Bug#1100729: systemd-journal-remote does not support TLS due to GnuTLS being disabled

Jarl Gullberg jarl.gullberg at algiz.nu
Mon Mar 17 21:42:24 GMT 2025


Package: systemd-journal-remote
Version: 257.4-3
Severity: normal
X-Debbugs-Cc: jarl.gullberg at algiz.nu

Back in 251.1-1, GnuTLS was replaced with OpenSSL as upstream had begun 
phasing out the use of GnuTLS.
This phase-out is more or less complete, and the only remaining use of 
GnuTLS is in systemd-journal-remote as of systemd 257 (possibly 
earlier). However, systemd-journal-remote still relies on GnuTLS for its 
HTTP/S support and likely will continue to do so for the foreseeable 
future due to its dependence on libmicrohttpd.

As the rest of systemd has transitioned to exclusively using OpenSSL, we 
should be able to reenable GnuTLS for systemd so that 
systemd-journal-remote once again can operate in a secure manner with 
encryption and certificate validation. There are no other components of 
systemd that would be affected by bringing GnuTLS back as a build 
dependency, limiting impact to systemd-journal-remote only.

As it currently stands, systemd-journal-remote is far less useful than 
it could be due to the lack of this core security feature. Untrusted and 
unencrypted log entries moving through a secure system violate many 
non-repudiation requirements and unfortunately makes 
systemd-journal-remote unfit for purpose when operating in HTTP-only mode.

I also noticed that rsyslog was briefly mentioned in the trixie release 
notes as no longer being automatically installed (though that seems to 
have been removed now). Should that still be the case at release, having 
a TLS-enabled systemd-journal-remote would be an appealing alternative.

P.S. please ignore my system information, reporting this via an Ubuntu 
machine and it's not relevant to the bug report.


-- System Information:
Debian Release: trixie/sid
   APT prefers noble-updates
   APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 
'noble'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-55-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd-journal-remote depends on:
ii  libc6               2.39-0ubuntu8.4
ii  libcurl4t64         8.5.0-2ubuntu10.6
ii  libmicrohttpd12t64  1.0.0-2.1ubuntu2
ii  libsystemd-shared   255.4-1ubuntu8.5
ii  systemd             255.4-1ubuntu8.5

systemd-journal-remote recommends no packages.

systemd-journal-remote suggests no packages.
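
Added example, not part of the original report and not Debian's or systemd's own code: a shell check that reads the feature flags printed by `systemd-journal-remote --version` and the receiving unit's ExecStart line, and reports whether the HTTPS listener can work with that build. The sample version text and unit line are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a systemd-journal-remote receiver for the condition in this report:
# a build without GnuTLS cannot serve HTTPS.
# Inputs are passed as text so the check also runs on saved output:
#   $1: output of `systemd-journal-remote --version`
#   $2: ExecStart= command line of the receiving unit

# Succeeds only if the feature list contains the exact token +GNUTLS.
has_gnutls() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- '+GNUTLS'
}

# Prints one of: https-ok, https-unsupported, plaintext, no-listener
audit_journal_remote() {
    version_text=$1
    exec_start=$2
    case $exec_start in
        # Test https first: "--listen-https" also contains "--listen-http".
        *--listen-https*)
            if has_gnutls "$version_text"; then
                echo https-ok
            else
                echo https-unsupported
            fi ;;
        *--listen-http*) echo plaintext ;;
        *) echo no-listener ;;
    esac
}

# Constructed samples (feature lists shortened for the example).
SAMPLE_NO_GNUTLS='systemd 257 (257.4-3)
+PAM +AUDIT -GNUTLS +OPENSSL'
SAMPLE_WITH_GNUTLS='systemd 257 (257.4-3)
+PAM +AUDIT +GNUTLS +OPENSSL'
SAMPLE_HTTPS_UNIT='/usr/lib/systemd/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/'
SAMPLE_HTTP_UNIT='/usr/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/'

audit_journal_remote "$SAMPLE_NO_GNUTLS" "$SAMPLE_HTTPS_UNIT"
```

On a live host, pass the real `--version` output and the unit's ExecStart line in place of the samples. A result of `plaintext` means log entries travel unencrypted and unauthenticated.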


