author    Reinhard Tartler <>  2019-05-28 07:27:38 -0400
committer Reinhard Tartler <>  2019-05-30 21:23:09 -0400
commit    9cf4c1ae4800c34cf074d8a8e28a28a144e4c945
parent    aff05088050ad19644557da408318b67acdb4c22

debian/NEWS: add some notes on new upstream revision (debian/0.13__git20190527.g039c4a1-1)
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 2c3e7c25..65ad0d25 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,52 @@
+boxbackup (0.13~~git20190527.g039c4a1-1) experimental; urgency=medium
+ * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af:
+ Fix Debian bug 907135: weak certificates
+ Debian Linux have recently upgraded to OpenSSL 1.1.1, which has
+ increased the default global security level from 1 to 2. Level 2 does
+ not accept certificates with 1024-bit keys, and certificates signed
+ with the SHA1 algorithm, considering them to be weak and therefore
+ dangerous. It now requires a minimum of 2048-bit keys and SHA256
+ signatures. (At the time of writing, this change is only in Debian
+ Unstable, but it will eventually make its way into a stable release.)
+ This has caused the following issues with Box Backup:
+ * All existing certificates are signed with the SHA1 algorithm, and
+ can no longer be used (by default); and
+ * Some tests use 1024-bit certificates which can no longer be used
+ either.
+ This change implements the workarounds to enable users to continue to
+ use old certificates, for the time being, with a warning:
+ * Ensure that new installations are secure (stronger certificates
+ generated and required);
+ * Ensure that existing installations are not broken, even if they are
+ considered "weak";
+ * Warn users if their certificates are (or might be) weak;
+ * Allow them to disable this warning if required (not recommended);
+ * Provide the option to not override the system-wide security level
+ (which may be higher than 2 in future).
+ It does this by adding the new SSLSecurityLevel configuration option,
+ fixing the supplied scripts to generate stronger SSL certificates from
+ now on, replacing the old certificates used in tests, and adding tests
+ for the issue. If compiled with OpenSSL 1.0, existing behaviour will
+ not change, and the security level cannot be raised. The
+ SSLSecurityLevel option is recognised, but has no effect except to
+ show a warning that it is not supported.
+ More work could be done on making it easier to regenerate
+ certificates, however some discussion is needed to come up with a plan
+ that works and helps users.
+ See for more details.
+ -- Reinhard Tartler <> Mon, 27 May 2019 18:19:12 -0400
boxbackup (0.11~rc2+r2072-1) unstable; urgency=low
* The upstream parts of this file have been renamed to a new file called
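Review bot: the closing sentence of the new entry, `+ See for more details.`, has lost its reference (the bug URL or commit link that should follow "See" is missing), so either restore the link, for example to Debian bug 907135 which the entry already names, or drop the sentence. Since debian/NEWS is what apt-listchanges shows administrators on upgrade, the entry would also serve them better if it stated concretely what they will observe and what to do: that the new SSLSecurityLevel option exists in the configuration, what its default is and which values it accepts, and that existing SHA1/1024-bit certificates keep working but trigger a warning until they are regenerated. At the moment the text is mostly the upstream commit message, which explains the rationale well but leaves the operator to discover the option's values from elsewhere.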