~mamarley/openconnect/+git/gitlab-main:temp-force-ci

Last commit made on 2020-10-15
Get this branch:
git clone -b temp-force-ci https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name:
temp-force-ci
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

ddbaf3d... by Dan Lenski

add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

OpenSSL 1.1.0+ removes 3DES and RC4 from the default build: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

There is no way to re-enable without rebuilding from source.

Signed-off-by: Daniel Lenski <email address hidden>

38f377c... by Dan Lenski

re-add socket_wrapper and softhsm support to CentOS8 CI

It appears that a separate Power Tools repository needs to be enabled for `{uid,socket}_wrapper` in CentOS8.
See https://centos.pkgs.org/8/centos-powertools-x86_64/uid_wrapper-1.2.4-4.el8.x86_64.rpm.html and https://serverfault.com/questions/997896/how-to-enable-powertools-repository-in-centos-8

For softhsm, this should work per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_347864560

Signed-off-by: Daniel Lenski <email address hidden>

b4ddf96... by Dan Lenski

add 'obsolete-server-crypto' and 'pfs' tests

These are designed to ensure that we don't inadvertently break compatibility
with legacy/obsolete server crypto, and also that we don't *inadvertently
connect* to less-secure crypto than requested.

May need to override system crypto policy in order for GnuTLS to allow old crypto in CI.
(per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_346497960)

- 'pfs': connect to a server whose only KX is RSA KX [if and only if]
  `--pfs` is [not specified]
- 'obsolete-server-crypto': connect to a server whose only ciphers are 3DES
  and/or RC4 [if and only if] `--allow-insecure-crypto` is specified

Signed-off-by: Daniel Lenski <email address hidden>

35c1bb5... by Dan Lenski

modify tests/common.sh so that launch_simple_sr_server() → test → cleanup() can be used repeatedly in a single script

Signed-off-by: Daniel Lenski <email address hidden>

b3b6f17... by Dan Lenski

with --allow-insecure-crypto, check if it can be enabled by the library and fail if not

Fixes the issue of silent failure both with and without this option.

Getting the ciphers in OpenSSL 1.1.0 is extremely tedious.

Signed-off-by: Daniel Lenski <email address hidden>

3f361b9... by Dan Lenski

Attempt to future-proof --allow-obsolete-crypto

`--allow-obsolete-crypto` should set `%VERIFY_ALLOW_SIGN_WITH_SHA1` as well
(per nmav: https://gitlab.com/openconnect/openconnect/-/merge_requests/114#note_346496796),
and should explicitly re-enable SHA1
(moved to GnuTLS “bad hashes list” in 1d75e116b1681d0e6b140d7530e7f0403088da88)

Signed-off-by: Daniel Lenski <email address hidden>

add281c... by Dan Lenski

rework MR to add --allow-insecure-crypto, and corresponding API functions

Allowing the ancient, broken 3DES and RC4 ciphers is insecure; we do not
want to (re-)enable them by default. (See discussion:
https://gitlab.com/openconnect/openconnect/-/issues/145#note_344687335)

However, some still-in-use VPN servers can't do any better. So instead, we
explicitly disable them, unless explicitly enabled with the
`--allow-insecure-crypto` option, or corresponding API functions.

Signed-off-by: Daniel Lenski <email address hidden>

bbdda89... by Dan Lenski

add 3DES-CBC to default GnuTLS priority string

Closes #145. See discussion for some ideas for how to prevent this from recurring.

Signed-off-by: Daniel Lenski <email address hidden>

a018ad9... by Dan Lenski

Gitlab has CI images for Ubuntu 18.04, so let's include those too.

Signed-off-by: Daniel Lenski <email address hidden>

3a6f129... by Dan Lenski

fix CI

- CentOS8 now has GnuTLS with client random bug fixed (remove XFAIL_TESTS="dtls-psk")
- Fedora 32 needs crypto-policies-scripts package for update-crypto-policies to work
- dtls-psk is frequently failing; add 1-second wait AFTER tunnel interface appears

Signed-off-by: Daniel Lenski <email address hidden>