boxbackup (0.13~git20190527.g039c4a1-1) experimental; urgency=medium

  * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af:
    Fix Debian bug 907135: weak certificates

    Debian Linux has recently upgraded to OpenSSL 1.1.1, which has
    increased the default global security level from 1 to 2. Level 2 does
    not accept certificates with 1024-bit keys, and certificates signed
    with the SHA1 algorithm, considering them to be weak and therefore
    dangerous. It now requires a minimum of 2048-bit keys and SHA256
    signatures. (At the time of writing, this change is only in Debian
    Unstable, but it will eventually make its way into a stable release.)

    This has caused the following issues with Box Backup:

    * All existing certificates are signed with the SHA1 algorithm, and
      can no longer be used (by default); and
    * Some tests use 1024-bit certificates which can no longer be used
      either.

    This change implements the workarounds to enable users to continue to
    use old certificates, for the time being, with a warning:

    * Ensure that new installations are secure (stronger certificates
      generated and required);
    * Ensure that existing installations are not broken, even if they are
      considered "weak";
    * Warn users if their certificates are (or might be) weak;
    * Allow them to disable this warning if required (not recommended);
    * Provide the option to not override the system-wide security level
      (which may be higher than 2 in future).

    It does this by adding the new SSLSecurityLevel configuration option,
    fixing the supplied scripts to generate stronger SSL certificates from
    now on, replacing the old certificates used in tests, and adding tests
    for the issue. If compiled with OpenSSL 1.0, existing behaviour will
    not change, and the security level cannot be raised. The
    SSLSecurityLevel option is recognised, but has no effect except to
    show a warning that it is not supported.

    More work could be done on making it easier to regenerate
    certificates, however some discussion is needed to come up with a plan
    that works and helps users.

    See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates
    for more details.

 -- Reinhard Tartler <siretart@tauware.de>  Mon, 27 May 2019 18:19:12 -0400
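The two level 2 rules the entry above names (RSA keys shorter than 2048 bits, SHA1-signed certificates) turned into an offline audit check, so an administrator can find weak Box Backup certificates before the OpenSSL upgrade breaks them. This is an added example, not code from the Debian package or from upstream Box Backup; the `openssl x509 -noout -text` invocation in `audit_cert_file` is an assumption about the local tooling, and the sample dumps are constructed.

```python
"""Audit a certificate against the OpenSSL 1.1.1 security level 2 rules the
changelog describes: RSA keys shorter than 2048 bits and SHA-1 (or MD5)
signatures are refused.  Stdlib only; it parses the text dump produced by
`openssl x509 -noout -text`, so it can be exercised offline on sample input."""
import re
import subprocess

WEAK_DIGESTS = ("md5", "sha1")  # signature digests level 2 rejects (< 112 bits)
MIN_RSA_BITS = 2048             # minimum RSA key size at level 2

def weak_reasons(cert_text: str) -> list:
    """Return the reasons a certificate would be refused at security level 2.
    An empty list means the certificate passes the checks modelled here."""
    reasons = []
    # The first "Signature Algorithm:" line is the one inside the TBS data.
    sig = re.search(r"Signature Algorithm:\s*(\S+)", cert_text)
    if sig is None:
        reasons.append("no signature algorithm found")
    elif sig.group(1).lower().startswith(WEAK_DIGESTS):
        reasons.append("signature uses weak digest: " + sig.group(1))
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    if bits is None:
        reasons.append("no public key size found")
    elif ("Public Key Algorithm: rsaEncryption" in cert_text
          and int(bits.group(1)) < MIN_RSA_BITS):
        reasons.append("RSA key too short: " + bits.group(1) + " bits")
    return reasons

def audit_cert_file(path: str) -> list:
    """Dump a PEM certificate with the real openssl binary and audit it."""
    dump = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return weak_reasons(dump)

# Constructed sample dumps, trimmed to the relevant lines (not real certs).
OLD_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
NEW_CERT_TEXT = OLD_CERT_TEXT.replace("sha1With", "sha256With").replace("1024", "2048")

if __name__ == "__main__":
    for name, text in (("old", OLD_CERT_TEXT), ("new", NEW_CERT_TEXT)):
        print(name, weak_reasons(text) or "accepted at security level 2")
```

Run it against a server or client certificate with `audit_cert_file("/path/to/cert.pem")`; a non-empty result means the certificate must be regenerated (or SSLSecurityLevel lowered, which the entry discourages).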
boxbackup (0.11~rc2+r2072-1) unstable; urgency=low

  * The upstream parts of this file have been renamed to a new file called
    NEWS.upstream to make the process of updating it easier.

 -- Reinhard Tartler <siretart@tauware.de>  Wed, 01 Apr 2009 10:24:51 +0200

boxbackup (0.10-1) unstable; urgency=low

  * This package has been initially prepared and maintained by Jérôme
    Schell since 2004 in a private repository. I like the software, and
    decided to take it over in order to have it in Debian. Please note
    that I'm actively looking for co-maintainers, so do not hesitate to
    get a copy of my bzr branch and share your commits with me.

    The only major change has been to drop the boxbackup-utils package. It
    contained only one single command to manage certificates. It has been
    moved to the boxbackup-server package.

    The complete debconf integration has been written by Jérôme. It works
    for me quite well. If it doesn't for you, please file a bug and CC
    Jérôme to that bug report. Thanks.

 -- Reinhard Tartler <siretart@tauware.de>  Wed, 25 Apr 2007 18:06:04 +0200