On Sat 2018-08-25 20:10:36 +0200, Kurt Roeckx wrote:
> The problem is:
>> Generating a 1024 bit RSA private key
>
> Which then later results in:
>> lua: server.lua:19: error loading certificate (ee key too small)
>
> We've changed the default in Debian to require 2048 bit keys.
Thanks for the pointer! I've just uploaded an NMU for this, and I've taken the opportunity to do a bit of simple packaging cleanup to reduce the number of pedantic lintian warnings a bit at least, and to point to the latest upstream repository as well.

The NMU uses the attached patches, which I'll push to salsa as well shortly.

--dkg
From c442b9a28ba78241d4da5f051529e1d87141b00b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 14:46:25 -0400 Subject: [PATCH 1/7] point Vcs-* to salsa --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 4bc9c45..bffd2b1 100644 --- a/debian/control +++ b/debian/control @@ -10,8 +10,8 @@ Build-Depends: debhelper (>= 8.1.3), openssl Standards-Version: 3.9.6 Homepage: https://github.com/brunoos/luasec -Vcs-Git: git://git.debian.org/git/pkg-lua/lua-sec.git -Vcs-Browser: http://git.debian.org/?p=pkg-lua/lua-sec.git +Vcs-Git: https://salsa.debian.org/lua-team/lua-sec.git +Vcs-Browser: https://salsa.debian.org/lua-team/lua-sec Package: lua-sec Architecture: any -- 2.18.0
From 16d8759e90ac04afddd7dd5c7ee86fdb530cf0d1 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 14:54:49 -0400 Subject: [PATCH 2/7] use 2048-bit keys in test suite (Closes: #906997) --- debian/patches/0010-use-2048-bit-keys.patch | 279 ++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 280 insertions(+) create mode 100644 debian/patches/0010-use-2048-bit-keys.patch diff --git a/debian/patches/0010-use-2048-bit-keys.patch b/debian/patches/0010-use-2048-bit-keys.patch new file mode 100644 index 0000000..7e99e7c --- /dev/null +++ b/debian/patches/0010-use-2048-bit-keys.patch 
@@ -0,0 +1,279 @@ +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +Date: Thu, 30 Aug 2018 14:53:01 -0400 +Subject: use 2048-bit keys + +According to Kurt Roeckx in https://bugs.debian.org/906997, the test +suite is failing when built against libssl 1.1.1 because we require at +least 2048-bit keys. + +this should address that issue. +--- + samples/certs/clientA.bat | 2 +- + samples/certs/clientA.cnf | 2 +- + samples/certs/clientA.sh | 2 +- + samples/certs/clientB.bat | 2 +- + samples/certs/clientB.cnf | 2 +- + samples/certs/clientB.sh | 2 +- + samples/certs/rootA.bat | 2 +- + samples/certs/rootA.cnf | 2 +- + samples/certs/rootA.sh | 2 +- + samples/certs/rootB.bat | 2 +- + samples/certs/rootB.cnf | 2 +- + samples/certs/rootB.sh | 2 +- + samples/certs/serverA.bat | 2 +- + samples/certs/serverA.cnf | 2 +- + samples/certs/serverA.sh | 2 +- + samples/certs/serverB.bat | 2 +- + samples/certs/serverB.cnf | 2 +- + samples/certs/serverB.sh | 2 +- + samples/dhparam/params.sh | 2 +- + samples/dhparam/server.lua | 4 ++-- + 20 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/samples/certs/clientA.bat b/samples/certs/clientA.bat +index 112cdef..ddde0e4 100644 +--- a/samples/certs/clientA.bat ++++ b/samples/certs/clientA.bat +@@ -1,6 +1,6 @@ + rem #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch + + openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365 + +diff --git a/samples/certs/clientA.cnf b/samples/certs/clientA.cnf +index f938d90..3c6a6fe 100644 +--- a/samples/certs/clientA.cnf ++++ b/samples/certs/clientA.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req 
] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/clientA.sh b/samples/certs/clientA.sh +index 0350ede..363230b 100755 +--- a/samples/certs/clientA.sh ++++ b/samples/certs/clientA.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \ ++openssl req -newkey rsa:2048 -sha1 -keyout clientAkey.pem -out clientAreq.pem \ + -nodes -config ./clientA.cnf -days 365 -batch + + openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \ +diff --git a/samples/certs/clientB.bat b/samples/certs/clientB.bat +index 9f341f6..1da9677 100644 +--- a/samples/certs/clientB.bat ++++ b/samples/certs/clientB.bat +@@ -1,6 +1,6 @@ + rem #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch + + openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365 + +diff --git a/samples/certs/clientB.cnf b/samples/certs/clientB.cnf +index 40405d1..17790d6 100644 +--- a/samples/certs/clientB.cnf ++++ b/samples/certs/clientB.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/clientB.sh b/samples/certs/clientB.sh +index 94f8986..3175fac 100755 +--- a/samples/certs/clientB.sh ++++ b/samples/certs/clientB.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \ ++openssl req -newkey 
rsa:2048 -sha1 -keyout clientBkey.pem -out clientBreq.pem \ + -nodes -config ./clientB.cnf -days 365 -batch + + openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \ +diff --git a/samples/certs/rootA.bat b/samples/certs/rootA.bat +index 6449bfa..8588d05 100644 +--- a/samples/certs/rootA.bat ++++ b/samples/certs/rootA.bat +@@ -1,6 +1,6 @@ + REM #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch + + openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 + +diff --git a/samples/certs/rootA.cnf b/samples/certs/rootA.cnf +index a16a6de..28f4b6b 100644 +--- a/samples/certs/rootA.cnf ++++ b/samples/certs/rootA.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/rootA.sh b/samples/certs/rootA.sh +index 7b588bf..2125df8 100755 +--- a/samples/certs/rootA.sh ++++ b/samples/certs/rootA.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch + + openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 + +diff --git a/samples/certs/rootB.bat b/samples/certs/rootB.bat +index 99f358a..8c5f5ae 100644 +--- a/samples/certs/rootB.bat ++++ b/samples/certs/rootB.bat +@@ -1,6 +1,6 @@ + rem #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out 
rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch + + openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 + +diff --git a/samples/certs/rootB.cnf b/samples/certs/rootB.cnf +index 3627abc..b9d63ec 100644 +--- a/samples/certs/rootB.cnf ++++ b/samples/certs/rootB.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/rootB.sh b/samples/certs/rootB.sh +index 53969b3..a2e1a03 100755 +--- a/samples/certs/rootB.sh ++++ b/samples/certs/rootB.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch ++openssl req -newkey rsa:2048 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch + + openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 + +diff --git a/samples/certs/serverA.bat b/samples/certs/serverA.bat +index 78934d5..b630db3 100644 +--- a/samples/certs/serverA.bat ++++ b/samples/certs/serverA.bat +@@ -1,6 +1,6 @@ + rem #!/bin/sh + +-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch ++openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch + + openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365 + +diff --git a/samples/certs/serverA.cnf b/samples/certs/serverA.cnf +index 
b8d18fc..036ea77 100644 +--- a/samples/certs/serverA.cnf ++++ b/samples/certs/serverA.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/serverA.sh b/samples/certs/serverA.sh +index 7fa04e0..15446e6 100755 +--- a/samples/certs/serverA.sh ++++ b/samples/certs/serverA.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \ ++openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \ + -config ./serverA.cnf -nodes -days 365 -batch + + openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \ +diff --git a/samples/certs/serverB.bat b/samples/certs/serverB.bat +index 294be57..2ed5ea1 100644 +--- a/samples/certs/serverB.bat ++++ b/samples/certs/serverB.bat +@@ -1,6 +1,6 @@ + rem #!/bin/sh + +-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch ++openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch + + openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365 + +diff --git a/samples/certs/serverB.cnf b/samples/certs/serverB.cnf +index 344c140..507c94f 100644 +--- a/samples/certs/serverB.cnf ++++ b/samples/certs/serverB.cnf +@@ -98,7 +98,7 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/samples/certs/serverB.sh b/samples/certs/serverB.sh +index c75b00a..e66f5b5 100755 +--- 
a/samples/certs/serverB.sh ++++ b/samples/certs/serverB.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + +-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \ ++openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \ + -config ./serverB.cnf -nodes -days 365 -batch + + openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \ +diff --git a/samples/dhparam/params.sh b/samples/dhparam/params.sh +index 8e4f031..d8f46d1 100755 +--- a/samples/dhparam/params.sh ++++ b/samples/dhparam/params.sh +@@ -1,4 +1,4 @@ + #!/bin/sh + + openssl dhparam -2 -out dh-512.pem -outform PEM 512 +-openssl dhparam -2 -out dh-1024.pem -outform PEM 1024 ++openssl dhparam -2 -out dh-2048.pem -outform PEM 2048 +diff --git a/samples/dhparam/server.lua b/samples/dhparam/server.lua +index 37661d5..2585ddc 100644 +--- a/samples/dhparam/server.lua ++++ b/samples/dhparam/server.lua +@@ -20,8 +20,8 @@ local function dhparam_cb(export, keylength) + local filename + if keylength == 512 then + filename = "dh-512.pem" +- elseif keylength == 1024 then +- filename = "dh-1024.pem" ++ elseif keylength == 2048 then ++ filename = "dh-2048.pem" + else + -- No key + return nil diff --git a/debian/patches/series b/debian/patches/series index 2bb89ba..b5ab8af 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ 0007-Use-X509_EXTENSION_get_object-to-get-the-object-fiel.patch 0008-Use-EVP_PKEY_base_id-to-recover-the-key-s-type.patch 0009-Compatibility-with-OpenSSL-1.1.0.patch +0010-use-2048-bit-keys.patch -- 2.18.0
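Review bot: the certificate-generation hunks (clientA/B, rootA/B and serverA/B, both the .sh and .bat variants) still pass `-sha1` to `openssl req` and to `openssl x509 -req`, so the regenerated 2048-bit fixtures remain SHA-1-signed; since every one of these scripts is being edited to satisfy a stricter OpenSSL default anyway, changing that flag to `-sha256` in the same pass avoids having to regenerate the fixtures again once SHA-1 signatures are refused as well. Only the generator scripts are in this diff: if the .pem files under samples/certs are shipped in the tarball rather than rebuilt during the test, they have to be regenerated with these scripts for the test suite to actually see 2048-bit keys.

Review bot: in the samples/dhparam/params.sh hunk, `openssl dhparam -2 -out dh-512.pem -outform PEM 512` is kept while only the 1024-bit line is raised to 2048; a 512-bit group is far below the 2048-bit floor this patch exists to meet and is rejected by the same security-level check, so the 512-bit line should be dropped too (together with the matching branch in server.lua), rather than leaving a fixture the test can never use.

Review bot: in the samples/dhparam/server.lua hunk, `elseif keylength == 1024` became `elseif keylength == 2048`, which only helps if OpenSSL actually asks the temporary-DH callback for 2048-bit parameters; if it still requests 1024 for non-export suites (the value the old branch matched), the new branch is never taken, the function falls through to `return nil`, and DHE handshakes fail instead of getting stronger parameters. Please verify the keylength luasec hands to dhparam_cb here; a safer shape is to treat it as a floor, e.g. `if keylength <= 2048 then filename = "dh-2048.pem" end`, so the strongest available group is returned whatever size is requested.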
From 69dcfee6c405b7993ed5ab6b95f60d816e5aea02 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 14:57:50 -0400 Subject: [PATCH 3/7] gbp: use upstream git tags --- debian/gbp.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 debian/gbp.conf diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..13ffc20 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +upstream-tag = luasec-%(version)s -- 2.18.0
From 69da67b635ea79d7fd59534693427d7243186516 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 15:03:12 -0400 Subject: [PATCH 4/7] d/copyright: use https form of Format URI --- debian/copyright | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/copyright b/debian/copyright index 83532bb..e387b99 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: luasec Upstream-Contact: Bruno Silvestre <bruno.silves...@gmail.com> Source: https://github.com/brunoos/luasec.git -- 2.18.0
From 25292b6e082307d8daf0b658d202d2bb2fbd53e9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 15:03:58 -0400 Subject: [PATCH 5/7] d/changelog: strip trailing whitespace --- debian/changelog | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/debian/changelog b/debian/changelog index e996a49..7033d34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -39,13 +39,13 @@ lua-sec (0.5.1-1) unstable; urgency=medium lua-sec (0.5-3) unstable; urgency=medium * Cherry pick upstream 67f0867 to fix FTBFS after SSLv3 support - was removed from opanssl (Closes: #804607) + was removed from opanssl (Closes: #804607) -- Enrico Tassi <gareuselesi...@debian.org> Sun, 15 Nov 2015 19:28:23 +0100 lua-sec (0.5-2) unstable; urgency=medium - * Do not Pre-Depend on multiarch-support + * Do not Pre-Depend on multiarch-support * Bump standards version, no change * Update Homepage URL (Close: #775315) @@ -53,24 +53,24 @@ lua-sec (0.5-2) unstable; urgency=medium lua-sec (0.5-1) unstable; urgency=medium - * New upstream release + * New upstream release * Bump Standards-Version to 3.9.5, no changes - * Copyright updated and ported to format 1.0 + * Copyright updated and ported to format 1.0 -- Enrico Tassi <gareuselesi...@debian.org> Sat, 01 Feb 2014 14:21:36 +0100 lua-sec (0.4.1+git063e8a8-2) unstable; urgency=low * Bundle all C modules into a single ssl.so module, as the upstream - suggested + suggested * Fix lua-sec.h listing all luaopen_ssl_xxx available - * Remove last bits of transitional packages + * Remove last bits of transitional packages -- Enrico Tassi <gareuselesi...@debian.org> Wed, 21 Aug 2013 09:10:18 +0200 lua-sec (0.4.1+git063e8a8-1) unstable; urgency=low - * New upstream snaphost for luasocket 3.0 + * New upstream snaphost for luasocket 3.0 -- Enrico Tassi <gareuselesi...@debian.org> Mon, 25 Jun 2012 20:44:04 +0200 
@@ -92,7 +92,7 @@ lua-sec (0.4-7) unstable; urgency=low * Switch to dh-lua * Packages renamed according to the new Lua policy * debian/compat set to 8 - * Bumped standards-version to 3.9.3, no changes + * Bumped standards-version to 3.9.3, no changes -- Enrico Tassi <gareuselesi...@debian.org> Sun, 06 May 2012 17:25:36 +0200 @@ -113,7 +113,7 @@ lua-sec (0.4-4) unstable; urgency=low * bumped standards-version to 3.9.2, no changes * multi-arch compliant (dh >= 8.1.3, lua5.1-policy >= 32) * mention in debian/copyright the copyright holders for https.lua, thanks - Barry deFreese for spotting that + Barry deFreese for spotting that -- Enrico Tassi <gareuselesi...@debian.org> Thu, 21 Jul 2011 00:50:48 +0200 @@ -134,7 +134,7 @@ lua-sec (0.4-1) unstable; urgency=low * new upstream release: main addition is the https.lua module * added README.source mentioning dpatch default doc - * bumped standards-version to 3.8.3 + * bumped standards-version to 3.8.3 -- Enrico Tassi <gareuselesi...@debian.org> Sun, 01 Nov 2009 10:52:38 +0100 -- 2.18.0
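Review bot: while these changelog lines are being rewritten to strip trailing whitespace, two of the touched lines also carry spelling slips that could be fixed in the same pass: `was removed from opanssl` in the 0.5-3 entry and `New upstream snaphost for luasocket 3.0` in the 0.4.1+git063e8a8-1 entry. The adjacent `(Close: #775315)` in 0.5-2 is missing the `s` of `Closes:`, though for an already-released entry that has no effect beyond readability.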
From 11c03d45e05016b9c1c0f8aaf695422495608348 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 15:07:24 -0400 Subject: [PATCH 6/7] debian/watch: use github tags --- debian/watch | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/debian/watch b/debian/watch index 2d0d2d5..3141281 100644 --- a/debian/watch +++ b/debian/watch @@ -1,5 +1,2 @@ -# test this watch file using: -# uscan --watchfile debian/watch --upstream-version 0.0.1 --package lua-sec -# -version=3 -http://www.inf.puc-rio.br/~brunoos/luasec/ download/luasec-([\d\.]*).tar.gz +version=4 +https://github.com/brunoos/luasec/tags (?:.*?/)?luasec-(\d[\d.]*)\.tar\.gz -- 2.18.0
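Review bot: the new pattern `(?:.*?/)?luasec-(\d[\d.]*)\.tar\.gz` depends on upstream keeping the `luasec-` prefix on its tags, which is consistent with the `upstream-tag = luasec-%(version)s` added in gbp.conf; since the comment explaining how to exercise the watch file was removed along with the old puc-rio.br URL, it would be worth noting (in the file or the changelog) that `uscan --no-download --verbose` was run against the GitHub tags page to confirm the regex resolves the archive links.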
From 0cafd527ea2850c3f1d8b7c6ccd291e12f68745f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 30 Aug 2018 15:15:52 -0400 Subject: [PATCH 7/7] prepare non-maintainer upload --- debian/changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7033d34..284b478 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +lua-sec (0.6-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * use 2048-bit keys in test suite (Closes: #906997) + * point Vcs-* to salsa + * gbp: use upstream git tags + * debian/copyright: use https form of Format URI + * debian/changelog: strip trailing whitespace + * debian/watch: use github tags + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Thu, 30 Aug 2018 15:13:38 -0400 + lua-sec (0.6-4) unstable; urgency=medium * Team upload. -- 2.18.0
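The failure Kurt quotes ("ee key too small") is OpenSSL refusing the end-entity certificate because its key is below the floor for the configured security level, and the same floor applies to the DH groups the dhparam sample serves. The script below is an added example, not code from lua-sec or from the patches above: it extracts the modulus size from `openssl x509 -text` and `openssl dhparam -text` output and compares it with the minimum OpenSSL documents for each security level, so fixture material can be checked before a test suite trips over it. The script name `check-keys.sh`, the `SECLEVEL` environment variable and the presence of the openssl(1) CLI on PATH are assumptions; the two embedded samples are constructed, abridged copies of what the openssl commands print, not output from the lua-sec fixtures.

```sh
#!/bin/sh
# Added example, not part of lua-sec or of the patches in this thread.
# Checks PEM certificates and DH parameter files against the minimum
# modulus size OpenSSL enforces at a given security level, so fixture
# material is caught before a handshake fails with "ee key too small".
# openssl(1) on PATH is assumed only by check_file; the parsing and
# comparison helpers work on captured text and need no external tools.

# Minimum RSA/DSA/DH key size in bits per OpenSSL security level, as
# documented in SSL_CTX_set_security_level(3). Level 2 is the Debian
# default referred to in the thread.
min_bits_for_level() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Read `openssl x509 -text` or `openssl dhparam -text` output on stdin and
# print the modulus size, taken from lines such as
#     Public-Key: (1024 bit)
#     DH Parameters: (512 bit)
# Prints nothing if no such line is present.
parse_key_bits() {
    awk '/Public-Key:|DH Parameters:/ {
            if (match($0, /\([0-9]+ bit\)/)) {
                print substr($0, RSTART + 1, RLENGTH - 6)
                exit
            }
         }'
}

# check_bits MIN ACTUAL: succeed only if ACTUAL is a number >= MIN.
check_bits() {
    [ -n "$2" ] && [ "$2" -ge "$1" ]
}

# check_file LEVEL FILE: inspect a PEM certificate or DH parameter file
# with the openssl CLI and report whether it meets the level's minimum.
check_file() {
    level=$1
    file=$2
    min=$(min_bits_for_level "$level") || return 2
    if grep -q 'BEGIN DH PARAMETERS' "$file"; then
        text=$(openssl dhparam -in "$file" -noout -text 2>/dev/null)
    else
        text=$(openssl x509 -in "$file" -noout -text 2>/dev/null)
    fi
    bits=$(printf '%s\n' "$text" | parse_key_bits)
    if check_bits "$min" "$bits"; then
        echo "OK   $file: $bits bits (level $level requires >= $min)"
    else
        echo "FAIL $file: ${bits:-unknown} bits (level $level requires >= $min)" >&2
        return 1
    fi
}

# Constructed, abridged sample of `openssl x509 -text` output for a
# 1024-bit RSA key (not taken from the lua-sec fixtures).
SAMPLE_RSA1024_TEXT='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c1:...'

# Constructed, abridged sample of `openssl dhparam -text` output for a
# 2048-bit group.
SAMPLE_DH2048_TEXT='    DH Parameters: (2048 bit)
        prime:
            00:ff:...
        generator: 2 (0x2)'

# Usage (assumed script name):
#   SECLEVEL=2 sh check-keys.sh samples/certs/*cert.pem samples/dhparam/*.pem
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_file "${SECLEVEL:-2}" "$f" || status=1
    done
    exit $status
fi
```

Run over the regenerated fixtures, the script fails on any certificate or DH file under the level's floor and succeeds otherwise, which is the check the test suite was effectively performing by accident. With the thread's unpatched fixtures it reports `FAIL` for the 1024-bit keys and for `dh-512.pem`, matching what the security-level check rejects at handshake time.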