[Box Backup-commit] [boxbackup/boxbackup] 27ad0d: Minimal fix for Debian bug 907135 [#36]

Chris Wilson noreply at github.com
Tue Jun 4 23:31:46 BST 2019


  Branch: refs/heads/debian_10_fix_ssl
  Home:   https://github.com/boxbackup/boxbackup
  Commit: 27ad0d81595a4dc5931f063bbca1bea34f52c939
      https://github.com/boxbackup/boxbackup/commit/27ad0d81595a4dc5931f063bbca1bea34f52c939
  Author: Chris Wilson <chris+github at qwirx.com>
  Date:   2019-06-04 (Tue, 04 Jun 2019)

  Changed paths:
    M bin/bbackupd/bbackupd-config.in
    M bin/bbstored/bbstored-certs.in
    M infrastructure/cmake/CMakeLists.txt
    M infrastructure/m4/boxbackup_tests.m4
    M lib/common/BoxPortsAndFiles.h.in
    M lib/common/Test.h
    M lib/server/TLSContext.cpp
    M test/basicserver/testbasicserver.cpp
    A test/basicserver/testfiles/seclevel2-sha1/bbackupd.conf
    A test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-csr.pem
    A test/basicserver/testfiles/seclevel2-sha1/bbackupd/1234567-key.pem
    A test/basicserver/testfiles/seclevel2-sha1/bbackupd/NotifySysadmin.sh
    A test/basicserver/testfiles/seclevel2-sha1/bbstored.conf
    A test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-csr.pem
    A test/basicserver/testfiles/seclevel2-sha1/bbstored/localhost-key.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootCSR.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/keys/clientRootKey.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootCSR.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/keys/serverRootKey.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/roots/clientCA.srl
    A test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.pem
    A test/basicserver/testfiles/seclevel2-sha1/ca/roots/serverCA.srl
    A test/basicserver/testfiles/seclevel2-sha1/ca/servers/localhost-cert.pem
    A test/basicserver/testfiles/seclevel2-sha1/raidfile.conf
    A test/basicserver/testfiles/seclevel2-sha256/bbackupd.conf
    A test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-csr.pem
    A test/basicserver/testfiles/seclevel2-sha256/bbackupd/1234567-key.pem
    A test/basicserver/testfiles/seclevel2-sha256/bbackupd/NotifySysadmin.sh
    A test/basicserver/testfiles/seclevel2-sha256/bbstored.conf
    A test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-csr.pem
    A test/basicserver/testfiles/seclevel2-sha256/bbstored/localhost-key.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/clients/1234567-cert.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootCSR.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/keys/clientRootKey.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootCSR.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/keys/serverRootKey.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/roots/clientCA.srl
    A test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/roots/serverCA.srl
    A test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert-sha1.pem
    A test/basicserver/testfiles/seclevel2-sha256/ca/servers/localhost-cert.pem
    A test/basicserver/testfiles/seclevel2-sha256/raidfile.conf
    A test/basicserver/testfiles/srv3-seclevel2-sha1.conf
    A test/basicserver/testfiles/srv3-seclevel2-sha256.conf
    M test/bbackupd/testbbackupd.cpp

  Log Message:
  -----------
  Minimal fix for Debian bug 907135 [#36]

Unfortunately, the changes required to implement the full solution to Debian
bug 907135 were quite large and could not be reviewed in time for Debian 10's
release date. This would have meant that Box Backup was not available at all in
Debian 10.

Therefore we have developed a workaround specifically for Debian 10 users
(this patch), which contains only the minimal changes needed to:

* reduce the security level for Box Backup to 1 (the previous default),
  overriding the system default;
* ensure that all newly generated certificates meet the new security
  requirements that will later be imposed.

This interim version will hopefully be replaced by a version from the master
branch that supports the SSLSecurityLevel configuration option, which we hope
to see in debian-backports as soon as possible, and we recommend that anyone
using the interim version upgrade to this master version as soon as possible.

See
https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates#workaround-2
for more details.
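For anyone running this interim version and wanting to know which existing
certificates will survive the later return to security level 2, the check
below is an added example written for this page; it is not code from Box
Backup, from this commit, or from the wiki page linked above. It drives
`openssl x509 -noout -text` and applies the level-2 thresholds documented in
OpenSSL's SSL_CTX_set_security_level(3) manual page (112 bits of security:
no SHA-1 or MD5 certificate signatures, RSA/DSA/DH keys of at least 2048
bits, EC keys of at least 224 bits). The function names and the constructed
sample dumps are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not Box Backup code. Reports whether an X.509
# certificate satisfies what OpenSSL enforces at security level 2 (the Debian
# 10 system default that this interim patch overrides by forcing level 1).
# Thresholds are those documented in SSL_CTX_set_security_level(3) for level 2,
# i.e. 112 bits of security: no SHA-1 or MD5 certificate signatures, RSA/DSA/DH
# keys of at least 2048 bits, EC keys of at least 224 bits. Level 1 (the
# previous default) requires only 80 bits and still accepts SHA-1 signatures
# and 1024-bit keys, which is why forcing level 1 keeps old certificates working.

LEVEL2_MIN_RSA_BITS=2048   # also applies to DSA and DH keys
LEVEL2_MIN_EC_BITS=224

# classify_cert_text: read the output of `openssl x509 -noout -text` on stdin,
# print "ok" or one "weak: ..." line per problem found, and return 0 only if
# the certificate would pass at level 2.
classify_cert_text() {
    text=$(cat)
    # The first "Signature Algorithm:" line is the one inside the signed body.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Key size is printed as "Public-Key: (2048 bit)" by OpenSSL 3.x and as
    # "RSA Public-Key: (2048 bit)" by 1.1.1; Ed25519/Ed448 dumps carry no size.
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)

    status=0
    # Compare case-insensitively: RSA dumps say "sha1WithRSAEncryption",
    # ECDSA dumps say "ecdsa-with-SHA1". (RSA-PSS puts the digest on a separate
    # "Hash Algorithm:" line and is not handled here.)
    case "$(printf '%s' "$sigalg" | tr '[:upper:]' '[:lower:]')" in
        '')
            echo "weak: no signature algorithm found in input"
            status=1 ;;
        *sha1*|*md5*)
            echo "weak: signature digest $sigalg offers less than 112 bits"
            status=1 ;;
    esac

    case "$keyalg" in
        id-ecPublicKey) min=$LEVEL2_MIN_EC_BITS ;;
        *)              min=$LEVEL2_MIN_RSA_BITS ;;
    esac
    if [ -z "$bits" ]; then
        echo "weak: could not determine public key size for $keyalg"
        status=1
    elif [ "$bits" -lt "$min" ]; then
        echo "weak: $keyalg key is $bits bits, level 2 requires at least $min"
        status=1
    fi

    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# check_cert_file: apply the check to a PEM certificate on disk, e.g.
#   check_cert_file test/basicserver/testfiles/seclevel2-sha1/ca/clients/1234567-cert.pem
check_cert_file() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Usage: sh check_seclevel2.sh cert.pem [cert2.pem ...]
for f in "$@"; do
    printf '%s\n' "== $f"
    check_cert_file "$f" || :
done
```

Run it over the client and server certificates that bbstored-certs signed
rather than over the CA roots: OpenSSL does not apply the signature-digest
check to a self-signed certificate, so a SHA-1 self-signature on a root
alone is not what level 2 rejects; the SHA-1-signed leaf certificates issued
by that root are. A "weak" result on a leaf means it must be re-issued (as
the patched bbstored-certs now does with SHA-256) before moving to a build
that no longer forces level 1.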



