libera/#maemo-leste/ Saturday, 2022-04-23

07:12 <Wizzup> freemangordon: what is the offending version?
08:12 <freemangordon> Wizzup: 1.1.1n-0+deb10u1
09:14 <Wizzup> freemangordon: ok
09:16 <freemangordon> building openssl on PP ATM
09:16 <freemangordon> will debug that
09:20 <Wizzup> ok
09:20 <Wizzup> maybe we can just check the changelog?
09:20 <Wizzup> is it certs or openssl patches?
09:22 <freemangordon> it is openssl, not certs
09:22 <freemangordon> I suspect this https://github.com/openssl/openssl/commit/8979ffee95043baffa51887b1d43d9b07f9fae1b
09:23 <freemangordon> or this https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_srvr.c#L2572
09:24 <freemangordon> but better debug it
09:24 <freemangordon> also, it is weird that we hit the bug on arm only
09:35 <Wizzup> right
09:53 <freemangordon> Wizzup: here https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_clnt.c#L2340
09:56 <freemangordon> tls1_get_legacy_sigalg (whatever it is) fails
13:17 <freemangordon> Wizzup: ssl_get_security_level_bits returns 112 on ARM64 and 80 on amd64
13:21 <freemangordon> Wizzup: on ARM SSL_get_security_level returns 2, on x86 - 1
13:21 <freemangordon> any clue why?
13:51 <norayr> very interesting
13:53 <freemangordon> it seems the actual bug is in x86 lib, it seems to ignore /etc/ssl/openssl.cnf
13:55 <norayr> since we use debian's ssl, didn't anyone notice already that this version causes problems?
13:56 <freemangordon> well, it was pushed 2 weeks ago
13:56 <freemangordon> also, I am still not sure the problem is in openssl itself
14:09 <Wizzup> freemangordon: hrm, we might need to file that with debian
14:09 <freemangordon> ok, I am officially confused: fopen("/usr/lib/ssl/openssl.cnf", "rb"); fails with errno==13 in my VM
14:10 <Wizzup> eaccess
14:10 <freemangordon> yes
14:10 <Wizzup> what are the privs of the full path
14:10 <freemangordon> but I can cat that file with no issue
14:10 <Wizzup> e.g. /usr/lib/ssl
14:10 <freemangordon> fine:
14:10 <Wizzup> world executable?
14:10 <freemangordon> lrwxrwxrwx 1 root root 20 Mar 18 20:41 /usr/lib/ssl/openssl.cnf -> /etc/ssl/openssl.cnf
14:10 <Wizzup> what about /etc/ssl/openssl.cnf ?
14:10 <freemangordon> -rw-r--r-- 1 root root 11118 Oct 12  2019 /etc/ssl/openssl.cnf
14:11 <freemangordon> exactly the same on pinephone
14:11 <freemangordon> besides the date
14:11 <freemangordon> -rw-r--r-- 1 root root 11118 Aug 24  2021 /etc/ssl/openssl.cnf
14:11 <Wizzup> what about /etc/ssl?
14:11 <freemangordon> this is pinephone
14:11 <Wizzup> the dir
14:12 <freemangordon> mhm
14:12 <freemangordon> drwxr-xr-x   4 root root  4096 Apr 15 12:29 .
14:12 <freemangordon> in VM
14:12 <freemangordon> drwxr-xr-x   4 root root  4096 Apr 22 12:00 .
14:12 <freemangordon> in PP
14:12 <Wizzup> you can also do ls -lshd /etc/ssl fwiw
14:13 <Wizzup> ok
14:13 <Wizzup> I need to go and get my lost bag (with the n900 serial!)
14:13 <Wizzup> bbl
14:13 <freemangordon> ok
14:13 <freemangordon> PP: 4.0K drwxr-xr-x 4 root root 4.0K Apr 22 12:00 /etc/ssl
14:13 <freemangordon> VM: 4.0K drwxr-xr-x 4 root root 4.0K Apr 15 12:29 /etc/ssl
14:13 <freemangordon> the same
14:14 <freemangordon> maybe FS issue
14:14 <Wizzup> seems very weird
14:14 <freemangordon> mhm
14:19 <freemangordon> this is crazy!!!
14:56 <freemangordon> strace: openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied)
15:21 <freemangordon> ok, getting even more strange - if I run telepathy-gabble through valgrind on VM, I can recreate the issue
15:21 <freemangordon> WTF is going on?
15:28 <freemangordon> umm: [ 2258.304349] EXT4-fs error (device sda1): ext4_lookup:1619: inode #303423: comm find: iget: checksum invalid
15:36 <freemangordon> ugh:
15:36 <freemangordon> audit: type=1400 audit(1650720903.508:17): apparmor="DENIED" operation="open" profile="/usr/lib/telepathy/telepathy-*" name="/etc/ssl/openssl.cnf" pid=3925 comm="telepathy-gabbl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
15:44 <freemangordon> ok, for some reason I have apparmor installed and it prevents access to openssl.cnf
16:04 <sixwheeledbeast> aa-logprof ?
