Infrastructure issue, maybe? I don't think this update has anything to do with that failure.
I'm afraid this liboqs package can only be used with OpenSSL applications for now, as it has an implicit dependency on libcrypto functions:
nm -g /usr/lib/debug/usr/lib64/liboqs.so.0.12.0-0.12.0-1.fc40.x86_64.debug | grep '^[[:space:]]*U '
U __assert_fail@GLIBC_2.2.5
U CRYPTO_free
I guess we could use the native memory allocation functions by removing the defined(OQS_DLOPEN_OPENSSL) condition from the #if's in src/common/common.[ch].
I wouldn't say https://gitlab.com/gnutls/gnutls/-/issues/1515 alone should be treated as a blocker, now that rawhide and F39 are updated to 3.8.2. We can include a fix in another iteration.
This update has been unpushed.
This update fixes the CI issue in GnuTLS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1594
@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:
$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
[...]
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
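A small checker for the blacklist step above, added here as an example (it is not code from the Bodhi comments, from p11-kit or from GnuTLS). It parses the file that `trust dump` writes and that the procedure copies into /etc/pki/ca-trust/source/blacklist/, and reports whether a certificate with a given SHA-256 fingerprint is actually present, so a packager can confirm the right certificate was blacklisted before running gnutls-cli. The file layout it assumes is a `[p11-kit-object-v1]` header, `key: value` attribute lines, then a PEM CERTIFICATE block; the certificate bytes are a constructed placeholder, not the real COMODO certificate.

```python
"""Added example: verify that a .p11-kit blacklist file contains a given certificate.

Assumptions (not taken from the page): each object in a .p11-kit file starts
with a "[p11-kit-object-v1]" header, is followed by "key: value" attribute
lines, and ends with a PEM CERTIFICATE block. FAKE_DER is constructed
placeholder data, not a real X.509 certificate.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

HEADER = "[p11-kit-object-v1]"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_p11kit(text: str) -> List[Dict[str, object]]:
    """Split a .p11-kit file into objects: an attribute dict plus DER bytes (or None)."""
    objects: List[Dict[str, object]] = []
    for chunk in text.split(HEADER)[1:]:
        attrs: Dict[str, str] = {}
        pem_match = PEM_RE.search(chunk)
        # Attribute lines precede the PEM block; everything after it is ignored.
        body = chunk[: pem_match.start()] if pem_match else chunk
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip().strip('"')
        # b64decode drops the line breaks inside the PEM body by default.
        der: Optional[bytes] = base64.b64decode(pem_match.group(1)) if pem_match else None
        objects.append({"attrs": attrs, "der": der})
    return objects


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lower-case hex without colons."""
    return hashlib.sha256(der).hexdigest()


def blacklisted_fingerprints(files: Dict[str, str]) -> Dict[str, str]:
    """Map fingerprint -> label for every certificate object found in the given files."""
    result: Dict[str, str] = {}
    for name, text in files.items():
        for obj in parse_p11kit(text):
            attrs = obj["attrs"]
            if attrs.get("class") != "certificate" or obj["der"] is None:
                continue  # keys, trust assertions etc. are not blacklisted certs
            result[fingerprint_sha256(obj["der"])] = attrs.get("label", name)
    return result


def is_blacklisted(fingerprint: str, files: Dict[str, str]) -> bool:
    """True if a certificate with this SHA-256 fingerprint (hex, colons optional) is present."""
    wanted = fingerprint.lower().replace(":", "")
    return wanted in blacklisted_fingerprints(files)


# Constructed sample data standing in for the output of `trust dump --filter ...`.
FAKE_DER = b"\x30\x82 constructed placeholder - not a real X.509 certificate"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
SAMPLE_BLACKLIST: Dict[str, str] = {
    "comodo-rsa.p11-kit": f"""{HEADER}
label: "COMODO RSA Certification Authority (constructed sample)"
class: certificate
certificate-type: x-509
modifiable: false
{FAKE_PEM}""",
}

if __name__ == "__main__":
    fp = fingerprint_sha256(FAKE_DER)
    print(fp, "blacklisted:", is_blacklisted(fp, SAMPLE_BLACKLIST))
```

On a real system, read every file under /etc/pki/ca-trust/source/blacklist/ into the `files` dict and take the fingerprint to look for from `openssl x509 -in cert.pem -noout -fingerprint -sha256`; remember that `update-ca-trust` still has to run before gnutls-cli sees the change.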
@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross-signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705
I'll try to update the command output later.
Re-added ca-certificates with a versioned dependency on p11-kit.
@cmadams, right, re-added ca-certificates with a versioned dependency on p11-kit. Thanks!
Dropping ca-certificates. See https://bodhi.fedoraproject.org/updates/FEDORA-2020-f7bb54009e#comment-1209227 for the rationale.
@cmadams, yes, that's why this update contains both ca-certificates and p11-kit. @pizzadude, that's interesting; maybe the flatpak runtime needs an updated p11-kit.
Anyway, I will drop ca-certificates from this update for now.
This seems to fix the false-positives we hit on the p11-kit CI: https://travis-ci.org/p11-glue/p11-kit/jobs/633789977#L1534
This update has been unpushed.
Given that the AVC denials are through rtkit, updating only nspr/nss packages shouldn't cause any new denials. So I am dropping firefox for now.
@cmorris afaik crypto-policies needs some update too, but the key format change doesn't affect the connecting scenarios (unless you are using client authentication), because it is only about private keys.