[Touch-packages] [Bug 893024] Re: Support 802.1x auth requirement detection and fallback

2016-05-09 Thread dwmw2
Is there an upstream bug/RFE filed for this? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/893024 Title: Support 802.1x auth requirement detection and fallback

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2016-12-08 Thread dwmw2
It does seem that p11-kit-trust.so is working correctly. If I just make a symlink from libnssckbi.so to it, corporate trust installed by update- ca-certificates *does* work in Firefox. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1648634] [NEW] opencryptoki breaks p11-kit

2016-12-08 Thread dwmw2
Public bug reported: When opencryptoki is installed, it creates a symlink from /etc/pkcs11 to /var/lib/opencryptoki, which is readable only by root. This means that anything using p11-kit to find the PKCS#11 modules which are configured to be available in the system (which is basically any

[Touch-packages] [Bug 1648905] [NEW] VPN username and settings not saved

2016-12-09 Thread dwmw2
Public bug reported: The OpenConnect VPN auth-dialog doesn't remember usernames and other settings. See discussion (and fix) in https://bugzilla.redhat.com/show_bug.cgi?id=1332491 ** Affects: network-manager (Ubuntu) Importance: Undecided Status: New -- You received this bug

[Touch-packages] [Bug 1648901] [NEW] SPNEGO crash on mechanism failure

2016-12-09 Thread dwmw2
Public bug reported: Chrome (and other things) crash when Kerberos fails to authenticate: https://bugs.chromium.org/p/chromium/issues/detail?id=554905 This was fixed in MIT krb5 in January: https://github.com/krb5/krb5/pull/385 Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation

[Touch-packages] [Bug 1648905] Re: VPN username and settings not saved

2016-12-14 Thread dwmw2
When do we get a fix for 16.04? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1648905 Title: VPN username and settings not saved Status in network-manager

[Touch-packages] [Bug 1609700] Re: username is not saved in openconnect connection dialog

2016-12-14 Thread dwmw2
This is actually a NetworkManager bug. As noted in bug 1648905 it's fixed upstream by https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2=bb45adeda0bf427ada23b09daf970b0757e82d60 ** Also affects: network-manager (Ubuntu) Importance: Undecided Status: New ** Bug

[Touch-packages] [Bug 1648905] Re: VPN username and settings not saved

2016-12-14 Thread dwmw2
*** This bug is a duplicate of bug 1609700 *** https://bugs.launchpad.net/bugs/1609700 Actually, this is probably a duplicate of bug 1609700 ** This bug has been marked a duplicate of bug 1609700 username is not saved in openconnect connection dialog -- You received this bug

[Touch-packages] [Bug 1648901] Re: SPNEGO crash on mechanism failure

2016-12-17 Thread dwmw2
Sure, I can attempt to test. It needs Kerberos to fail, while another mechanism is possible. So fix up the packaging errors noted in bug 1648898 so that GSS-NTLMSSP is actually registered properly, then just KRB5CCNAME=/dev/null google-chrome $SOME_URL_WHICH_USES_NEGOTIATE_AUTH -- You received

[Touch-packages] [Bug 1648901] Re: SPNEGO crash on mechanism failure

2016-12-17 Thread dwmw2
On 16.04. Apologies, I looked but couldn't see where Launchpad expects me to enter that information. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1648901 Title: SPNEGO

[Touch-packages] [Bug 1648901] Re: SPNEGO crash on mechanism failure

2016-12-17 Thread dwmw2
Reproducer See dwmw2's (reporter of the bug) comment #3 : https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1648901/comments/3 [Regression Potential]  * none expected Y and Z release already has the krb5 upstream patch.  * Debian has the patch as well. [Other Info]  * Upstream fix

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2016-12-12 Thread dwmw2
The Mozilla bugs you link are a bit of a red herring. They refer to an abortive attempt by Mozilla/NSS to have a 'shared system database' in sql:/etc/pki/nssdb. The idea is that applications specify that as their NSS database and although it's obviously read-only, it automatically adds the user's

[Touch-packages] [Bug 893024] Re: Support 802.1x auth requirement detection and fallback

2016-12-08 Thread dwmw2
https://bugzilla.gnome.org/show_bug.cgi?id=723084 ** Bug watch added: GNOME Bug Tracker #723084 https://bugzilla.gnome.org/show_bug.cgi?id=723084 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

[Touch-packages] [Bug 1647285] [NEW] SSL trust not system-wide

2016-12-05 Thread dwmw2
Public bug reported: When I install a corporate CA trust root with update-ca-certificates, it doesn't seem to work everywhere. Various things like Firefox, Evolution, Chrome, etc. all fail to trust the newly-installed trusted CA. This ought to work, and does on other distributions. In p11-kit

[Touch-packages] [Bug 1651451] Re: NSS Shared System Database non-functional

2016-12-20 Thread dwmw2
This of course means that even if I wanted to work around bug 1647285 (where apps using NSS don't honour the system SSL trust settings) by manually adding the company certs to /etc/pki/nssdb, applications can't even use *that*... -- You received this bug notification because you are a member of

[Touch-packages] [Bug 1651451] [NEW] NSS Shared System Database non-functional

2016-12-20 Thread dwmw2
Public bug reported: Ubuntu 16.04 appears to ship with libnsssysinit.so configured in /etc/pki/nssdb as it should be, but the library isn't *present*. So when applications such as Evolution attempt to open it, they fail: (evolution:20974): camel-WARNING **: Failed to initialize NSS SQL database

[Touch-packages] [Bug 420411] Re: vpn connection handshake times out too soon

2017-07-25 Thread dwmw2
This appears to still be broken in 16.04. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/420411 Title: vpn connection handshake times out too soon Status in

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2017-07-26 Thread dwmw2
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180 https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html ** Bug watch added: Debian Bug tracker #741005 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2017-07-24 Thread dwmw2
I believe we need to update p11-kit to v0.23.4 to make the key pinning work correctly in the recommended configuration, by adding the CKA_NSS_MOZILLA_CA_POLICY attribute. https://bugs.freedesktop.org/show_bug.cgi?id=99453 https://bugzilla.mozilla.org/show_bug.cgi?id=1324096 ** Bug watch added:

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2017-07-24 Thread dwmw2
I believe NSS wants these patches backported from 3.30: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 Firefox has its own copy of NSS which I think as of Firefox 54 should be fine. Thunderbird also needs fixing, I think. ** Bug watch added: Mozilla Bugzilla #1334976

[Touch-packages] [Bug 666446] Re: NetworkManager VPN should offer an option to use *only* VPN nameservers

2018-03-09 Thread dwmw2
I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially

[Touch-packages] [Bug 1754671] [NEW] Full-tunnel VPN DNS leakage regression

2018-03-09 Thread dwmw2
*** This bug is a security vulnerability *** Public security bug reported: In 16.04 the NetworkManager package used to carry this patch: http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch It

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2018-04-25 Thread dwmw2
Any progress on fixing this? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to p11-kit in Ubuntu. https://bugs.launchpad.net/bugs/1647285 Title: SSL trust not system-wide Status in ca-certificates package in Ubuntu:

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2018-03-20 Thread dwmw2
This is CVE-2018-1000135. For some reason the 'Link to CVE' option above doesn't seem to work. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135 ** CVE added: https://cve.mitre.org/cgi- bin/cvename.cgi?name=2018-1000135 -- You received this bug notification because you are a

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-03-11 Thread dwmw2
@seb128 please see "In 16.04 the NetworkManager package used to carry this patch..." in the bug description above. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-03-08 Thread dwmw2
Is there a 16.04 package? This was a regression there caused by an earlier update. I have users reporting the same bizarre behaviour I wasn't able to clearly describe before — essentially, DNS being sent out seemingly random interfaces (sometimes VPN, sometimes local). My advice to just install

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-04 Thread dwmw2
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here; thanks. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1754671 Title: Full-tunnel VPN DNS

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-04 Thread dwmw2
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN domains. It's all going to the local VPN server. I don't know what changed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-04 Thread dwmw2
Not sure what happened there. It was looking up *some* names in the $COMPANY.com domain on the VPN, but others not, consistently. I couldn't see a pattern. I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and now it does seem to be behaving. However, this shouldn't be necessary.

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-15 Thread dwmw2
I am receiving reports that it isn't fixed in 18.04 either. Users are still seeing DNS lookups on the local network, until they manually edit the VPN config to include: [ipv4] dns-priority=-1 dns-search=~.; I thought that wasn't going to be necessary? -- You received this bug notification

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-15 Thread dwmw2
These systems are using dnsmasq not systemd-resolver. This was done for historical reasons; I'm not sure of the specific bug which caused that choice. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-27 Thread dwmw2
Till, you want that for the case where dnsmasq is being used and is misbehaving? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1754671 Title: Full-tunnel VPN DNS leakage

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-27 Thread dwmw2
And (in case any of my colleagues are paying attention and inclined to do it before the next time I get to spend any real time in front of a computer, next week), without the dns-priority and dns-search settings that made it work again after the recent NM update. -- You received this bug

