Description of problem:
After the update to crypto-policies-20200813-1.mga7.noarch.rpm, SSL connections went wrong. Nagios could not connect to the NRPE clients; an SSL error comes back. Java SSL connections also no longer work.

Version-Release number of selected component (if applicable):
crypto-policies-20200813-1

How reproducible:
every time

Steps to Reproduce:
1. upgrade to crypto-policies-20200813-1
2. connect to an NRPE client
3. see the SSL error you get

If anyone has this trouble on production servers, immediately go back to the old policies:

wget http://ftp5.gwdg.de/pub/linux/mageia/distrib/7/x86_64/media/core/release/crypto-policies-20170606-2.mga7.noarch.rpm
urpmi --downgrade crypto-policies-20170606-2.mga7.noarch.rpm

Everything is fine again after installation. Edit /etc/urpmi/skip.list and make an entry so that it is not installed again, e.g.:

/^crypto-policies/
CC: (none) => gm2.asp
Hi, thanks for reporting this.

So, you are reporting an SSL bug. Does this use deprecated SSL1 connections which are no longer supported?

When updates were applied, did you perform a system reboot?

Is this related to crypto-policies updates or Nagios or Java rootcerts? Really difficult to address this.

Leaving this in Bugsquad until further information. Cc'd David Walser, Sec Team leader, if he can help us on this.
CC: (none) => luigiwalser
[Collided with Aurelien above...]
Thank you for reporting this, and all the detailed steps to overcome it. Unsure of the need for the 'wget' and specific 'urpmi' given; I think just this should do the trick:
# urpmi --downgrade crypto-policies
which should automatically revert to the previous version 20170606.

Withheld: "Assigning to the registered package maintainer guillomovitch, CC'ing DavidW re the 20200813 update", the last already done.
CC: (none) => lewyssmith
CC: (none) => ouaurelien
(In reply to Aurelien Oudelet from comment #1)
> Hi, thanks reporting this.
>
> So, you are reporting a SSL bug. Does this use deprecated SSL1 connections
> which are no longer supported?
>
> When updates were applied, did you perform a system reboot?

Really? Yes, I rebooted.

> Is this related to crypto-policies updates or Nagios or Java rootcerts?
> Really difficult to address this.

Nagios with NRPE from the Mageia 7 repository and up to date. Look at this bug with the same cause: https://bugs.mageia.org/show_bug.cgi?id=27305#c8

These questions asked of a beginner are not for server administrators. Mageia just keeps getting worse over the years and that's very sad. I'm thinking about a change.
Assignee: bugsquad => guillomovitch
This isn't about Mageia getting worse. This packaging is due to an upstream change by Mozilla in nss that forced us to sync with Fedora's packaging.
(In reply to Dieter Schütze from comment #3)
> Mageia just keeps getting worse over the years and that's very sad.
> i'm thinking about a change

That would not help anybody. We need more packagers; why not join us to help? Curious that we have so few - if any - Germans on board.
https://wiki.mageia.org/en/Ein_Mageia_Paketbauer_werden-de
It is. I wrote how to reproduce this and get stupid questions. Why are you not willing to test this with the nagios and nrpe packages from your stable Mageia 7 repository? And you know exactly that there is a problem with the crypto-policies, see the other bug. And there is no difference if you set the policy to LEGACY with the new policies. Described here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
You get the same errors from the NRPE Mageia 7 clients.

Or I get bad answers to my rspamd bug report for a very old package in the Mageia 7 repository. A version that you had better not use anymore. I waited a long time and then packaged the current version myself.

But in the end, this is the wrong place to discuss this. But don't be surprised if there are fewer people reporting a bug.

B.t.w. don't use Fedora packages untested; there has been a lot of trouble lately.
I don't see any stupid questions being asked in this bug. It's not necessarily bugsquad's job to try to reproduce any and all bugs, especially with software they're not familiar with (that would be more on the maintainer ideally). As for crypto-policies, we don't know for sure that there's a "problem" with it so much as that we are just now starting to use it and we have to learn how to adapt to it. As for rspamd, it may be that it doesn't have an active maintainer. As Lewis just said, we don't have enough packagers and maintainers, so the level of support you get (for free, BTW) varies depending on the package. If you're able to package needed fixes yourself, at least attach the patches to a bug report and hopefully someone will see and commit them. Generally speaking if people's response to there not being enough contributors is to leave rather than contribute, then that's their choice but it will not help. And we didn't "use Fedora packages untested," we were forced, as I said, to sync with their packaging for nss/rootcerts stuff because of Mozilla, and we did test it in Cauldron and Mageia 7 as best we could (plus it has been used for years in this state in other distros). If there really *is* a problem with crypto-policies, it would be better to report it to Fedora (RedHat's bugzilla), as they are the upstream developers of it.
I hope you know what the result is if you report a bug from the Mageia distribution to RedHat. Why should I do this if I use Mageia? You have not tested this with your other packages and the result is a disaster. I think you have no idea which packages are all affected. This is not a problem of Fedora or RedHat. Then I can use Fedora and Mageia is not needed anymore.

And the solution of comment 2 from Lewis is wrong. If I do this, then:
----------------------------------------------------------------------
urpmi --downgrade crypto-policies
Das folgende Paket muss entfernt werden, um die Aktualisierungen durchführen zu können:
crypto-policies-20200813-1.mga7.noarch
 (um crypto-policies-20200813-1.mga7.noarch zu installieren) (j/N) j
http://mirrors.mageia.org/api/mageia.7.x86_64.list: media/core/updates/crypto-policies-20200813-1.mga7.noarch.rpm
crypto-policies-20200813-1.mga7.noarch.rpm von /var/cache/urpmi/rpms wird installiert
Vorbereiten …                    ###############################################################################
      1/1: crypto-policies       ###############################################################################
      1/1: crypto-policies-20200813-1.mga7.noarch wird entfernt ###############################################################################
------------------------------------------------------------------------
The package crypto-policies-20200813-1.mga7.noarch.rpm is replaced with crypto-policies-20200813-1.mga7.noarch.rpm. Wonderful.
For the last point - I stand corrected! As you say, the current version is replaced with itself (I just tried it). This is not normal; doubtless there is a good reason, so your comment 0 has extra value. Thank you.

Otherwise:
(In reply to Dieter Schütze from comment #6)
> Why you are not willing to test this with the nagios and nrpe packages from
> your stable mageia 7 repository.

Because at the individual level we do not have the resources or the time or often the know-how to do that. Not many of us are involved in secure networking, and almost nobody will have the infrastructure & specialised software that users such as yourself deploy. We do try things that are simple to test. No update is released without some testing, but this has to be limited to what individuals can do. Where an update results from a user reported bug, they can & do check it out. Updates for security issues have to be tested 'cold', and are sometimes beyond the means of our volunteers (above) to test comprehensively.

Some bug reports are very helpful, the reporter having discovered for himself the cause and the remedy (or like yourself, a work-around) for a problem. This is helpful to other users who hit the same problem. Thank you again.

> But don't be surprised if there are fewer people reporting a bug

Many people do, for the slightest thing. We like to please our users, and some are grateful for the support they receive.
Dieter, you are as much a member of this community as any one else. Why you are expecting other people to do everything for you, I do not know. You cannot expect the QA team to test with every possible combination of packages out of 10000+ packages in the distribution. As you are a member of this community, you have just as much a responsibility to help QA test things that uniquely affect you as anyone else. I am telling you that we do not develop the crypto-policies software, and the people that have the insight into how it works are not here. The person affected by this issue is you. It is the truth that the best way for you to see that this issue gets resolved is for you to work with the developers directly. If you choose to ignore that, then the consequences are yours to deal with. We are doing the best we can to provide a good experience for our users, but we are ourselves Mageia users, just like you, and there are not enough of us that are contributing. Too many people are expecting too much of too few. You can be a part of the problem or part of the solution.
If you don't have the resources then these are unknown packages. Whether it works or not, nobody knows. But this is dangerous because these are server packages and have to work. So the consequence is, put these packages out of Mageia.

I got Nagios up and running with the new crypto-policies packages but I don't think that this is the right way. I make it a little bit more insecure.

1. install new crypto-policies.
2. set it to LEGACY:
   update-crypto-policies --set LEGACY
3. reboot to use the new symlinks in /etc/crypto-policies/back-ends/
4. edit /etc/crypto-policies/back-ends/openssl.config and replace the entries with the old one:
   kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!SSLv2
   especially take away the @SECLEVEL=1 entry at the beginning of the line.
5. edit /etc/crypto-policies/back-ends/gnutls.config and replace the entries after [priorities] with:
   SYSTEM=NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW
6. edit /etc/crypto-policies/back-ends/java.config and replace the last line with the old one:
   jdk.tls.legacyAlgorithms=3DES_EDE_CBC, RC4_128 : jdk.tls.legacyAlgorithms=
7. reboot once more and have a look if everything is OK.

But ATTENTION: I don't know if anything else goes wrong with that. It is noticeable that there have been some changes that were not previously available, especially in the back-ends folder, and now there is also a policies/module folder for your own changes. If anyone has the time, compare the new with the old and have a look at what goes wrong there.
And yes, it has to do with the protocol of the connection, but I don't know how many Mageia packages need the old way to connect. And if you have customers that need the old way (like me) you have to use the old (insecure) way. If all the packages with the old connections are updated and the customers are more secure, then you can switch back to DEFAULT. We changed only the LEGACY insecure entries.
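As an added example (not from this bug report or from the crypto-policies project), a small audit script that reads the back-end strings the workaround above writes (steps 4 to 6) and reports which relaxations are in place, so an admin can see what has to be reverted before switching back to DEFAULT. The finding texts and the sample inputs are constructed here; the sample strings are abbreviated copies of the ones in the workaround.

```python
# GnuTLS priority markers that weaken the policy, with the reason each is flagged.
GNUTLS_WEAK = {
    "+VERS-TLS1.0": "TLS 1.0 enabled",
    "+VERS-TLS1.1": "TLS 1.1 enabled",
    "+3DES-CBC": "3DES (64-bit block, Sweet32) enabled",
    "+SHA1": "SHA-1 MAC/signatures enabled",
    "%PROFILE_LOW": "low security profile (short keys accepted)",
}

def audit_openssl(cipher_string):
    """Findings for the CipherString written to back-ends/openssl.config."""
    tokens = cipher_string.split(":")
    findings = []
    levels = [t for t in tokens if t.startswith("@SECLEVEL=")]
    if not levels:
        findings.append("no @SECLEVEL: OpenSSL's built-in default level applies")
    elif int(levels[0].split("=", 1)[1]) < 2:
        findings.append(levels[0] + ": below 112-bit security (1024-bit RSA/DH accepted)")
    for excl in ("!aNULL", "!eNULL"):  # anonymous / unencrypted suites must stay excluded
        if excl not in tokens:
            findings.append(excl[1:] + " ciphers not excluded")
    return findings

def audit_gnutls(priority_line):
    """Findings for the SYSTEM= priority string written to back-ends/gnutls.config."""
    tokens = priority_line.partition("=")[2].split(":")
    return [reason for marker, reason in GNUTLS_WEAK.items() if marker in tokens]

def audit_java(config_text):
    """Findings for jdk.tls.legacyAlgorithms in back-ends/java.config."""
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "jdk.tls.legacyAlgorithms" and not value.strip():
            return ["jdk.tls.legacyAlgorithms is empty: 3DES/RC4 no longer downgraded as legacy"]
    return []

# Constructed sample input: abbreviated versions of the strings from steps 4 to 6 above.
SAMPLE_OPENSSL = ("kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!EXP:!DES:!RC4:!RC2:"
                  "!IDEA:!SEED:!eNULL:!aNULL:!MD5:!SSLv2")
SAMPLE_GNUTLS = ("SYSTEM=NONE:+AEAD:+SHA1:+SHA256:+AES-256-GCM:+3DES-CBC:+ECDHE-RSA:"
                 "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-NULL:%PROFILE_LOW")
SAMPLE_JAVA = "# constructed java.config excerpt\njdk.tls.legacyAlgorithms=\n"

if __name__ == "__main__":
    print(audit_openssl(SAMPLE_OPENSSL), audit_gnutls(SAMPLE_GNUTLS), audit_java(SAMPLE_JAVA))
```

On a real host the three functions would be fed the contents of the files under /etc/crypto-policies/back-ends/ instead of the constructed samples.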
OK, David Walser's comment is a cheek. I mostly helped myself here, as not much came from others to my problems. You can check it out for yourself here at the Bugzilla. As a result, I will not report any more errors! So goodbye and have fun with your way of scaring people away.
Well, I'm glad you were able to get it to work. It certainly depends on what you're connecting to as to what protocols/ciphers/etc you need to have enabled. It sounds like your server just needs to be updated. As for your last comment, don't expect to come to us with a sense of entitlement and have people be very willing to go out of their way to help you. We've done as much as we can.
CC: luigiwalser => (none)
(In reply to Lewis Smith from comment #9)
> For the last point - I stand corrected! As you say, the current version is
> replaced with itself (I just tried it). This is not normal; doubtless there
> is a good reason, so your comment 0 has extra value. Thank you.

urpmi --downgrade package
will revert to the newest version in the active sources. This is useful if you have temporarily enabled a testing or backport source in order to install a new version of a package and now want to revert to the official package. It is expected to be the most common use case.

urpmi --downgrade package-version
will revert to the specified version, if it is in an active source. There could be several older versions available in the active sources.
CC: (none) => jim
(In reply to David Walser from comment #13)
> enabled. It sounds like your server just needs to be updated.

This is really nice and I hope everyone can read it.
1. this confirms that David is not reading my bug reports
2. the servers are Mageia 7.1 with all updates.
3. and yes, you are right, Mageia 7.1 has a lot of old packages that need to be updated but nothing happens.
4. you bring updates to packages that come into conflict with your own packages. Old versions were simply dragged along in order not to stand there naked.

Anytime you mention something like that, someone like David is supposed to silence you with untrue terms. Is this the art that Mageia exists? I made the required packages with current versions myself. I just wonder if that's the point of Mageia. I have known Mageia since the root, Mandrake, Mandriva. Something went wrong with Mageia in the last 4 years and nobody seems to mind. Think about why there are too few people in the Mageia community who test and pack packages. Especially packages with applications for servers. That was not always so.
CC: gm2.asp => (none)
CC: lewyssmith => (none)
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

update-crypto-policies --set LEGACY
CC: (none) => j.biernacki
(In reply to Jybz from comment #16)
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/
> html/security_hardening/using-the-system-wide-cryptographic-
> policies_security-hardening
>
> update-crypto-policies --set LEGACY

Yeah, this is possible but leaves the system in an insecure state. This can't be set up for a long time.

We also should document this new behavior regarding these policies. By default, M8 will have policies set to DEFAULT and not to LEGACY.
Whiteboard: (none) => needed to be documented in M8
Security updates should not affect running configurations, or require sysadmins to change settings to keep their system running. That's the whole point of minimising changes, and pushing only bugfixes, not behaviour modifications. This policy change should be reverted IMHO.

BTW, as there have been multiple bugs and threads on the devel mailing-list, we should maybe elect a single discussion point for this issue.
Mageia 7 is EOL since July 1st 2021. There will not be any further bugfixes for this release. You are encouraged to upgrade to Mageia 8 as soon as possible.

@reporter, if this bug still applies with Mageia 8, please let us know.

@packager, if you work on the Mageia 7 version of your package, please check the Mageia 8 package to see if the issue is also present. In this case, please fix the Mageia 8 version instead.

This bug report will be closed OLD if there is no further notice by 1st September 2021.
Hi bug reporter and hi assignee and others involved,

Please reopen this bug report if it is still valid for Mageia 8 or 9 (cauldron), and change "Version:" in the upper left of this report accordingly.

This report is being closed as OLD because it was filed against Mageia 7, for which support ended on June 30th 2021.

Thanks,
Marja
Status: NEW => RESOLVED
Resolution: (none) => OLD
(In reply to Aurelien Oudelet from comment #17)
> We also should document this new behavior regarding these policies.
> By default, M8 will have policies set to default and not to legacy.

FWIW, nothing about this seems to have found its way into either the Errata or the Release Notes for 7 / 8, nor into the wiki at all. I've added https://wiki.mageia.org/en/Mageia_8_Errata#Change_in_defaults_of_system-wide_crypto-policies so that we at least have *something* in the errata.
CC: (none) => doktor5000