Bug#923448: stunnel4: autopkgtest fails with new version of openssl: failed to set DH parameters at debian/tests/runtime line 295.

Peter Pentchev roam at ringlet.net
Sat Mar 2 20:47:44 GMT 2019


Control: clone -1 -2
Control: reassign -2 libanyevent-perl
Control: severity -2 normal
Control: retitle -2 AnyEvent::TLS: create 2048-bit DH keys by default
Control: tag -2 + confirmed pending
Control: tag -1 + pending

On Fri, Mar 01, 2019 at 10:27:42PM +0100, gregor herrmann wrote:
> On Fri, 01 Mar 2019 22:16:39 +0100, Sebastian Andrzej Siewior wrote:
> 
> > On 2019-03-01 21:30:04 [+0100], gregor herrmann wrote:
> > > On Fri, 01 Mar 2019 21:18:37 +0100, Sebastian Andrzej Siewior wrote:
> > > 
> > > > The patch attached fixes the issue in libanyevent-perl by setting the
> > > > default DH value to 2048.
> > > There's also a new AnyEvent release but I saw the "INCOMPATIBLE
> > > CHANGE" in the changelog, and I don't think it changes what is
> > > affected here?
> 
> Here a link was missing:
> https://metacpan.org/diff/file?target=MLEHMANN/AnyEvent-7.15/&source=MLEHMANN%2FAnyEvent-7.14
>  
> > stunnel's autopkgtest (and everyone else using that API without using a
> > DH2048+key since now the API rejects smaller values properly).
> 
> Ok.
>  
> > > > Moving forward:
> > > > - apply the patch to libanyevent-perl and be done with it
> > > > - tell the stunnel4 testsuite to use 2048bit DH instead of the default
> > > >   value.
> > > 
> > > Is this an alternative or are both steps needed?
> > 
> > Either/or. The last b release of openssl fixes the return code of one
> > function. Since that change, setting < 2048bit DH key fails (before that
> > it also failed but with a success return value so everyone assumed
> > that it worked).
> > 
> > So either libanyevent-perl changes the default DH key to 2048 (like in
> > the patch attached) _or_ someone comes up with perl foo and makes sure
> > debian/tests/runtime in the block around line 276 - 295 specifies a dh
> > with 2048 bits. My perl foo was enough to narrow it down to that area :)
> > 
> > I *think* that 2048bit DH keys should be default these days and this
> > would avoid errors like that in the future.
> 
> Thanks for the clarification.
> As roam offered to look into the issue earlier today in the bug log,
> I suggest to let him handle the question and fix it either in
> stunnel4 or libanyevent-perl (handy to be involved in both areas :))

Thanks a lot to both of you for the analysis and the discussion!

I've fixed the problem in my Git repository for stunnel4; I shall upload
it in a little while after some more testing.  I'll try to also change
the libanyevent-perl default today.

Thanks again, and keep up the great work!

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
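
An added example, not part of this e-mail and not code from stunnel4, AnyEvent or OpenSSL: a pre-flight check that reads a PKCS#3 `DH PARAMETERS` PEM block and reports whether the prime meets the 2048-bit minimum discussed in the thread, so a test suite or deployment fails early instead of relying on a library return code. The function names are hypothetical and the sample parameters are constructed for the demonstration (the right size, but not real DH primes).

```python
import base64
import re

MIN_DH_BITS = 2048  # minimum size the thread says is now enforced

def _read_len(der, i):
    """Decode the DER length field starting at der[i]; return (length, next_index)."""
    first = der[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:                      # outer SEQUENCE { p, g }
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)
    if der[i] != 0x02:                      # first member: INTEGER p
        raise ValueError("expected INTEGER")
    length, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big").bit_length()

def dh_acceptable(pem, min_bits=MIN_DH_BITS):
    """True only if the parameters meet the minimum size."""
    return dh_prime_bits(pem) >= min_bits

def _tlv(tag, body):
    """Encode one DER tag-length-value (helper for the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_sample(bits):
    """Constructed input: p has the requested size but is NOT a real DH prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    der = _tlv(0x30, _tlv(0x02, p) + _tlv(0x02, b"\x02"))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for bits in (1024, 1536, 2048):
        print(bits, dh_acceptable(constructed_sample(bits)))
```
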