Merge ~adrien/ubuntu/+source/gnutls28:ubuntu/devel into ubuntu/+source/gnutls28:ubuntu/devel
Proposed by Adrien Nader
Status: | Merged |
---|---|
Merge reported by: | Adrien Nader |
Merged at revision: | 77bf47603dca0647f4af6ed33171ff748311b642 |
Proposed branch: | ~adrien/ubuntu/+source/gnutls28:ubuntu/devel |
Merge into: | ubuntu/+source/gnutls28:ubuntu/devel |
Diff against target: | 32 lines (+11/-0), 3 files modified: debian/changelog (+6/-0), debian/conf/config (+4/-0), debian/libgnutls30.install (+1/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Sergio Durigan Junior (community) | Approve | ||
git-ubuntu import | Pending | ||
Review via email: mp+454526@code.launchpad.net
Description of the change
Contrary to what was believed, TLS 1.0 and 1.1 were still enabled in practice. AFAIU, for them to be disabled by default, applications had to not change the default ciphersuite, which pretty much all applications do in practice (especially those that expose a corresponding setting, and therefore also have a default value). This commit disables these two through /etc/gnutls/config and its "overrides" section; this is a recent-ish feature (this probably explains why it wasn't used before).
Thanks, Adrien.
I built and tested your MP. I was a bit concerned about the handling of an existing config file for gnutls, but I think it's fine to rely on dpkg to query the user if there's any conflict when merging the files.
I had to rebase the MP on top of the latest build performed today, and I've also updated the changelog version.
This proposed change has been done according to the upstream documentation: https://www.gnutls.org/manual/html_node/Disabling-algorithms-and-protocols.html
While testing, I used the following command:
# gnutls-cli ubuntu.com --priority SECURE128:-VERS-ALL:+VERS-TLS1.1
A few suggestions:
- I personally prefer to list all modified files in the changelog entry. This makes it easier to search for specific changes later.
- A PPA build with the proposed changes would have been appreciated and makes testing faster.
Uploaded:
$ dput gnutls28_3.8.1-4ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/gnutls/gnutls28_3.8.1-4ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/gnutls/gnutls28_3.8.1-4ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading gnutls28_3.8.1-4ubuntu3.dsc: done.
Uploading gnutls28_3.8.1-4ubuntu3.debian.tar.xz: done.
Uploading gnutls28_3.8.1-4ubuntu3_source.buildinfo: done.
Uploading gnutls28_3.8.1-4ubuntu3_source.changes: done.
Successfully uploaded packages.
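
An added example, not part of the merge proposal or of the package: a shell check that a GnuTLS config file disables TLS 1.0 and 1.1 in its "overrides" section, as the description proposes. The function names and both sample configs are constructed here; the `disabled-version` key is the one from the upstream documentation linked in the review.

```shell
#!/bin/sh
# Added example: audit a GnuTLS system config for the TLS 1.0/1.1 overrides.

# Print every `disabled-version` value found in the [overrides] section.
gnutls_disabled_versions() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[.*\]$/ { in_ovr = ($0 == "[overrides]"); next }
        in_ovr && /^disabled-version[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print tolower($0)
        }
    ' "$1"
}

# Return 0 only if both tls1.0 and tls1.1 are disabled in the given file,
# 1 if either is missing, 2 if the file cannot be read.
legacy_tls_disabled() {
    versions=$(gnutls_disabled_versions "$1") || return 2
    for v in tls1.0 tls1.1; do
        printf '%s\n' "$versions" | grep -qxF "$v" || {
            echo "$1: $v is not disabled in [overrides]" >&2
            return 1
        }
    done
}

# Constructed sample configs (not the package's actual debian/conf/config).
tmp=$(mktemp -d)
printf '[overrides]\ndisabled-version = tls1.0\ndisabled-version = tls1.1\n' \
    > "$tmp/hardened"
# A commented-out override must not count as disabling the version.
printf '[priorities]\nSYSTEM = NORMAL\n\n[overrides]\n# disabled-version = tls1.0\ndisabled-version = tls1.1\n' \
    > "$tmp/partial"

legacy_tls_disabled "$tmp/hardened" && echo "hardened: TLS 1.0 and 1.1 disabled"
legacy_tls_disabled "$tmp/partial"  || echo "partial: legacy TLS still enabled"
```

On an installed system, pass /etc/gnutls/config, the path named in the description, to `legacy_tls_disabled`.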