Hello community,
here is the log from the commit of package python-certbot-nginx for
openSUSE:Factory checked in at 2019-08-28 16:04:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-certbot-nginx (Old)
and /work/SRC/openSUSE:Factory/.python-certbot-nginx.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-certbot-nginx"
Wed Aug 28 16:04:43 2019 rev:10 rq:726152 version:0.37.2
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-certbot-nginx/python-certbot-nginx.changes
2019-07-29 17:28:11.994262042 +0200
+++
/work/SRC/openSUSE:Factory/.python-certbot-nginx.new.7948/python-certbot-nginx.changes
2019-08-28 16:04:45.510770949 +0200
@@ -1,0 +2,9 @@
+Mon Aug 26 10:43:03 UTC 2019 - Marketa Calabkova <[email protected]>
+
+- update to version 0.37.2
+ * Follow updated Mozilla recommendations for Nginx ssl_protocols,
+ ssl_ciphers, and ssl_prefer_server_ciphers
+ * Stop disabling TLS session tickets in Nginx as it caused TLS
+ failures on some systems.
+
+-------------------------------------------------------------------
Old:
----
certbot-nginx-0.36.0.tar.gz
New:
----
certbot-nginx-0.37.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-certbot-nginx.spec ++++++
--- /var/tmp/diff_new_pack.TKzoEi/_old 2019-08-28 16:04:46.002770875 +0200
+++ /var/tmp/diff_new_pack.TKzoEi/_new 2019-08-28 16:04:46.002770875 +0200
@@ -18,7 +18,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-certbot-nginx
-Version: 0.36.0
+Version: 0.37.2
Release: 0
Summary: Nginx plugin for Certbot
License: Apache-2.0
++++++ certbot-nginx-0.36.0.tar.gz -> certbot-nginx-0.37.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/MANIFEST.in
new/certbot-nginx-0.37.2/MANIFEST.in
--- old/certbot-nginx-0.36.0/MANIFEST.in 2019-07-11 21:12:24.000000000
+0200
+++ new/certbot-nginx-0.37.2/MANIFEST.in 2019-08-21 23:48:40.000000000
+0200
@@ -2,5 +2,4 @@
include README.rst
recursive-include docs *
recursive-include certbot_nginx/tests/testdata *
-include certbot_nginx/options-ssl-nginx.conf
-include certbot_nginx/options-ssl-nginx-old.conf
+recursive-include certbot_nginx/tls_configs *.conf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/PKG-INFO
new/certbot-nginx-0.37.2/PKG-INFO
--- old/certbot-nginx-0.36.0/PKG-INFO 2019-07-11 21:12:35.000000000 +0200
+++ new/certbot-nginx-0.37.2/PKG-INFO 2019-08-21 23:48:52.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: certbot-nginx
-Version: 0.36.0
+Version: 0.37.2
Summary: Nginx plugin for Certbot
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/certbot_nginx/configurator.py
new/certbot-nginx-0.37.2/certbot_nginx/configurator.py
--- old/certbot-nginx-0.36.0/certbot_nginx/configurator.py 2019-07-11
21:12:24.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx/configurator.py 2019-08-21
23:48:40.000000000 +0200
@@ -20,7 +20,6 @@
from certbot import errors
from certbot import interfaces
from certbot import util
-from certbot.compat import misc
from certbot.compat import os
from certbot.plugins import common
@@ -128,7 +127,10 @@
config_filename = "options-ssl-nginx.conf"
if self.version < (1, 5, 9):
config_filename = "options-ssl-nginx-old.conf"
- return pkg_resources.resource_filename("certbot_nginx",
config_filename)
+ elif self.version < (1, 13, 0):
+ config_filename = "options-ssl-nginx-tls12-only.conf"
+ return pkg_resources.resource_filename(
+ "certbot_nginx", os.path.join("tls_configs", config_filename))
@property
def mod_ssl_conf(self):
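Review bot: The two version thresholds in this hunk, `(1, 5, 9)` and `(1, 13, 0)`, are unexplained magic values, and the second one encodes the security-relevant decision of whether the TLSv1.3-enabled config is served. A one-line comment on the `elif` would save the next maintainer a trip to the nginx changelog: `# nginx < 1.13.0 does not accept TLSv1.3 in ssl_protocols, so use the TLS 1.2-only variant`. Note also that in this same diff the `options-ssl-nginx-old.conf` and `options-ssl-nginx-tls12-only.conf` files are byte-identical, so the `< (1, 5, 9)` branch now selects a file with the same content as the middle branch; if that is intentional it deserves a comment too. The enclosing `mod_ssl_conf_src` property begins before the hunk.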
@@ -903,13 +905,9 @@
have permissions of root.
"""
- uid = misc.os_geteuid()
- util.make_or_verify_dir(
- self.config.work_dir, core_constants.CONFIG_DIRS_MODE, uid)
- util.make_or_verify_dir(
- self.config.backup_dir, core_constants.CONFIG_DIRS_MODE, uid)
- util.make_or_verify_dir(
- self.config.config_dir, core_constants.CONFIG_DIRS_MODE, uid)
+ util.make_or_verify_dir(self.config.work_dir,
core_constants.CONFIG_DIRS_MODE)
+ util.make_or_verify_dir(self.config.backup_dir,
core_constants.CONFIG_DIRS_MODE)
+ util.make_or_verify_dir(self.config.config_dir,
core_constants.CONFIG_DIRS_MODE)
def get_version(self):
"""Return version of Nginx Server.
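Review bot: The visible tail of the docstring (`have permissions of root.`) still describes an ownership guarantee, but the new `util.make_or_verify_dir` calls drop the `uid` argument that the old calls passed, so whether the owner of `work_dir`, `backup_dir` and `config_dir` is still verified now rests entirely on the 0.37 implementation of `util.make_or_verify_dir`, which is outside this diff. Since that check is what protects the directories from being pre-created by a less privileged user, it is worth confirming and then either keeping the docstring or rewording it to what is actually guaranteed. The enclosing method begins before the hunk.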
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/certbot_nginx/constants.py
new/certbot-nginx-0.37.2/certbot_nginx/constants.py
--- old/certbot-nginx-0.36.0/certbot_nginx/constants.py 2019-07-11
21:12:24.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx/constants.py 2019-08-21
23:48:40.000000000 +0200
@@ -23,10 +23,19 @@
"""Name of the hash of the updated or informed mod_ssl_conf as saved in
`IConfig.config_dir`."""
SSL_OPTIONS_HASHES_NEW = [
+ '108c4555058a087496a3893aea5d9e1cee0f20a3085d44a52dc1a66522299ac3',
+ 'd5e021706ecdccc7090111b0ae9a29ef61523e927f020e410caf0a1fd7063981',
+]
+"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >=
1.13.0"""
+
+SSL_OPTIONS_HASHES_MEDIUM = [
'63e2bddebb174a05c9d8a7cf2adf72f7af04349ba59a1a925fe447f73b2f1abf',
'2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2',
+ '30baca73ed9a5b0e9a69ea40e30482241d8b1a7343aa79b49dc5d7db0bf53b6c',
+ '02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426',
]
-"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >=
1.5.9"""
+"""SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >=
1.5.9
+ and nginx < 1.13.0"""
ALL_SSL_OPTIONS_HASHES = [
'0f81093a1465e3d4eaa8b0c14e77b2a2e93568b0fc1351c2b87893a95f0de87c',
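Review bot: The docstring added for `SSL_OPTIONS_HASHES_MEDIUM` says the list covers nginx `>= 1.5.9 and < 1.13.0`, yet no list is documented as covering the `< 1.5.9` file, `options-ssl-nginx-old.conf`. It is covered only because, as the new `tls_configs` hunks later in this diff show, that file is byte-identical to `options-ssl-nginx-tls12-only.conf` and therefore shares its hash; that is an accident of content rather than a documented contract, so I would extend the docstring with `(also covers options-ssl-nginx-old.conf, whose content is currently identical)` so a future edit to one file that forgets the other is caught in review rather than by a user-facing "manually edited" refusal.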
@@ -36,7 +45,8 @@
'394732f2bbe3e5e637c3fb5c6e980a1f1b90b01e2e8d6b7cff41dde16e2a756d',
'4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16',
'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4',
-] + SSL_OPTIONS_HASHES_NEW
+ '02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426',
+] + SSL_OPTIONS_HASHES_MEDIUM + SSL_OPTIONS_HASHES_NEW
"""SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""
def os_constant(key):
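Review bot: The hash `'02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426'` added to the literal part of `ALL_SSL_OPTIONS_HASHES` here is already present in `SSL_OPTIONS_HASHES_MEDIUM` (added in the previous hunk), which is concatenated onto the same list on the next line, so `ALL_SSL_OPTIONS_HASHES` now contains it twice. Membership tests are unaffected, but the duplicate suggests the entry was placed in two lists by mistake and will confuse anyone auditing which config version each hash belongs to; drop the literal line and keep the `SSL_OPTIONS_HASHES_MEDIUM` entry.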
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx-old.conf
new/certbot-nginx-0.37.2/certbot_nginx/options-ssl-nginx-old.conf
--- old/certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx-old.conf
2019-07-11 21:12:24.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx/options-ssl-nginx-old.conf
1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-
-ssl_ciphers
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx.conf
new/certbot-nginx-0.37.2/certbot_nginx/options-ssl-nginx.conf
--- old/certbot-nginx-0.36.0/certbot_nginx/options-ssl-nginx.conf
2019-07-11 21:12:24.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx/options-ssl-nginx.conf
1970-01-01 01:00:00.000000000 +0100
@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-
-ssl_ciphers
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/tests/configurator_test.py
new/certbot-nginx-0.37.2/certbot_nginx/tests/configurator_test.py
--- old/certbot-nginx-0.36.0/certbot_nginx/tests/configurator_test.py
2019-07-11 21:12:24.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx/tests/configurator_test.py
2019-08-21 23:48:40.000000000 +0200
@@ -963,7 +963,29 @@
"Constants.ALL_SSL_OPTIONS_HASHES must be appended"
" with the sha256 hash of self.config.mod_ssl_conf when it is
updated.")
- def test_old_nginx_version_uses_old_config(self):
+ def test_ssl_config_files_hash_in_all_hashes(self):
+ """
+ It is really critical that all TLS Nginx config files have their
SHA256 hash registered in
+ constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly
assume that the config
+ file has been manually edited by the user, and will refuse to update
it.
+ This test ensures that all necessary hashes are present.
+ """
+ from certbot_nginx.constants import ALL_SSL_OPTIONS_HASHES
+ import pkg_resources
+ all_files = [
+ pkg_resources.resource_filename("certbot_nginx",
os.path.join("tls_configs", x))
+ for x in ("options-ssl-nginx.conf",
+ "options-ssl-nginx-old.conf",
+ "options-ssl-nginx-tls12-only.conf")
+ ]
+ self.assertTrue(all_files)
+ for one_file in all_files:
+ file_hash = crypto_util.sha256sum(one_file)
+ self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES,
+ "Constants.ALL_SSL_OPTIONS_HASHES must be appended
with the sha256 "
+ "hash of {0} when it is updated.".format(one_file))
+
+ def test_nginx_version_uses_correct_config(self):
self.config.version = (1, 5, 8)
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
"options-ssl-nginx-old.conf")
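Review bot: `self.assertTrue(all_files)` in the new `test_ssl_config_files_hash_in_all_hashes` is a tautology: `all_files` is built from a fixed three-element tuple and `pkg_resources.resource_filename` returns a path string whether or not the file exists, so the assertion can never fail. If the intent is to catch a config file missing from the package (the case the new MANIFEST.in rule is meant to prevent), assert existence instead, e.g. `self.assertTrue(os.path.isfile(one_file), one_file)` inside the loop. Also prefer `self.assertIn(file_hash, ALL_SSL_OPTIONS_HASHES, ...)` over `assertTrue(file_hash in ...)` so a failure reports the offending hash. The renamed `test_nginx_version_uses_correct_config` continues past the end of the hunk.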
@@ -971,6 +993,11 @@
self._assert_current_file()
self.config.version = (1, 5, 9)
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
+ "options-ssl-nginx-tls12-only.conf")
+ self._call()
+ self._assert_current_file()
+ self.config.version = (1, 13, 0)
+ self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
"options-ssl-nginx.conf")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
---
old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
1970-01-01 01:00:00.000000000 +0100
+++
new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
2019-08-21 23:48:40.000000000 +0200
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
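Review bot: This new `tls_configs/options-ssl-nginx-old.conf` is byte-for-byte identical to `tls_configs/options-ssl-nginx-tls12-only.conf` added in the next file of this diff, so the two files necessarily share a single SHA256 entry in `constants.py` and a change to one without the other will silently desynchronise them. Because any comment line added here would alter the hash that has to be registered, I would not annotate the file itself; instead record the relationship where the hashes live, or have the `< 1.5.9` and `< 1.13.0` branches in `configurator.py` point at one file until their content actually needs to differ.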
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
---
old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
1970-01-01 01:00:00.000000000 +0100
+++
new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
2019-08-21 23:48:40.000000000 +0200
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx.conf
new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx.conf
--- old/certbot-nginx-0.36.0/certbot_nginx/tls_configs/options-ssl-nginx.conf
1970-01-01 01:00:00.000000000 +0100
+++ new/certbot-nginx-0.37.2/certbot_nginx/tls_configs/options-ssl-nginx.conf
2019-08-21 23:48:40.000000000 +0200
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
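Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` is chosen purely on the nginx version in `configurator.py`, while actually offering TLS 1.3 presumably also depends on the OpenSSL nginx is linked against; that is a deployment fact this file cannot check, so it belongs in the plugin's documentation so operators do not assume TLS 1.3 is on just because this file was installed. Separately, the changelog entry in this commit says session tickets are no longer disabled, and this file indeed no longer carries `ssl_session_tickets off;`; with tickets at their default and no `ssl_session_ticket_key` configured, nginx uses a key it generates itself, so the forward secrecy of resumed sessions is bounded by how long that key stays in use. Worth a sentence in the plugin docs (not in this hash-tracked file) so operators who care about that property know to configure key rotation.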
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/certbot_nginx.egg-info/PKG-INFO
new/certbot-nginx-0.37.2/certbot_nginx.egg-info/PKG-INFO
--- old/certbot-nginx-0.36.0/certbot_nginx.egg-info/PKG-INFO 2019-07-11
21:12:35.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx.egg-info/PKG-INFO 2019-08-21
23:48:52.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: certbot-nginx
-Version: 0.36.0
+Version: 0.37.2
Summary: Nginx plugin for Certbot
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/certbot-nginx-0.36.0/certbot_nginx.egg-info/SOURCES.txt
new/certbot-nginx-0.37.2/certbot_nginx.egg-info/SOURCES.txt
--- old/certbot-nginx-0.36.0/certbot_nginx.egg-info/SOURCES.txt 2019-07-11
21:12:35.000000000 +0200
+++ new/certbot-nginx-0.37.2/certbot_nginx.egg-info/SOURCES.txt 2019-08-21
23:48:52.000000000 +0200
@@ -10,8 +10,6 @@
certbot_nginx/http_01.py
certbot_nginx/nginxparser.py
certbot_nginx/obj.py
-certbot_nginx/options-ssl-nginx-old.conf
-certbot_nginx/options-ssl-nginx.conf
certbot_nginx/parser.py
certbot_nginx/parser_obj.py
certbot_nginx.egg-info/PKG-INFO
@@ -60,6 +58,9 @@
certbot_nginx/tests/testdata/etc_nginx/ubuntu_nginx_1_4_6/default_vhost/nginx/win-utf
certbot_nginx/tests/testdata/etc_nginx/ubuntu_nginx_1_4_6/default_vhost/nginx/sites-available/default
certbot_nginx/tests/testdata/etc_nginx/ubuntu_nginx_1_4_6/default_vhost/nginx/sites-enabled/default
+certbot_nginx/tls_configs/options-ssl-nginx-old.conf
+certbot_nginx/tls_configs/options-ssl-nginx-tls12-only.conf
+certbot_nginx/tls_configs/options-ssl-nginx.conf
docs/.gitignore
docs/Makefile
docs/api.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/certbot-nginx-0.36.0/setup.py
new/certbot-nginx-0.37.2/setup.py
--- old/certbot-nginx-0.36.0/setup.py 2019-07-11 21:12:25.000000000 +0200
+++ new/certbot-nginx-0.37.2/setup.py 2019-08-21 23:48:41.000000000 +0200
@@ -4,7 +4,7 @@
import sys
-version = '0.36.0'
+version = '0.37.2'
# Remember to update local-oldest-requirements.txt when changing the minimum
# acme/certbot version.