[squeak-dev] Fedora 34 squeak - plugin SSL
stes at telenet.be
Wed Sep 8 17:49:17 UTC 2021
Hello Tobias and Squeak community,
The SqueakSSL module test failure issue for Fedora 34 Linux
indeed probably also affects Debian 11 "Bullseye" and other distros.
In fact I tested SUSE SLES 15 and it seems to have a similar issue (openssl 1.1.1).
I also tested RedHat Enterprise Linux 8.4 with openssl 1.1.1-g and it is similar.
Different UNIXes such as Solaris and OpenIndiana also have the issue
when I select openssl-1.1.1 instead of openssl-1.0.1 there.
The problem also affects "Squeak Classic VM" (subversion) and "OpenSmalltalk"
(cog or stack).
Compiling with --disable-dynamicopenssl doesn't make a difference,
I tested that.
The error remains:
140479940067904:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:301:
and all tests fail.
However after research, it turns out that a lot of OpenSSL software has
this problem. Many packages have been updated / fixed for this.
The SECLEVEL 'crypto policy' of Fedora 34 is 2, which raises the minimum length
for RSA keys from 1024 bit to 2048 bit.
On Fedora 34 the current openssl was meanwhile upgraded from 1.1.1-k
to 1.1.1-l (k to l) and the issue remains the same ...
$ openssl version
OpenSSL 1.1.1l FIPS 24 Aug 2021
When I run the tests I notice a .pem file
$ openssl x509 -in SqueakSSLCert.pem -noout -text | grep 1024
Not Before: Jun 6 14:37:20 2011 GMT
Not After : Jun 5 14:37:20 2012 GMT
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
It has an expired (?why?) key but most importantly a 1024 bit key.
Now I think the policy in Fedora 34 raised this to a minimum of 2048 bit.
So when I try:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout SqueakSSLCert.pem -out SqueakSSLCert.pem
I create a 2048 bit key.
This seems to have some partial effect:
when I run the tests after the above,
13 run in 0:00:00:00.458, 3 passes, 0 expected failures, 10 failures, 0 errors, 0 unexpected passes
SqueakSSLTest (13 tests, 458 ms)
So 3 tests pass and 10 fail.
However I think I should somehow update my Smalltalk image to match the
new .pem file?
Has the Smalltalk image test code for SSL perhaps been updated already
to use a 2048 bit key length, please?