#707 StrongCryptoSettings3 test day (F38-F39, preview during F37 timeframe)
Opened 2 months ago by asosedkin. Modified a month ago

Hello, I'd like to organize a Fedora Test day for the upcoming (in F38-F39) tightening of crypto-policies: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3

This one would be slightly unconventional because the change is testable from the existing Fedora 36+ setups and I aim to identify as many workflows it could break as possible, meaning that I'd very much like the users to experiment by trying it on their existing cozy diverse setups riddled with esoteric workflows and not on pristine clean fresh installs.

Broadly speaking, I have three testing strategies to offer:

  1. update-crypto-policies --set TEST-FEDORA39, continue using the system and note what breaks
  2. update-crypto-policies --set FUTURE for those who get bored and want to find more problems
  3. Executing the https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer tool, which reports fewer issues but provides the safest, extremely non-invasive approach for spotting a subset of the problematic scenarios, since it only logs and does not block

I don't have a good pre-set guidance of what exactly to test beyond the very basic suggestions of "update dnf metadata", "connect to VPNs if you use any", "fetch your email" and "try to identify something else you use that relies on cryptography".

My time preference is Central European Time working hours.


Metadata Update from @kparal:
- Issue assigned to sumantrom
- Issue set to the milestone: Fedora 38
- Issue tagged with: test days

2 months ago

Could it be retargeted to Milestone: Fedora 37?

I misunderstood the description. The test day of course can be run in the F37 cycle, well in advance of the actual change. I'll switch the milestones. @sumantrom will respond here and arrange the test day details with you.

Metadata Update from @kparal:
- Issue set to the milestone: Fedora 37 (was: Fedora 38)

2 months ago

Hey @asosedkin,

Can you help us with a date? I can go ahead and write test cases and set the rest of the bits.

Mondays are when I'm available the most. Next Monday? Some other Monday?

So the 5th works?
I would like to take a stab at the Test Cases. Can you maybe take a look at the test cases and then give feedback?
If you confirm, I would like to publish the Test Day news on Fedora Magazine/Community Blog.

Sep 5th works for me.

Regarding testing, I suppose I'm proposing a rather unconventional test day, as the very low-level thing we disable is isolated and quick to test (see below), but the goal of the activity is to find the dark corners where it might be used. Thus the request for the users to come with existing daily driver systems so that we can quickly catch existing workflows that the change breaks. Somebody's exotic VPN, somebody's proprietary chat app, somebody's email provider, an office suite, some git workflow... We don't know what the real-world impact of this small change would be, and we want to find it out.


expected behaviour, based on

https://src.fedoraproject.org/rpms/openssl/c/0967bb59532cb1756daf1614c2290e431d85a336?branch=rawhide

$ sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
$ openssl genrsa -out key.pem
$ openssl genrsa -out key.pem && echo x > infile
$ openssl dgst -sha1 -binary -out sha1 infile
$ openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1  # used to work
$ sudo update-crypto-policies --set TEST-FEDORA39
$ openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1  # no longer works
pkeyutl: Can't set parameter "digest:sha1":
C02539BFDF7F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1
$ openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1  # same, used to work, no longer works
pkeyutl: Can't set parameter "digest:sha1":
C0456280A87F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1
$ sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
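
Added example, not part of the original ticket or of any Fedora tooling: a small Python helper a tester could use to pull the `digest not allowed` rejections shown in the session above out of application logs collected while running under TEST-FEDORA39. The function names, the surrounding sample log lines, and the assumption that applications write the OpenSSL error-queue line to their logs unchanged are illustrative.

```python
import re
from collections import Counter

# OpenSSL 3 error-queue line, in the form printed in the session above:
# <thread-id>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"(?P<tid>[0-9A-F]+):error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)"
)

def find_policy_rejections(lines):
    """Return one dict per 'digest not allowed' error found in the log lines."""
    hits = []
    for lineno, text in enumerate(lines, start=1):
        m = ERR_LINE.search(text)
        if not m or m["reason"] != "digest not allowed":
            continue  # not an OpenSSL error line, or an unrelated error
        # Assumption: the data field is key=value detail, as in "digest=sha1".
        data = dict(kv.split("=", 1) for kv in m["data"].split(",") if "=" in kv)
        hits.append({
            "log_line": lineno,
            "function": m["func"],
            "digest": data.get("digest", "unknown").strip(),
            "source": f'{m["file"]}:{m["line"]}',
        })
    return hits

def summarize(hits):
    """Count rejections per (function, digest) pair for a test-day report."""
    return Counter((h["function"], h["digest"]) for h in hits)

# Constructed sample log: the two 'digest not allowed' lines are the ones quoted
# in the session above; every other line is made up for illustration.
SAMPLE_LOG = """\
Sep 05 10:01:12 host app[1234]: starting up
pkeyutl: Can't set parameter "digest:sha1":
C02539BFDF7F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1
Sep 05 10:01:13 host app[1234]: retrying
C0456280A87F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1
C0456280A87F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
""".splitlines()

if __name__ == "__main__":
    for (func, digest), n in summarize(find_policy_rejections(SAMPLE_LOG)).items():
        print(f"{n}x {digest} rejected in {func}")
```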

So, is 5th confirmed? How should I prepare for it?

yes!!
+ this is getting through to Fedora Magazine as well.

OK, freeing up the entire day.

Please provide more instructions with organizing it. I only have a freeform testcase, I've drafted a wiki page (https://fedoraproject.org/wiki/Test_Day:2022-09-05_StrongCryptoSettings3). I can't add a calendar event (https://apps.fedoraproject.org/calendar/QA is a 404 for me). If anything else is needed from me, please tell me.

I have created a test results submission page https://testdays.fedoraproject.org/events/141
but yes, I will refine the page and redirect things to better looking test cases tomorrow