16:04 <freemangordon> apt-get remove --purge apparmor :)
16:07 <norayr> folks, I booted leste on droid, and got info about the april update.
16:07 <norayr> at the end of the text it recommends to remove the old zram configuration
16:08 <norayr> with rc-update del zram and then on the same line, rm /etc/init.d/zram
16:23 <norayr> So I was wondering (btw now I write from leste's pidgin): should I run those, probably on separate lines, and if I do, wouldn't it just remove the service startup script?
16:24 <norayr> But wasn't the intention to run the init script?
16:24 <norayr> Oh, I mean to run on startup
16:34 <norayr> other question is, I noticed that the boot option was mentioned which allows droid to charge.
16:34 <norayr> isn't it in the boot loader? and that bootloader is separate from the leste image.
16:34 <norayr> so a leste image update won't reveal that option for me, right?
16:35 <Wizzup> freemangordon: hm, we should look into that problem @ apparmor
16:35 <Wizzup> freemangordon: I think we want to support apparmor
16:35 <Wizzup> freemangordon: sorry, I should have thought of it being apparmor before
16:35 <Wizzup> it's always the MAC once DAC ought to work
18:10 <freemangordon> Wizzup: still, now I have 'fixed' my VM to behave like PP I will investigate why the ssl upgrade broke it
18:40 * enyc meows :O
18:41 <enyc> I'm wondering if the n900 usb gets damaged with this bypassing of the micro-usb protection circuit etc, going straight over to the 2 pins under the board
19:22 <freemangordon> Wizzup: most probably this https://www.mail-archive.com/openssl-commits@openssl.org/msg33055.html
19:22 <freemangordon> https://github.com/openssl/openssl/pull/15818
20:09 <wunderwungiel[m]> Hello
20:14 <freemangordon> Wizzup: this is the one https://github.com/openssl/openssl/commit/b0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5
20:15 <freemangordon> but, TBH I am not sure the commit is wrong
20:16 <freemangordon> but my openssl-fu is not the best around :)
20:34 <freemangordon> ok, so telepathy-gabble (wocky) wants to do tls1.0, which is disabled by policy
20:34 <freemangordon> enabling tls1.0 is not a very good idea IMO
20:38 <sicelo> enyc: maybe #maemo. I think it can get damaged, yes. That said ... I did exactly that bypass on my old n900 back in 2015 ... still perfectly fine today (only non-working modem, which is unrelated)
21:28 <Wizzup> got the n900 serial module back :)
21:28 <Wizzup> freemangordon: why does wocky only do 1.0 ?
21:35 <Wizzup> freemangordon: I think I fixed this in some other pkgs that I forward ported
21:35 <Wizzup> it's a bug to request only 1.0
21:35 <freemangordon> agree
21:35 <freemangordon> so I changed it to request 1.2
21:36 <freemangordon> (for 1.3 google presents some strange certificate)
21:36 <freemangordon> Wizzup: will push the fix in a minute
21:37 <Wizzup> what is strange about it, and yes at least 1.2 is ok, 1.3 would be better
21:37 <Wizzup> is it ecc?
21:37 <freemangordon> hmm?
21:37 <freemangordon> ecc?
21:38 <Wizzup> ed25519 or similar elliptic curve crypto
21:38 <freemangordon> ah
21:38 <freemangordon> no idea
21:38 <freemangordon> sec
21:44 <freemangordon> Wizzup: https://github.com/maemo-leste-upstream-forks/telepathy-gabble/blob/maemo/beowulf-devel/debian/patches/use-tls-v12.patch
21:46 <Wizzup> lgtm, let's look at tls 1.3 eventually though
21:47 <freemangordon> the issue with 1.3 is that google serves some unknown certificate
21:47 <freemangordon> see this https://marc.info/?l=openjdk-security-dev&m=155009277220921&w=2
21:48 <freemangordon> "00 90 76 89 18 E9 33 93 A0" is the serial
21:48 <Wizzup> imho that warrants a google specific workaround
21:48 <freemangordon> exactly like in the thread
21:48 <freemangordon> well, what is wrong with tls1.2?
21:48 <Wizzup> the same as pinning to 1.0
21:48 <Wizzup> better to just use the default openssl ctx
21:49 <freemangordon> I agree in principle, but don't really want to waste any more time on that now
21:49 <Wizzup> sure
21:50 <Wizzup> maybe we can make an issue
21:50 <freemangordon> better make an issue upstream
21:50 <Wizzup> righty
21:51 <freemangordon> going afk, night!
21:51 <Wizzup> gn

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!