Wizzup | freemangordon: what is the offending version? | 07:12 |
---|---|---|
freemangordon | Wizzup: 1.1.1n-0+deb10u1 | 08:12 |
Wizzup | freemangordon: ok | 09:14 |
freemangordon | building openssl on PP ATM | 09:16 |
freemangordon | will debug that | 09:16 |
Wizzup | ok | 09:20 |
Wizzup | maybe we can just check the changelog? | 09:20 |
Wizzup | is it certs or openssl patches? | 09:20 |
freemangordon | it is openssl, not certs | 09:22 |
freemangordon | I suspect this https://github.com/openssl/openssl/commit/8979ffee95043baffa51887b1d43d9b07f9fae1b | 09:22 |
freemangordon | or this https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_srvr.c#L2572 | 09:23 |
freemangordon | but better debug it | 09:24 |
freemangordon | also, it is weird that we hit the bug on arm only | 09:24 |
Wizzup | right | 09:35 |
freemangordon | Wizzup: here https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_clnt.c#L2340 | 09:53 |
freemangordon | tls1_get_legacy_sigalg (whatever it is) fails | 09:56 |
freemangordon | Wizzup: ssl_get_security_level_bits returns 112 on ARM64 and 80 on amd64 | 13:17 |
freemangordon | Wizzup: on ARM SSL_get_security_level returns 2, on x86 - 1 | 13:21 |
freemangordon | any clue why? | 13:21 |
norayr | very interesting | 13:51 |
freemangordon | it seems the actual bug is in x86 lib, it seems to ignore /etc/ssl/openssl.cnf | 13:53 |
norayr | since we use debian's ssl, didn't anyone notice already that this version causes problems? | 13:55 |
freemangordon | well, it was pushed 2 weeks ago | 13:56 |
freemangordon | also, I am still not sure the problem is in openssl itself | 13:56 |
Wizzup | freemangordon: hrm, we might need to file that with debian | 14:09 |
freemangordon | ok, I am officially confused: fopen("/usr/lib/ssl/openssl.cnf", "rb"); fails with errno==13 in my VM | 14:09 |
Wizzup | eaccess | 14:10 |
freemangordon | yes | 14:10 |
Wizzup | what are the privs of the full path | 14:10 |
freemangordon | but I can cat that file with no issue | 14:10 |
Wizzup | e.g. /usr/lib/ssl | 14:10 |
freemangordon | fine: | 14:10 |
Wizzup | world executable? | 14:10 |
freemangordon | lrwxrwxrwx 1 root root 20 Mar 18 20:41 /usr/lib/ssl/openssl.cnf -> /etc/ssl/openssl.cnf | 14:10 |
Wizzup | what about /etc/ssl/openssl.cnf ? | 14:10 |
freemangordon | -rw-r--r-- 1 root root 11118 Oct 12 2019 /etc/ssl/openssl.cnf | 14:10 |
freemangordon | exactly the same on pinephone | 14:11 |
freemangordon | besides the date | 14:11 |
freemangordon | -rw-r--r-- 1 root root 11118 Aug 24 2021 /etc/ssl/openssl.cnf | 14:11 |
Wizzup | what about /etc/ssl? | 14:11 |
freemangordon | this is pinephone | 14:11 |
Wizzup | the dir | 14:11 |
freemangordon | mhm | 14:12 |
freemangordon | drwxr-xr-x 4 root root 4096 Apr 15 12:29 . | 14:12 |
freemangordon | in VM | 14:12 |
freemangordon | drwxr-xr-x 4 root root 4096 Apr 22 12:00 . | 14:12 |
freemangordon | in PP | 14:12 |
Wizzup | you can also do ls -lshd /etc/ssl fwiw | 14:12 |
Wizzup | ok | 14:13 |
Wizzup | I need to go and get my lost bag (with the n900 serial!) | 14:13 |
Wizzup | bbl | 14:13 |
freemangordon | ok | 14:13 |
freemangordon | PP: 4.0K drwxr-xr-x 4 root root 4.0K Apr 22 12:00 /etc/ssl | 14:13 |
freemangordon | VM: 4.0K drwxr-xr-x 4 root root 4.0K Apr 15 12:29 /etc/ssl | 14:13 |
freemangordon | the same | 14:13 |
freemangordon | maybe FS issue | 14:14 |
Wizzup | seems very weird | 14:14 |
freemangordon | mhm | 14:14 |
freemangordon | this is crazy!!! | 14:19 |
freemangordon | strace: openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied) | 14:56 |
freemangordon | ok, getting even more strange - if I run telepathy-gabble through valgrind on VM, I can recreate the issue | 15:21 |
freemangordon | WTF is going on? | 15:21 |
freemangordon | umm: [ 2258.304349] EXT4-fs error (device sda1): ext4_lookup:1619: inode #303423: comm find: iget: checksum invalid | 15:28 |
freemangordon | ugh: | 15:36 |
freemangordon | audit: type=1400 audit(1650720903.508:17): apparmor="DENIED" operation="open" profile="/usr/lib/telepathy/telepathy-*" name="/etc/ssl/openssl.cnf" pid=3925 comm="telepathy-gabbl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 | 15:36 |
freemangordon | ok, for some reason I have apparmor installed and it prevents access to openssl.cnf | 15:44 |
sixwheeledbeast | aa-logprof ? | 16:04 |
