[squeak-dev] Fedora 34 squeak - plugin SSL

stes@PANDORA.BE stes at telenet.be
Wed Sep 8 17:49:17 UTC 2021



Hello Tobias and Squeak community,

The SqueakSSL module test failure issue for Fedora 34 Linux
indeed probably also affects Debian 11 "Bullseye" and other distros.

In fact I tested SUSE SLES 15 and it seems to have a similar issue (openssl 1.1.1).

I also tested RedHat Enterprise Linux 8.4 with openssl 1.1.1-g and it is similar.

Other UNIX systems such as Solaris and OpenIndiana also have the issue
when I select openssl-1.1.1 instead of openssl-1.0.1 there.

The problem also affects "Squeak Classic VM" (subversion) and "OpenSmalltalk"
(cog or stack).

Compiling with --disable-dynamicopenssl doesn't make a difference,
I tested that.

The error remains:

140479940067904:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:301:

and all tests fail.

However, after research, it turns out that a lot of OpenSSL software has
this problem. Many packages have been updated / fixed for this.

The SECLEVEL 'crypto policy' of Fedora 34 is 2, which raises the minimum length
of 1024 bit for RSA keys to 2048 bit.

On Fedora 34 the current openssl was meanwhile upgraded from 1.1.1-k
to 1.1.1-l (k to l) and the issue remains the same ...

 $ openssl version
 OpenSSL 1.1.1l  FIPS 24 Aug 2021


When I run the tests I notice a .pem file:

$ openssl  x509 -in SqueakSSLCert.pem -noout -text | grep 1024
...
        Validity
            Not Before: Jun  6 14:37:20 2011 GMT
            Not After : Jun  5 14:37:20 2012 GMT
...
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)

It has an expired (?why?) key but most importantly a 1024 bit key.

Now I think the policy in Fedora 34 raised this to a minimum of 2048 bit.

So when I try:

$ openssl req -x509  -nodes -days 365 -newkey rsa:2048 -keyout SqueakSSLCert.pem -out SqueakSSLCert.pem

I create a 2048 bit key.

This seems to have some partial effect:

when I run the tests after the above,


13 run in 0:00:00:00.458, 3 passes, 0 expected failures, 10 failures, 0 errors, 0 unexpected passes
SqueakSSLTest (13 tests, 458 ms)


So 3 tests pass and 10 fail.

However, I think I should somehow update my Smalltalk image to match the
new .pem file?

Has the Smalltalk image test code for SSL perhaps already been updated
to use a 2048 bit key length, please?

Thanks,
David Stes


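Added example, not part of the message above or of the Squeak sources: a small Python check that reads `openssl x509 -noout -text` output and reports whether an RSA certificate is below the key size required at a given OpenSSL security level, and whether it has expired. The sample text is constructed from the fields quoted in the post; the function names are hypothetical, and the size table follows the OpenSSL documentation for SSL_CTX_set_security_level.

```python
import re
from datetime import datetime, timezone

# Minimum RSA modulus size per OpenSSL security level (0 = no restriction).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Constructed sample: the fields quoted in the post for SqueakSSLCert.pem.
SAMPLE_TEXT = """\
        Validity
            Not Before: Jun  6 14:37:20 2011 GMT
            Not After : Jun  5 14:37:20 2012 GMT
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""

def parse_cert_text(text):
    """Extract (RSA key bits, expiry) from `openssl x509 -noout -text` output."""
    if "rsaEncryption" not in text:
        raise ValueError("only RSA certificates are handled here")
    # OpenSSL 1.1.1 prints "RSA Public-Key:", newer releases print "Public-Key:".
    bits = re.search(r"(?:RSA )?Public-Key: \((\d+) bit\)", text)
    not_after = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text)
    if not bits or not not_after:
        raise ValueError("not recognisable x509 -text output")
    expiry = datetime.strptime(not_after.group(1), "%b %d %H:%M:%S %Y")
    return int(bits.group(1)), expiry.replace(tzinfo=timezone.utc)

def max_seclevel(bits):
    """Highest security level that still accepts an RSA key of this size."""
    return max(lvl for lvl, need in MIN_RSA_BITS.items() if bits >= need)

def audit(text, seclevel=2, now=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    bits, expiry = parse_cert_text(text)
    findings = []
    if bits < MIN_RSA_BITS[seclevel]:
        findings.append(
            f"RSA {bits} bit is below the {MIN_RSA_BITS[seclevel]} bit minimum "
            f"at SECLEVEL {seclevel}; usable up to SECLEVEL {max_seclevel(bits)}")
    if expiry < now:
        findings.append(f"certificate expired on {expiry:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TEXT):  # default level 2, as on Fedora 34
        print("FAIL:", finding)
```

To check a real file, pass the output of `openssl x509 -in SqueakSSLCert.pem -noout -text` to `audit()` instead of `SAMPLE_TEXT`.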
