Bug#898969: dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key
On Mon, 2018-10-01 at 22:42 -0700, Diane Trout wrote:

> Could you go into a bit more detail about how dnssec-triggerd-keygen
> isn't working for you?

As mentioned in the initial mail in the bug by brian m. carlson, it creates the keys in /etc, not in /etc/dnssec-trigger and the latter is where dnssec-triggerd looks for the keys.

> Because currently the easiest answer I can think of for this is to
> delete the keys and restart the daemons on upgrade.

That seems like the reasonable thing to do as long as the code for this checks that the keys are long enough for the new openssl. It should probably also add a trigger on the openssl files, so that merely upgrading openssl to the new version does the delete and restart.

> Also I'm a bit surprised the panel is working. I guess this means
> you're using something that is not gnome.

I am using GNOME. The panel item was *not* working and thus generating the errors in the dnssec-triggerd logs. This is because after the key was replaced and the daemon restarted, it didn't reload the key from disk and use the new one instead of the old one. So the panel needs to handle a daemon restart (I assume it gets notification of that event) by reloading the key before connecting to the newly restarted daemon.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
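An added example, not code from this thread or from the dnssec-trigger package: the kind of check the upgrade hook discussed above would need, measuring the RSA modulus size of each key file (the hook would read them from /etc/dnssec-trigger) and flagging any shorter than the minimum. The 2048-bit minimum is an assumption about Debian's OpenSSL 1.1.1 default security level, the DER parser is minimal, and the sample keys are constructed fixtures rather than real keys.

```python
import base64
import re

# Assumption: Debian's OpenSSL 1.1.1 default security level rejects RSA keys
# shorter than 2048 bits, which is what makes the old dnssec-trigger keys fail.
MIN_BITS = 2048

def _tlv(buf, pos):
    # Decode one DER tag-length-value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nbytes:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    # Modulus size in bits of an unencrypted PEM RSA private key (PKCS#1 or PKCS#8).
    body = re.search(r"-----BEGIN (?:RSA )?PRIVATE KEY-----(.*?)-----END", pem, re.S).group(1)
    _, seq, _ = _tlv(base64.b64decode("".join(body.split())), 0)  # outer SEQUENCE
    _, _, pos = _tlv(seq, 0)                                      # INTEGER version
    tag, second, pos = _tlv(seq, pos)
    if tag == 0x30:  # PKCS#8: AlgorithmIdentifier, then an OCTET STRING holding PKCS#1
        _, inner, _ = _tlv(seq, pos)
        _, seq, _ = _tlv(inner, 0)
        _, _, pos = _tlv(seq, 0)
        _, second, _ = _tlv(seq, pos)
    return int.from_bytes(second, "big").bit_length()

def keys_need_regeneration(named_pems, min_bits=MIN_BITS):
    # Names of the keys an upgrade hook should delete and recreate before restarting the daemons.
    return [name for name, pem in named_pems if rsa_modulus_bits(pem) < min_bits]

def _der(tag, body):
    # Minimal DER encoder, used only to build the constructed fixtures below.
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(n):
    # Unsigned non-negative INTEGER; the extra byte keeps a leading zero when the top bit is set.
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_sample_pkcs1_pem(bits):
    # Constructed fixture, NOT a real key: a PKCS#1 shell whose modulus has the given bit length.
    n = (1 << (bits - 1)) | 1
    b64 = base64.b64encode(_der(0x30, _der_int(0) + _der_int(n) + _der_int(65537))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % "\n".join(lines)
```

A real hook would pass the contents of the dnssec-trigger and unbound control key files to keys_need_regeneration and recreate any it returns.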
Bug#898969: dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key
On Mon, 01 Oct 2018 22:42:52 -0700 Diane Trout wrote:

> Also I'm a bit surprised the panel is working. I guess this means
> you're using something that is not gnome.

Ah, maybe you're referring to GNOME getting rid of the system-tray stuff, I'm using a GNOME shell extension to restore that functionality.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#898969: dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key
On Mon, 2018-09-17 at 09:55 +0800, Paul Wise wrote:

> Package: dnssec-trigger
> Version: 0.15+repack-1
> Followup-For: Bug #898969
> Control: retitle -1 dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key and unknown ca
> Control: severity -1 serious
>
> If I delete the existing keys and recreate them with dnssec-trigger-control-setup
> (since dnssec-triggerd-keygen is broken) and restart dnssec-triggerd,
> I get an error repeating over and over again:

Could you go into a bit more detail about how dnssec-triggerd-keygen isn't working for you?

Because currently the easiest answer I can think of for this is to delete the keys and restart the daemons on upgrade.

Also I'm a bit surprised the panel is working. I guess this means you're using something that is not gnome.
Bug#898969: dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key
Package: dnssec-trigger
Version: 0.15+repack-1
Followup-For: Bug #898969
Control: retitle -1 dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key and unknown ca
Control: severity -1 serious

If I delete the existing keys and recreate them with dnssec-trigger-control-setup (since dnssec-triggerd-keygen is broken) and restart dnssec-triggerd, I get an error repeating over and over again:

    error: remote control failed ssl crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

I realised this is because of my existing dnssec-trigger-panel process.

I also noticed that the unbound TLS key is also insecure and needs to be replaced too otherwise dnssec-triggerd cannot control unbound to add forwarders and make other changes.

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dnssec-trigger depends on:
ii  gir1.2-nm-1.0        1.12.2-3
ii  libc6                2.27-6
ii  libgdk-pixbuf2.0-0   2.36.12-2
ii  libglib2.0-0         2.58.0-3
ii  libgtk2.0-0          2.24.32-3
ii  libldns2             1.7.0-3+b2
ii  libssl1.1            1.1.1-1
ii  python3              3.6.5-3
ii  python3-gi           3.28.3-1
ii  python3-lockfile     1:0.12.2-2
ii  unbound              1.7.3-1

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise