** Description changed: When running posttls-finger on focal, it attempts to connect to private/tlsmgr, and unless the program is being run from /var/spool/postfix as root, this fails and posttls-finger disables TLS in the subsequent connection that it makes to the specified SMTP server. If the user doesn't notice the "disabling TLS support" message in the output, they might infer that the test has successfully verified their TLS configuration, when in fact all it has verified is that it can connect to the SMTP server without TLS. The following command shows the problem: root@maimbo:/# posttls-finger mx.dmz.tait.net.nz posttls-finger: warning: connect to private/tlsmgr: No such file or directory posttls-finger: warning: connect to private/tlsmgr: No such file or directory posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory posttls-finger: warning: no entropy for TLS key generation: disabling TLS support posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25 posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu) posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-STARTTLS posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye In contrast, if the same command is run from /var/spool/postfix as root, the output is as follows: root@maimbo:/var/spool/postfix# posttls-finger mx.dmz.tait.net.nz posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 
19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25 posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu) posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-STARTTLS posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > STARTTLS posttls-finger: < 220 2.0.0 Ready to start TLS posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: depth=0 matched end entity public-key sha256 digest=19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subjectAltName: mx.tait.net.nz posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25 CommonName mx.tait.net.nz posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03 posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye - Which of course now includes the "Verified TLS connection - established..." line. 
+ Which of course now includes the "Verified TLS connection established..." + line. + + --- + [SRU] + + [Impact] + In iostat (Focal), when using output option JSON, the values for the number of megabytes written to the device per second (wMB/s) are wrong (they are expressed in blocks/s instead). + + [Test Case] + Using the command "iostat <device> -dmx 1 -o JSON" in one terminal and the same command whithout "-o JSON" in another one, and you'll see that all the values match except wMB/s (<device> can be from lsblk output in case of doubt). + + Results for Focal (VM): + Before (spoiler: 0.23 vs 483.45 wMB/s): + - Non JSON output: https://pastebin.canonical.com/p/vXJ2xQPXW3/ + - JSON output: https://pastebin.canonical.com/p/ncGvCzgHCg/ + + After (spoiler: 0.03 vs 0.03 wMB/s): + - Non JSON output: https://pastebin.canonical.com/p/QhmWBHXCcG/ + - JSON output: https://pastebin.canonical.com/p/XWQtNGHNkP/ + + + PPA with built package with fix for testing: https://launchpad.net/~mirespace/+archive/ubuntu/srus/+packages ( ppa:mirespace/srus ) + + [Where Problems Could Occur] + This patch is cherry picked from upstream, so the bug is corrected in following sysstat package versions, only affects iostat commad. + + If the problem was not noticed by a Focal user could be led to + strangeness if this output is used in custom scripts. + + [Other Info] + Fixed upstream in version 12.3.1, commit id:404eee1417dad8abe6ef49ea6e1469fe6cfdddbe + Commit description: iostat: Fix wrong unit used in JSON output + + The values for the amount of data read/written or discarded were always + expressed in blocks/s in the JSON output generated by iostat. It should + take into account the unit (blocks, kB, MB) selected by the user. + + Bug on upstream: https://github.com/sysstat/sysstat/issues/264 + + [Original Report] + https://bugs.launchpad.net/ubuntu/+source/sysstat/+bug/1888345/comments/0
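Review bot: the added [SRU] block does not belong in this description. It covers an iostat JSON unit fix in sysstat (upstream issue 264, with bug 1888345 given under [Original Report]), while the text it is appended to describes posttls-finger disabling TLS when private/tlsmgr cannot be reached. Suggest dropping the block here and filing it on the sysstat bug it names; the rewrap of the "Verified TLS connection established..." sentence can stay.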
** Description changed: When running posttls-finger on focal, it attempts to connect to private/tlsmgr, and unless the program is being run from /var/spool/postfix as root, this fails and posttls-finger disables TLS in the subsequent connection that it makes to the specified SMTP server. If the user doesn't notice the "disabling TLS support" message in the output, they might infer that the test has successfully verified their TLS configuration, when in fact all it has verified is that it can connect to the SMTP server without TLS. The following command shows the problem: root@maimbo:/# posttls-finger mx.dmz.tait.net.nz posttls-finger: warning: connect to private/tlsmgr: No such file or directory posttls-finger: warning: connect to private/tlsmgr: No such file or directory posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory posttls-finger: warning: no entropy for TLS key generation: disabling TLS support posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25 posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu) posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-STARTTLS posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye In contrast, if the same command is run from /var/spool/postfix as root, the output is as follows: root@maimbo:/var/spool/postfix# posttls-finger mx.dmz.tait.net.nz posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 
19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25 posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu) posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-STARTTLS posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > STARTTLS posttls-finger: < 220 2.0.0 Ready to start TLS posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: depth=0 matched end entity public-key sha256 digest=19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subjectAltName: mx.tait.net.nz posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25 CommonName mx.tait.net.nz posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03 posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 posttls-finger: > EHLO maimbo.tait.net.nz posttls-finger: < 250-mx.tait.net.nz posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 20480000 posttls-finger: < 250-ETRN posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 SMTPUTF8 posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye - Which of course now includes the "Verified TLS connection established..." 
+ Which of course now includes the "Verified TLS connection established..." line. - - --- - [SRU] - - [Impact] - In iostat (Focal), when using output option JSON, the values for the number of megabytes written to the device per second (wMB/s) are wrong (they are expressed in blocks/s instead). - - [Test Case] - Using the command "iostat <device> -dmx 1 -o JSON" in one terminal and the same command whithout "-o JSON" in another one, and you'll see that all the values match except wMB/s (<device> can be from lsblk output in case of doubt). - - Results for Focal (VM): - Before (spoiler: 0.23 vs 483.45 wMB/s): - - Non JSON output: https://pastebin.canonical.com/p/vXJ2xQPXW3/ - - JSON output: https://pastebin.canonical.com/p/ncGvCzgHCg/ - - After (spoiler: 0.03 vs 0.03 wMB/s): - - Non JSON output: https://pastebin.canonical.com/p/QhmWBHXCcG/ - - JSON output: https://pastebin.canonical.com/p/XWQtNGHNkP/ - - - PPA with built package with fix for testing: https://launchpad.net/~mirespace/+archive/ubuntu/srus/+packages ( ppa:mirespace/srus ) - - [Where Problems Could Occur] - This patch is cherry picked from upstream, so the bug is corrected in following sysstat package versions, only affects iostat commad. - - If the problem was not noticed by a Focal user could be led to - strangeness if this output is used in custom scripts. - - [Other Info] - Fixed upstream in version 12.3.1, commit id:404eee1417dad8abe6ef49ea6e1469fe6cfdddbe - Commit description: iostat: Fix wrong unit used in JSON output - - The values for the amount of data read/written or discarded were always - expressed in blocks/s in the JSON output generated by iostat. It should - take into account the unit (blocks, kB, MB) selected by the user. 
- - Bug on upstream: https://github.com/sysstat/sysstat/issues/264 - - [Original Report] - https://bugs.launchpad.net/ubuntu/+source/sysstat/+bug/1888345/comments/0
https://bugs.launchpad.net/bugs/1885403
Title: posttls-finger fails to connect to private/tlsmgr
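A check that guards against the misreading described in this report, as an added example (not part of the original bug report or of Postfix): it classifies posttls-finger output and succeeds only when a "Verified TLS connection established" line is present. The function names and the abridged sample transcripts are constructed here from the output quoted above; treating any other "TLS connection established" line as unverified is an assumption.

```shell
#!/bin/sh
# Added example: classify posttls-finger output read on stdin.
# Prints verified | tls-unverified | tls-disabled | plaintext;
# the exit status is 0 only for "verified".
classify_finger_output() {
    out=$(cat)
    case $out in
        # Warning from the report: TLS was switched off before connecting.
        *'disabling TLS support'*) echo tls-disabled; return 2 ;;
        # The only line that shows the TLS configuration was actually checked.
        *'Verified TLS connection established'*) echo verified; return 0 ;;
        # Assumption: any other "... TLS connection established" is unverified.
        *'TLS connection established'*) echo tls-unverified; return 1 ;;
        # A clean SMTP dialogue that never negotiated TLS.
        *) echo plaintext; return 1 ;;
    esac
}

# Constructed sample: abridged from the failing run quoted in the report.
sample_downgraded() {
    cat <<'EOF'
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
EOF
}

# Constructed sample: abridged from the run made in /var/spool/postfix.
sample_verified() {
    cat <<'EOF'
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
EOF
}

# Demo on the constructed samples. Against a live server (hypothetical host):
#   posttls-finger mx.example.org 2>&1 | classify_finger_output
printf 'downgraded run: %s\n' "$(sample_downgraded | classify_finger_output)"
printf 'verified run:   %s\n' "$(sample_verified | classify_finger_output)"
```

Both sample runs end with the same `221 2.0.0 Bye`, so a wrapper script that only looks at the final SMTP reply cannot tell them apart.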
