clone 927435 -1
reassign 927435 unbound
retitle 927435 unbound: Small control keys make it fail to start
severity 927435 important
reassign -1 release-notes
retitle -1 release-notes: Document how to handle OpenSSL's new defaults
thanks
John Eikenberry:
> Package: upgrade-reports
> Severity: normal
>
> After upgrading to buster, unbound-control would fail to run with this error..
>
> error: Error setting up SSL_CTX client cert
> 139765110753216:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
>
> To fix this I had to regenerate the certs and keys by removing the old ones and
> running unbound-control-setup, then restarting unbound. This fixed the issue.
>
> $ cd /etc/unbound/
> $ sudo rm *.key *.pem
> $ sudo unbound-control-setup
> $ sudo systemctl restart unbound
>
> Note that with unbound-control broken, that broke `systemctl reload unbound` as
> it depends on unbound-control.
>
> [...]

Hi John,

Thanks for filing this bug. I have split it into two bugs:

 * One for unbound in case there is something in unbound that needs to change
   (e.g. key generation instructions and/or a NEWS entry to notify upgraders of
   potential issues and how to resolve them)

 * One for the release-notes because the stricter defaults in OpenSSL affect
   multiple programs (I have seen similar issues from e.g. wpa_supplicant). At
   this point, we should probably document the knobs involved[1].

Thanks,
~Niels

[1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding

"""
[system_default_sect]
...
CipherString = DEFAULT@SECLEVEL=2
"""

and changing that SECLEVEL=2 to SECLEVEL=1. Obviously, this has system-wide
effects and reduces the minimum key size for all things that do not set their
own CipherString (e.g. webservers have configuration to do that, and
wpa_supplicant overrides the new default as well, as most WiFi have small keys).
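The following is an added example for this discussion; it is not part of the bug report, of unbound, or of the release notes. It is a POSIX shell script that checks the files John removed (the *.key private keys and *.pem certificates under /etc/unbound, as assumed from his `rm *.key *.pem`) against the RSA minimum that OpenSSL enforces at SECLEVEL=2, which is 2048 bits, and that reads back which SECLEVEL a given openssl.cnf sets in its system-wide CipherString. That lets an upgrader see in advance whether unbound-control-setup must be rerun, and whether lowering the system-wide level is really the knob being turned, instead of discovering it from the "ee key too small" error. It assumes only that the openssl CLI is installed; the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from unbound: audit the key and
# certificate files unbound-control uses against the OpenSSL SECLEVEL=2 minimum,
# and report the SECLEVEL an openssl.cnf sets system-wide.
# Assumes the openssl CLI and, by default, /etc/unbound/*.key (RSA private keys)
# and /etc/unbound/*.pem (certificates), as in the report above.

# SECLEVEL=2 means 112-bit security: OpenSSL rejects RSA keys below 2048 bits.
SECLEVEL2_MIN_RSA_BITS=2048

# Print the RSA modulus size in bits of a PEM private key or certificate.
pem_rsa_bits() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        txt=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text)
    else
        txt=$(openssl pkey -in "$1" -noout -text)
    fi
    # 1.1.x prints "RSA Private-Key: (N bit, ...)", 3.x "Private-Key: (N bit, ...)".
    printf '%s\n' "$txt" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed if an RSA key of the given size is accepted at SECLEVEL=2.
rsa_bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "$SECLEVEL2_MIN_RSA_BITS" ]
}

# Print the SECLEVEL set by a CipherString line in an openssl.cnf
# (default: /etc/ssl/openssl.cnf); print nothing if the file sets none.
system_seclevel() {
    sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-9]\).*/\1/p' \
        "${1:-/etc/ssl/openssl.cnf}" | head -n 1
}

# Report every key/cert under DIR (default /etc/unbound); return 1 if any is
# too small for SECLEVEL=2, i.e. unbound-control-setup has to be rerun.
check_unbound_dir() {
    dir=${1:-/etc/unbound}
    rc=0
    for f in "$dir"/*.key "$dir"/*.pem; do
        [ -f "$f" ] || continue
        bits=$(pem_rsa_bits "$f")
        if rsa_bits_ok "$bits"; then
            printf 'OK   %s (%s bit)\n' "$f" "$bits"
        else
            printf 'WEAK %s (%s bit, need >= %s): rerun unbound-control-setup\n' \
                "$f" "${bits:-?}" "$SECLEVEL2_MIN_RSA_BITS"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check-unbound-keys.sh /etc/unbound
if [ $# -gt 0 ]; then
    lvl=$(system_seclevel)
    printf 'system-wide SECLEVEL in /etc/ssl/openssl.cnf: %s\n' "${lvl:-unset}"
    check_unbound_dir "$1"
fi
```

Run it as root (the private keys are not world-readable) before `systemctl reload unbound` on an upgraded host; a non-zero exit means at least one file would trigger the "ee key too small" failure at SECLEVEL=2. Note that it checks only RSA sizes, which is the part of SECLEVEL=2 that bit unbound-control here; the level also raises the minimum for DH and ECC keys and drops weaker ciphers, so a "WEAK" result is reason to regenerate the keys, and an "OK" result is not a guarantee that some other program's configuration is fine.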