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-04 Thread dwmw2
@ddstreet We don't use systemd-resolver here. It's fairly trivial to set up a VPN service; the openconnect 'make check' uses ocserv automatically, for example. You shouldn't have difficulty reproducing this locally. -- You received this bug notification because you are a member of Ubuntu Touch

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-22 Thread dwmw2
We aren't using systemd-resolver for various historical reasons; we are using dnsmasq which should be expected to work. It isn't, but we have manually added the dns-priority=-1;dns-search=~. settings which make it work, as an emergency deployment when the latest NM update broke things for

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-22 Thread dwmw2
This is Bionic. After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are using dnsmasq) reported that DNS supported working for them while they were on the VPN. Some internal names were looked up correctly, others weren't. I resolved it for them as follows: $ sudo nmcli con modify

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-22 Thread dwmw2
On the 1.10.14 regression simply making those dns-priority/dns- search settings the *default* behaviour for a full-tunnel VPN would appear to be the correct thing to do (i.e. use the DNS of a full-tunnel VPN for *all* lookups), and I think it should resolve the problems people were seeing. --

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-22 Thread dwmw2
On the switch to using dnsmasq: that decision predates my tenure so I have limited visibility. I can try to get our IT team to expend effort in moving to systemd-resolved and see what breaks. It may even be completely unnecessary in xenial, and is merely inherited to make our bionic setups less

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-22 Thread dwmw2
Dammit, "completely unnecessary in bionic but inherited from xenial"... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1754671 Title: Full-tunnel VPN DNS leakage

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-19 Thread dwmw2
Any word on when this CVE will be fixed? In the meantime I have put the 1.10.14-0ubuntu2 package into an apt repository at http://david.woodhou.se/cve-2018-1000135/ for users who need it. I couldn't work out how to copy it into a PPA without rebuilding it. In the short term can someone please at

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-21 Thread dwmw2
I have worked out the problem with the new NetworkManager which required me to set ipv4.dns-priority=-1 (which, in turn, messes things up for those with fresh installs that don't get the new NetworkManager). The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs but it doesn't also

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-07-18 Thread dwmw2
Do we have any idea when this will be fixed? Most of my users used to get away with the DNS leakage and it was "only" a security problem but stuff actually worked. Then the NM and other updates were shipped, we set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine. Then the NM

[Touch-packages] [Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-07-18 Thread dwmw2
> That's weird, do you understand why? The update was deleted so you should be > back to initial > situation, we had no change to the previous package build Other package changes? Certainly systemd-resolver although we don't use that (because of a previous VPN DNS leak problem) we use dnsmasq.

[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2019-10-29 Thread dwmw2
@kvasko yes, it works here. Are you sure that's the version of libnssckbi.so that is being used? There are lots; I've replaced them all... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.

[Touch-packages] [Bug 1838838] Re: username is not saved in openconnect connection dialog

2020-01-13 Thread dwmw2
** Package changed: network-manager-openconnect (Ubuntu) => gnome-shell (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1838838 Title: username is not

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
Now https://gitlab.gnome.org/GNOME/gnome-shell/issues/2105 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1609700 Title: username is not saved in openconnect

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
That build seems not to fix it. I tried to build locally to bisect, but can't seem to get the local build to work at all. May have to leave this to the NM maintainers. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to

[Touch-packages] [Bug 1838838] Re: username is not saved in openconnect connection dialog

2020-01-08 Thread dwmw2
** Package changed: network-manager-openconnect (Ubuntu) => network- manager (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1838838 Title: username is

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
*** Bug 1705711 has been marked as a duplicate of this bug. *** -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1609700 Title: username is not saved in openconnect

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
According to https://bugs.launchpad.net/bugs/1609700 this bug has reoccurred in f30. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1609700 Title: username is not

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
I wonder if this regression is caused by https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=009f7560867e939 ? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

[Touch-packages] [Bug 1609700]

2020-01-13 Thread dwmw2
Please test the Fedora 30 build with that commit reverted, at https://koji.fedoraproject.org/koji/taskinfo?taskID=36857342 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

[Touch-packages] [Bug 1838838] Re: username is not saved in openconnect connection dialog

2020-01-08 Thread dwmw2
I moved it to NetworkManager because that's where the regression is. There's not a lot we can do about it in NetworkManager-openconnect. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.

Re: [Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

2020-03-19 Thread dwmw2
On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote: > It looks like symlinking firefox and thunderbird's own copies of > libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to > fix this bug, as far as Mozilla's products are concerned. > > Before I proceed to doing this, I'd