] <ahasenack> this is promising
[20:41] <ahasenack> there is support for bind, gnutls, java, krb5, libreswan, libssh, nss, openssh and openssl
[20:41] <ahasenack> I will concentrate my experiments in a ppa, https://launchpad.net/~ahasenack/+archive/ubuntu/crypto-policy/
[20:44] <ahasenack> so that bug is kind of invalid. The way crypto-policy works, is that it generates config file snippets for each supported app/library
[20:44] <ahasenack> and then it's up to each app/library to include this config snippet
[20:44] <sarnold> hrm :( I think I misunderstood what it provided us, too :(
[20:45] <ahasenack> for openssl to use it, for example, we have to add this somewhere in openssl.cnf:
[20:45] <ahasenack> .include = /etc/crypto-policies/back-ends/opensslcnf.config
[20:45] <ahasenack> that opensslcnf.config file is generated by the policy, and maps to the level that was chosen (LEGACY, DEFAULT, FUTURE, NEXT, etc)
[21:13] <ahasenack> sarnold: do you remember that other bug we had requesting to implement system-wide crypto policies? I think it even had a few tasks
[21:13] <ahasenack> but I forget against which package it was
[21:27] <sarnold> ahasenack: hrm :( I can't recall that bug off-hand, sorry
[21:27] <ahasenack> while I have you
[21:27] <ahasenack> can you check if lftp https://ubuntu.com works for you?
[21:27] <ahasenack> it doesn't for me
[21:32] <sarnold> ahasenack: fails on focal and bionic
[21:33] <ahasenack> sarnold: sergiodj found this: https://github.com/lavv17/lftp/issues/641
[21:33] <ubottu> Issue 641 in lavv17/lftp "gnutls integration code manually tries to verify chain, can't handle cross-signed CA" [Closed]
[21:34] <ahasenack> "Which is why now lftp won't work against default LetsEncrypt chains anymore"
[21:34] <ahasenack> apparently they are/were using their own code to do some validation (!)
[21:34] <sarnold> wow
[21:34] <sarnold> that might have made sense in ye olden dayes
[21:37] <ahasenack> I filed a bug
[21:38] <sarnold> nice
[21:38] <sarnold> tbh I didn't know lftp did https :) I figured it was ftp and ftps only
[21:47] <ahasenack> sarnold: found the bug: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
[21:47] <ubottu> Launchpad bug 1647285 in nss (Ubuntu) "SSL trust not system-wide" [Wishlist, Confirmed]
[21:48] <sarnold> oh yeah! you're reaching back through time a ways there :) hehe