
gnutls: fix an upstream regression in RSA certificates #311735

Merged: 1 commit, May 15, 2024

Conversation

gador (Member) commented May 14, 2024

Description of changes

The update to 3.8.5 involved adding a feature to conditionally disable RSAES-PKCS1-v1.5 [1]. It was intended to be turned on by default [2], but failed [3].
Therefore it is disabled, which in turn throws a new error: "Fatal error: The encryption algorithm is not supported" (error 113).

This can have severe implications, as for example Let's Encrypt signed RSA certificates aren't trusted anymore.

This commit fetches the upstream patch, which hasn't been included in 3.8.5.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

gador (Member, Author) commented May 14, 2024

Due to the heavy impact:
Reference to #309482 and #303285

Pandapip1 (Contributor) left a comment

The base branch should be staging.

Pandapip1 (Contributor) commented

Otherwise, LGTM.

@gador gador changed the base branch from master to staging May 14, 2024 21:37
@github-actions github-actions bot added 6.topic: python 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` labels May 14, 2024
@gador gador force-pushed the gnutls-fix-rsa branch 2 times, most recently from abd5a1d to 17364f4 Compare May 14, 2024 21:39
@github-actions github-actions bot removed 6.topic: python 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` labels May 14, 2024
The update to 3.8.5 involved adding a feature to conditionally
disable RSAES-PKCS1-v1.5 [1]. It was intended to be turned on
by default [2], but failed [3].
Therefore it is disabled, which in turn throws a new error:
"Fatal error: The encryption algorithm is not supported". (error 113).

This can have severe implications, as for example Let's Encrypt
signed RSA certificates aren't trusted anymore.

This commit fetches the upstream patch, which hasn't been included
in 3.8.5

[1]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828
[2]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828/diffs#cd5a2ba3b145c1bd292e027ef84c618b6b7fb895_267_274
[3]: https://gitlab.com/gnutls/gnutls/-/issues/1540

Signed-off-by: Florian Brandes <[email protected]>
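The mechanism this PR describes, as an added example that is not the PR's own diff: a nixpkgs overlay that applies a fetched upstream patch on top of the gnutls 3.8.5 package using `overrideAttrs` and `fetchpatch`. The patch name, URL and hash are placeholders, since the page does not give the upstream commit id.

```nix
# Added example (not from this PR): overlay applying an upstream GnuTLS patch
# to the packaged 3.8.5 release. Drop it into ~/.config/nixpkgs/overlays/ or
# pass it via `nixpkgs.overlays` in a NixOS configuration.
final: prev: {
  gnutls = prev.gnutls.overrideAttrs (old: {
    # Keep whatever patches nixpkgs already applies and append ours.
    patches = (old.patches or [ ]) ++ [
      (prev.fetchpatch {
        # Placeholder name; the real fix is the upstream commit that makes
        # the RSAES-PKCS1-v1.5 toggle default to enabled.
        name = "gnutls-rsa-pkcs1-v1_5-default.patch";
        # Placeholder: substitute the upstream commit id from gnutls GitLab.
        url = "https://gitlab.com/gnutls/gnutls/-/commit/UPSTREAM_COMMIT_ID.patch";
        # Placeholder: Nix prints the correct sha256 on the first build attempt.
        hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
      })
    ];
  });
}
```

After rebuilding, a handshake with `gnutls-cli` against a host serving a Let's Encrypt RSA certificate should no longer abort with error 113, which is the quickest way to confirm the patched package is the one in use.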
vcunat (Member) commented May 15, 2024

It's a trap that the latest release is still kept on a version with this kind of breakage. But maybe that's why 3.8.5 isn't mentioned on some of the usual places? https://gnutls.org/news.html

@vcunat vcunat changed the base branch from staging to staging-next May 15, 2024 05:47
@vcunat vcunat merged commit cb46783 into NixOS:staging-next May 15, 2024
8 of 9 checks passed
@vcunat vcunat mentioned this pull request May 15, 2024

vcunat (Member) commented May 15, 2024

Thanks a lot. I expedited this fix, as it seems like a relatively big problem and at this moment it most likely won't waste much of rebuild work.

@ofborg ofborg bot added the 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild label May 15, 2024
Labels
0.kind: regression Something that worked before working no longer 0.kind: ZHF Fixes Fixes during the ZHF campaign 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 0 This PR does not cause any packages to rebuild