Merge ~adrien/ubuntu/+source/gnutls28:ubuntu/devel into ubuntu/+source/gnutls28:ubuntu/devel

Proposed by Adrien Nader
Status: Merged
Merge reported by: Adrien Nader
Merged at revision: 77bf47603dca0647f4af6ed33171ff748311b642
Proposed branch: ~adrien/ubuntu/+source/gnutls28:ubuntu/devel
Merge into: ubuntu/+source/gnutls28:ubuntu/devel
Diff against target: 32 lines (+11/-0)
3 files modified
debian/changelog (+6/-0)
debian/conf/config (+4/-0)
debian/libgnutls30.install (+1/-0)
Reviewer | Review Type | Date Requested | Status
Sergio Durigan Junior (community) | | | Approve
git-ubuntu import | | | Pending
Review via email: mp+454526@code.launchpad.net

Description of the change

Contrary to what was believed, TLS 1.0 and 1.1 were still enabled in practice. AFAIU, for them to be disabled by default, applications had to not change the default ciphersuite, which pretty much all applications do in practice (especially those that expose a corresponding setting, and therefore also have a default value). This commit disables these two through /etc/gnutls/config and its "overrides" section; this is a recent-ish feature (this probably explains why it wasn't used before).
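As an added illustration (not code from the gnutls project or this package), the small audit helper below parses a file in the /etc/gnutls/config format and reports whether the [overrides] section disables TLS 1.0 and 1.1 system-wide; the sample text is constructed to match the file this proposal ships, and the function names are my own.

```python
"""Audit helper for the GnuTLS system config format: parse the INI-style
file and confirm which protocol versions [overrides] disables. This is an
added example, not part of gnutls or the Ubuntu gnutls28 package."""
from collections import defaultdict

# Constructed sample mirroring the debian/conf/config added by this proposal.
SAMPLE_CONFIG = """\
[overrides]
disabled-version = tls1.0
disabled-version = tls1.1
"""


def parse_gnutls_config(text):
    """Parse INI-style text into {section: {key: [values]}}.

    GnuTLS repeats the same key for multiple entries (one disabled-version
    per line), so every key maps to a list; Python's configparser would
    reject the duplicate keys in strict mode, hence this hand-rolled parser.
    """
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[section][key.strip().lower()].append(value.strip().lower())
    return sections


def disabled_versions(text):
    """Return the set of protocol versions disabled in [overrides]."""
    overrides = parse_gnutls_config(text)["overrides"]
    return set(overrides.get("disabled-version", []))


def legacy_tls_disabled(text, legacy=("tls1.0", "tls1.1")):
    """True only if every legacy version is disabled system-wide."""
    return set(legacy) <= disabled_versions(text)
```

Run it against the real file with `legacy_tls_disabled(open("/etc/gnutls/config").read())` to check a deployed system; a missing or partial [overrides] section yields False.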

Sergio Durigan Junior (sergiodj) wrote :

Thanks, Adrien.

I built and tested your MP. I was a bit concerned about the handling of an existing config file for gnutls, but I think it's fine to rely on dpkg to query the user if there's any conflict when merging the files.

I had to rebase the MP on top of the latest build performed today, and I've also updated the changelog version.

This proposed change has been done according to the upstream documentation: https://www.gnutls.org/manual/html_node/Disabling-algorithms-and-protocols.html

While testing, I used the following command:

# gnutls-cli ubuntu.com --priority SECURE128:-VERS-ALL:+VERS-TLS1.1

A few suggestions:

- I personally prefer to list all modified files in the changelog entry. This makes it easier to search for specific changes later.

- A PPA build with the proposed changes would have been appreciated and makes testing faster.

Uploaded:

$ dput gnutls28_3.8.1-4ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/gnutls/gnutls28_3.8.1-4ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/gnutls/gnutls28_3.8.1-4ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading gnutls28_3.8.1-4ubuntu3.dsc: done.
  Uploading gnutls28_3.8.1-4ubuntu3.debian.tar.xz: done.
  Uploading gnutls28_3.8.1-4ubuntu3_source.buildinfo: done.
  Uploading gnutls28_3.8.1-4ubuntu3_source.changes: done.
Successfully uploaded packages.

review: Approve
Adrien Nader (adrien) wrote :

Thanks Sergio. Noted for the list of modified files. And for the PPA, I had prepared it but forgot to link it here. :/

It contains more than just this gnutls change (openssl and sslcan) but the builds are independent: https://launchpad.net/~adrien-n/+archive/ubuntu/attempting-to-break-everything/+packages (yes, the name is only meant to be humour :) ) ; I had made a small mistake for the version number some time ago and that propagated through the builds for mantic but not for noble.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index ba01722..7b45f2c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+gnutls28 (3.8.1-4ubuntu2) noble; urgency=medium
7+
8+ * Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
9+
10+ -- Adrien Nader <adrien.nader@canonical.com> Mon, 23 Oct 2023 10:48:46 +0200
11+
12 gnutls28 (3.8.1-4ubuntu1) mantic; urgency=medium
13
14 * Merge from Debian unstable. Remaining changes:
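Review bot: the new changelog stanza carries version 3.8.1-4ubuntu2, but what was actually signed and uploaded was gnutls28_3.8.1-4ubuntu3 (see the dput log in the review), so the version line needs to be bumped to match; the entry also names only the effect ("Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config") and not the files touched, whereas the reviewer asked for the modified files (debian/conf/config, debian/libgnutls30.install) to be listed so the change can be found later.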
15diff --git a/debian/conf/config b/debian/conf/config
16new file mode 100644
17index 0000000..447fe0c
18--- /dev/null
19+++ b/debian/conf/config
20@@ -0,0 +1,4 @@
21+[overrides]
22+disabled-version = tls1.0
23+disabled-version = tls1.1
24+
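Review bot: because this file is installed under /etc/gnutls it becomes a dpkg conffile, so a host that already has a locally created /etc/gnutls/config will get a conffile prompt on upgrade (the reviewer raised this and accepted relying on dpkg); that behaviour deserves a sentence in the changelog so administrators know the override is package-managed. The trailing empty `+` line at the end of the new file is harmless but can be dropped. The reviewer's check (`gnutls-cli ubuntu.com --priority SECURE128:-VERS-ALL:+VERS-TLS1.1`) is the right verification for this hunk: with these two disabled-version entries in place, the connection must fail to negotiate TLS 1.1 even though the application's own priority string explicitly requests it, which is exactly the case the description says the old default-only approach missed.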
25diff --git a/debian/libgnutls30.install b/debian/libgnutls30.install
26index 8856fe2..2362556 100644
27--- a/debian/libgnutls30.install
28+++ b/debian/libgnutls30.install
29@@ -1,2 +1,3 @@
30 debian/tmp/usr/lib/*/libgnutls.so.*
31 debian/tmp/usr/share/locale/*
32+debian/conf/config etc/gnutls
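Review bot: `debian/conf/config etc/gnutls` ships the override from the libgnutls30 shared-library package rather than from any one application package, which is what makes the change take effect for every consumer of the library; confirm that /etc/gnutls/config is the system-wide configuration path the library build actually reads (the upstream page linked in the review documents that file), since an override installed at a path the library does not consult would silently leave TLS 1.0 and 1.1 enabled.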

Subscribers

People subscribed via source and target branches