Control: clone -1 -2
Control: reassign -2 libanyevent-perl
Control: severity -2 normal
Control: retitle -2 AnyEvent::TLS: create 2048-bit DH keys by default
Control: tag -2 + confirmed pending
Control: tag -1 + pending

On Fri, Mar 01, 2019 at 10:27:42PM +0100, gregor herrmann wrote:
> On Fri, 01 Mar 2019 22:16:39 +0100, Sebastian Andrzej Siewior wrote:
>
> > On 2019-03-01 21:30:04 [+0100], gregor herrmann wrote:
> > > On Fri, 01 Mar 2019 21:18:37 +0100, Sebastian Andrzej Siewior wrote:
> > >
> > > > The patch attached fixes the issue in libanyevent-perl by setting the
> > > > default DH value to 2048.
> > > There's also a new AnyEvent release but I saw the "INCOMPATIBLE
> > > CHANGE" in the changelog, and I don't think it changes what is
> > > affected here?
>
> Here a link was missing:
> https://metacpan.org/diff/file?target=MLEHMANN/AnyEvent-7.15/&source=MLEHMANN%2FAnyEvent-7.14
>
> > stunnel's autopkgtest (and everyone else using that API without using a
> > DH2048+key since now the API rejects smaller values properly).
>
> Ok.
>
> > > > Moving forward:
> > > > - apply the patch to libanyevent-perl and be done with it
> > > > - tell the stunnel4 testsuite to use 2048bit DH instead of the default
> > > >   value.
> > >
> > > Is this an alternative or are both steps needed?
> >
> > Either/or. The last b release of openssl fixes the return code of one
> > function. Since that change, setting < 2048bit DH key fails (before that
> > it also failed but with a success return value so everyone assumed
> > that it worked).
> >
> > So either libanyevent-perl changes the default DH key to 2048 (like in
> > the patch attached) _or_ someone comes up with perl foo and makes sure
> > debian/tests/runtime in the block around line 276 - 295 specifies a dh
> > with 2048 bits. My perl foo was enough to narrow it down to that area :)
> >
> > I *think* that 2048bit DH keys should be default these days and this
> > would avoid errors like that in the future.
>
> Thanks for the clarification.
> As roam offered to look into the issue earlier today in the bug log,
> I suggest to let him handle the question and fix it either in
> stunnel4 or libanyevent-perl (handy to be involved in both areas :))

Thanks a lot to both of you for the analysis and the discussion!
I've fixed the problem in my Git repository for stunnel4; I shall
upload it in a little while after some more testing. I'll try to
also change the libanyevent-perl default today.

Thanks again, and keep up the great work!

G'luck,
Peter

--
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13