1. 19 May, 2019 1 commit
    • Merge pull request #36 from boxbackup/fix_debian_907135_ssl_key_size_merge · 039c4a12
      Chris Wilson authored
      Debian Linux have recently upgraded to OpenSSL 1.1.1, which has increased the default global security level from 1 to 2. Level 2 does not accept certificates with 1024-bit keys, and certificates signed with the SHA1 algorithm, considering them to be weak and therefore dangerous. It now requires a minimum of 2048-bit keys and SHA256 signatures. (At the time of writing, this change is only in Debian Unstable, but it will eventually make its way into a stable release.)
      
      This has caused the following issues with Box Backup:
      
      * All existing certificates are signed with the SHA1 algorithm, and can no longer be used (by default); and
      * Some tests use 1024-bit certificates which can no longer be used either.
      
      This change implements the workarounds to enable users to continue to use old certificates,
      for the time being, with a warning:
      
      * Ensure that new installations are secure (stronger certificates generated and required);
      * Ensure that existing installations are not broken, even if they are considered "weak";
      * Warn users if their certificates are (or might be) weak;
      * Allow them to disable this warning if required (not recommended);
      * Provide the option to not override the system-wide security level (which may be higher than 2 in future).
      
      It does this by adding the new SSLSecurityLevel configuration option, fixing the supplied scripts to generate stronger SSL certificates from now on, replacing the old certificates used in tests, and adding tests for the issue. If compiled with OpenSSL 1.0, existing behaviour will not change, and the security level cannot be raised. The SSLSecurityLevel option is recognised, but has no effect except to show a warning that it is not supported.
      
      More work could be done on making it easier to regenerate certificates, however some discussion is needed to come up with a plan that works and helps users.
      
      See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.
  2. 18 May, 2019 1 commit
    • Fix Debian bug 907135: weak certificates · 55aacf51
      Chris Wilson authored
      Debian Linux have recently upgraded to OpenSSL 1.1.1, which has increased the
      default global security level from 1 to 2. Level 2 does not accept certificates
      with 1024-bit keys, and certificates signed with the SHA1 algorithm,
      considering them to be weak and therefore dangerous. It now requires a minimum
      of 2048-bit keys and SHA256 signatures. (At the time of writing, this change is
      only in Debian Unstable, but it will eventually make its way into a stable
      release.)
      
      This has caused the following issues with Box Backup:
      
      * All existing certificates are signed with the SHA1 algorithm, and can no longer be used (by default); and
      * Some tests use 1024-bit certificates which can no longer be used either.
      
      This change implements the workarounds to enable users to continue to use old certificates,
      for the time being, with a warning:
      
      * Ensure that new installations are secure (stronger certificates generated and required);
      * Ensure that existing installations are not broken, even if they are considered "weak";
      * Warn users if their certificates are (or might be) weak;
      * Allow them to disable this warning if required (not recommended);
      * Provide the option to not override the system-wide security level (which may be higher than 2 in future).
      
      It does this by adding the new SSLSecurityLevel configuration option, fixing
      the supplied scripts to generate stronger SSL certificates from now on,
      replacing the old certificates used in tests, and adding tests for the issue.
      If compiled with OpenSSL 1.0, existing behaviour will not change, and the
      security level cannot be raised. The SSLSecurityLevel option is recognised, but
      has no effect except to show a warning that it is not supported.
      
      More work could be done on making it easier to regenerate certificates, however
      some discussion is needed to come up with a plan that works and helps users.
      
      See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.
  3. 13 May, 2019 7 commits
  4. 09 May, 2019 1 commit
  5. 11 Feb, 2019 1 commit
  6. 03 Feb, 2019 1 commit
  7. 01 Feb, 2019 2 commits
  8. 14 Jan, 2019 1 commit
  9. 13 Jan, 2019 2 commits
  10. 19 Aug, 2018 1 commit
  11. 18 Aug, 2018 1 commit
  12. 10 Aug, 2018 1 commit
  13. 09 Aug, 2018 1 commit
  14. 08 Aug, 2018 2 commits
  15. 01 Apr, 2018 1 commit
  16. 26 Mar, 2018 1 commit
  17. 13 Mar, 2018 1 commit
    • Merge pull request #26 from boxbackup/fix_raidfile_i386 · 16a11e86
      Chris Wilson authored
      Fix raidfile tests on 32-bit Linux.
      
      A recent fix for Solaris (commit 81e9aa65) broke support for 32-bit Linux (which wasn't spotted at the time, because we didn't have any 32-bit builders). Try a different approach: detect explicitly whether the `lseek` syscall takes a 64-bit integer offset, regardless of the size of `off_t` in user space.
          
      CMake: Add support for M4 CXX flag detection in CMakeLists. Reimplement autoconf tests for 64-bit lseek.
      
      Fix error in t-gdb when no debugger is detected.
      
      Thanks to Reinhard Tartler (our Debian package maintainer) for pointing out the error, and James O'Gorman for setting up i386 builders to ensure that it's fixed and cannot recur.
  18. 12 Mar, 2018 1 commit
  19. 08 Mar, 2018 3 commits
  20. 04 Mar, 2018 1 commit
  21. 03 Mar, 2018 3 commits
  22. 02 Mar, 2018 1 commit
  23. 27 Feb, 2018 1 commit
  24. 25 Feb, 2018 1 commit
  25. 02 Jan, 2018 1 commit
  26. 01 Jan, 2018 2 commits