freemangordon | apt-get remove --purge apparmor :) | 16:04 |
norayr | folks, i booted leste on droid, and got info about april update. | 16:07 |
norayr | at the end of the text it recommends to remove old zram configuration | 16:07 |
norayr | with rc-update del zram and then on the same line, rm /etc/init.d/zram | 16:08 |
norayr | So I was wondering (btw now I write from leste's pidgin) should I run those probably on separate lines, and if I do, wouldn't it just remove the service startup script? | 16:23 |
norayr | But wasn't the intention to run the init script? | 16:24 |
norayr | Oh, i mean to run on startup | 16:24 |
norayr | other question is, i noticed that the boot option was mentioned which allows droid to charge. | 16:34 |
norayr | isn't it in boot loader? and that bootloader is separate from leste image. | 16:34 |
norayr | so leste image update won't reveal that option for me right? | 16:34 |
Wizzup | freemangordon: hm, we should look into that problem @ apparmor | 16:35 |
Wizzup | freemangordon: I think we want to support apparmor | 16:35 |
Wizzup | freemangordon: sorry, I should have thought of it being apparmor before | 16:35 |
Wizzup | it's always the MAC once DAC ought to work | 16:35 |
freemangordon | Wizzup: still, now I have 'fixed' my VM to behave like PP I will investigate why ssl upgrade broke it | 18:10 |
* | enyc meows :O | 18:40 |
enyc | I'm wondering if n900 usb get damaged with these bypassing of the micro-usb protection-circuit etc going straight over to the 2 pins under board | 18:41 |
freemangordon | Wizzup: most-probably this https://www.mail-archive.com/openssl-commits@openssl.org/msg33055.html | 19:22 |
freemangordon | https://github.com/openssl/openssl/pull/15818 | 19:22 |
wunderwungiel[m] | Hello | 20:09 |
freemangordon | Wizzup: this is the one https://github.com/openssl/openssl/commit/b0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5 | 20:14 |
freemangordon | but, TBH I am not sure the commit is wrong | 20:15 |
freemangordon | but my openssl-fu is not the best around :) | 20:16 |
freemangordon | ok, so telepathy-gabble (wocky) wants to do tls1.0, which is disabled by policy | 20:34 |
freemangordon | enabling tls1.0 is not a very good idea IMO | 20:34 |
sicelo | enyc: maybe #maemo. I think it can get damaged, yes. That said ... i did exactly that bypass on my old n900 back in 2015 ... still perfectly fine today (only non-working modem, which is unrelated) | 20:38 |
Wizzup | got the n900 serial module back :) | 21:28 |
Wizzup | freemangordon: why does wocky only do 1.0 ? | 21:28 |
Wizzup | freemangordon: I think I fixed this in some other pkgs that I forward ported | 21:35 |
Wizzup | it's a bug to request only 1.0 | 21:35 |
freemangordon | agree | 21:35 |
freemangordon | so I changed it to request 1.2 | 21:35 |
freemangordon | (for 1.3 google presents some strange certificate) | 21:36 |
freemangordon | Wizzup: will push the fix in a minute | 21:36 |
Wizzup | what is strange about it, and yes at least 1.2 is ok, 1.3 would be better | 21:37 |
Wizzup | is it ecc? | 21:37 |
freemangordon | hmm? | 21:37 |
freemangordon | ecc? | 21:37 |
Wizzup | ed25519 or similar elliptic curve crypto | 21:38 |
freemangordon | ah | 21:38 |
freemangordon | no idea | 21:38 |
freemangordon | sec | 21:38 |
freemangordon | Wizzup: https://github.com/maemo-leste-upstream-forks/telepathy-gabble/blob/maemo/beowulf-devel/debian/patches/use-tls-v12.patch | 21:44 |
Wizzup | lgtm, let's look at tls 1.3 eventually though | 21:46 |
freemangordon | the issue with 1.3 is that google serves some unknown certificate | 21:47 |
freemangordon | see this https://marc.info/?l=openjdk-security-dev&m=155009277220921&w=2 | 21:47 |
freemangordon | "00 90 76 89 18 E9 33 93 A0" is the serial | 21:48 |
Wizzup | imho that warrants a google specific workaround | 21:48 |
freemangordon | exactly like in the thread | 21:48 |
freemangordon | well, what is wrong with tls1.2? | 21:48 |
Wizzup | the same as pinning to 1.0 | 21:48 |
Wizzup | better to just use default openssl ctx | 21:48 |
freemangordon | I agree in principle, but don't really want to waste any more time on that now | 21:49 |
Wizzup | sure | 21:49 |
Wizzup | maybe we can make an issue | 21:50 |
freemangordon | better make an issue upstream | 21:50 |
Wizzup | righty | 21:50 |
freemangordon | going afk, night! | 21:51 |
Wizzup | gn | 21:51 |