Diffstat (limited to 'debian/NEWS')
-rw-r--r-- debian/NEWS 49
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 2c3e7c25..65ad0d25 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,52 @@
+boxbackup (0.13~~git20190527.g039c4a1-1) experimental; urgency=medium
+
+ * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af:
+
+ Fix Debian bug 907135: weak certificates
+
+ Debian Linux have recently upgraded to OpenSSL 1.1.1, which has
+ increased the default global security level from 1 to 2. Level 2 does
+ not accept certificates with 1024-bit keys, and certificates signed
+ with the SHA1 algorithm, considering them to be weak and therefore
+ dangerous. It now requires a minimum of 2048-bit keys and SHA256
+ signatures. (At the time of writing, this change is only in Debian
+ Unstable, but it will eventually make its way into a stable release.)
+
+ This has caused the following issues with Box Backup:
+
+ * All existing certificates are signed with the SHA1 algorithm, and
+ can no longer be used (by default); and
+ * Some tests use 1024-bit certificates which can no longer be used
+ either.
+
+ This change implements the workarounds to enable users to continue to
+ use old certificates, for the time being, with a warning:
+
+ * Ensure that new installations are secure (stronger certificates
+ generated and required);
+ * Ensure that existing installations are not broken, even if they are
+ considered "weak";
+ * Warn users if their certificates are (or might be) weak;
+ * Allow them to disable this warning if required (not recommended);
+ * Provide the option to not override the system-wide security level
+ (which may be higher than 2 in future).
+
+ It does this by adding the new SSLSecurityLevel configuration option,
+ fixing the supplied scripts to generate stronger SSL certificates from
+ now on, replacing the old certificates used in tests, and adding tests
+ for the issue. If compiled with OpenSSL 1.0, existing behaviour will
+ not change, and the security level cannot be raised. The
+ SSLSecurityLevel option is recognised, but has no effect except to
+ show a warning that it is not supported.
+
+ More work could be done on making it easier to regenerate
+ certificates, however some discussion is needed to come up with a plan
+ that works and helps users.
+
+ See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.
+
+ -- Reinhard Tartler <siretart@tauware.de> Mon, 27 May 2019 18:19:12 -0400
+
boxbackup (0.11~rc2+r2072-1) unstable; urgency=low
* The upstream parts of this file have been renamed to a new file called