Bug#733295: gnutls-bin: please compile GnuTLS with DANE support

Cyril Brulebois kibi at debian.org
Wed Apr 8 19:13:38 UTC 2015


Hello people,

Daniel Kahn Gillmor <dkg at fifthhorseman.net> (2015-03-24):
> On Tue 2015-03-24 16:01:20 -0500, Cyril Brulebois wrote:
> > (Background: This issue has just been pointed out to me after a GNUnet
> > conference. At least one developer there is interested in seeing a fix
> > reach the archive.)
> >
> >  1. Not having looked too much at unbound yet, it seems to indeed
> >     support NSS instead of OpenSSL, so one might think about switching
> >     to it to get rid of (possible) OpenSSL license incompatibilities.
> >
> >  2. A softer way might be to build an NSS variant of the unbound library
> >     alongside with the OpenSSL (current/default) one, so that packages
> >     like GnuTLS can pull it instead, and deliver DANE support.
> >
> >  3. Yet another way might be to teach unbound to support GnuTLS in
> >     addition to OpenSSL and NSS, so that one can build a GnuTLS variant
> >     instead of an NSS one.
> >
> > Solution 1 seems harsh and could possibly break rdepends; solution 2
> > seems safer and only a (small?) matter of packaging; solution 3 might
> > involve some bits of coding, and might cause test entanglements in
> > configure.ac.
> >
> > Thoughts? Should I look into patching unbound to support solution 2?
> 
> I think option 2 is the simplest, shortest-path option for now, though
> the idea that installing libgnutls28 brings in libnss3 as a dependency
> seems rather ugly to me.

so I've spent a few moments trying to get stuff to build and see how it
goes. I'm particularly unimpressed with the resulting patches, but they
might at least be useful to someone who would like to try a bit harder
to get stuff into shape, and/or who would like to toy around locally.

The unbound patch introduces an NSS variant of libunbound, which I didn't
try to make co-installable along with the regular one.

The gnutls28 patch enables libdane, which in turn depends on the NSS
variant of libunbound. I'm not sure how much it would take to make this
package optional (so that gnutls28 doesn't pull it and NSS along by
default, yet letting users install it if they so wish).

The end result is error messages while trying to validate the domain
mentioned at the beginning of this bug report (www.nic.cz). At the
moment, besides installing the resulting binary packages, I had to copy
/usr/share/dns/root.key under /etc/unbound/:
| $ danetool --check=www.nic.cz
| Querying DNS for www.nic.cz (tcp:443)...
| [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown code ___f 65
| [... the line above repeated, 67 times in total, timestamps 1428519378 to 1428519379 ...]
| dane_query_tlsa: The DNSSEC signature is invalid.
| Resolving 'www.nic.cz'...
| Obtaining certificate from '2001:1488:0:3::2:443'...

Since I really don't know anything on that topic, and since I'm running
out of free time, I won't be looking more into it, or investigating the
long(er)-term plans which were mentioned by Robert.

Mraw,
KiBi.
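The log above stops at the DNSSEC step: libunbound's NSS backend cannot draw random bytes (PK11_GenerateRandom fails), so the TLSA RRset for www.nic.cz never validates and danetool never reaches the certificate comparison. The block below is an added example, not code from GnuTLS, libunbound or the attached Debian patches. It assumes the TLSA lookup and DNSSEC validation have already succeeded and models the other half of a DANE check: parsing a TLSA record in presentation format, deriving the certificate association data for each selector and matching type of RFC 6698 section 2.1, and matching a validated record against a presented chain according to its usage. It goes a little beyond the www.nic.cz case by covering all four usages. The certificates are minimal constructed DER blobs built in the block itself (zero signature, hypothetical names), not real www.nic.cz certificates; the SPKI extractor is a tiny hand-written DER walker, not the GnuTLS X.509 parser.

```python
"""Offline model of the certificate-matching half of a DANE check (RFC 6698).

Added example; assumes the TLSA RRset has already been DNSSEC-validated.
Sample certificates are constructed here, with zero signatures.
"""
import hashlib
import hmac

# ---- minimal DER: an encoder for the samples, a decoder for the match ----

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_content(tlv: bytes) -> bytes:
    """Return the content octets of a TLV (strip tag and length)."""
    first = tlv[1]
    header = 2 if first < 0x80 else 2 + (first & 0x7F)
    return tlv[header:]

def der_children(content: bytes) -> list:
    """Split the content of a constructed value into (tag, whole-TLV) pairs."""
    out, i = [], 0
    while i < len(content):
        tag, first = content[i], content[i + 1]
        if first < 0x80:
            length, header = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(content[i + 2:i + 2 + nbytes], "big")
            header = 2 + nbytes
        end = i + header + length
        out.append((tag, content[i:end]))
        i = end
    return out

def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 4.1.1)."""
    tbs = der_children(der_content(cert_der))[0][1]
    fields = der_children(der_content(tbs))
    if fields[0][0] == 0xA0:          # explicit [0] version, present in v3 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# ---- TLSA record handling (RFC 6698 section 2.1) ----

def parse_tlsa(presentation: str) -> tuple:
    """'usage selector mtype hex...' as printed by dig or in a zone file."""
    usage, selector, mtype, *data = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))

def tlsa_association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data of one certificate for (selector, mtype)."""
    if selector == 0:                 # Cert: the whole certificate
        target = cert_der
    elif selector == 1:               # SPKI: only the public key
        target = subject_public_key_info(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:                    # Full: no hash
        return target
    if mtype == 1:                    # SHA2-256
        return hashlib.sha256(target).digest()
    if mtype == 2:                    # SHA2-512
        return hashlib.sha512(target).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_presentation(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """The record one would publish for cert_der (what `danetool --tlsa-rr` prints)."""
    return "%d %d %d %s" % (usage, selector, mtype,
                             tlsa_association_data(cert_der, selector, mtype).hex())

def tlsa_matches(cert_der: bytes, usage: int, selector: int, mtype: int, data: bytes) -> bool:
    return hmac.compare_digest(tlsa_association_data(cert_der, selector, mtype), data)

def dane_verify(chain: list, records: list) -> bool:
    """True if any validated TLSA record matches the presented chain.

    Usages 1 (PKIX-EE) and 3 (DANE-EE) name the end-entity certificate,
    chain[0]; usages 0 (PKIX-TA) and 2 (DANE-TA) name a CA that must appear
    among the issuers, chain[1:].  Usages 0 and 1 additionally require a
    normal PKIX validation of the chain, which this model leaves out.
    """
    for usage, selector, mtype, data in records:
        candidates = chain[:1] if usage in (1, 3) else chain[1:]
        if any(tlsa_matches(c, usage, selector, mtype, data) for c in candidates):
            return True
    return False

# ---- constructed sample chain (hypothetical names, not real certificates) ----

def build_sample_cert(subject: bytes, issuer: bytes, key_bytes: bytes) -> bytes:
    """A structurally valid v3 certificate carrying an all-zero signature."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn))))
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"160101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sha256_rsa + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(32)))

LEAF_CERT = build_sample_cert(b"www.example.test", b"Example CA", b"constructed-leaf-key-bytes")
CA_CERT = build_sample_cert(b"Example CA", b"Example CA", b"constructed-ca-key-bytes")
CHAIN = [LEAF_CERT, CA_CERT]

if __name__ == "__main__":
    print(tlsa_presentation(LEAF_CERT, 3, 1, 1))   # the usual DANE-EE / SPKI / SHA-256 record
    print(tlsa_presentation(CA_CERT, 2, 1, 1))     # a DANE-TA record naming the issuing CA
    print(dane_verify(CHAIN, [parse_tlsa(tlsa_presentation(LEAF_CERT, 3, 1, 1))]))
```

The comparison uses hmac.compare_digest rather than == so that a mismatch is reported in constant time, and a full-certificate (matching type 0) record compares the raw DER. Note that only the selector and matching type change what is hashed; the usage only decides which certificate of the chain the record is allowed to name, which is why a "3 1 1" record for the CA key does not match in the model above.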
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound+nss.diff
Type: text/x-diff
Size: 10025 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20150408/c15e9476/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls28+dane.diff
Type: text/x-diff
Size: 2898 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20150408/c15e9476/attachment-0001.diff>