Hi, Craig.

Thanks for the reply. When I issue the command 'snmpwalk --help' on a recent build of bullseye, with out-of-the-box net-snmp, the below line is found in the help:

    -x PROTOCOL set privacy protocol (DES|AES)

Indicates that the AES-192 and AES-256 options are not available, at least in the command line utilities.

Attached please find the patch that I apply prior to building net-snmp in order to enable this functionality. The version in the report is not a valid Debian version because I have "made up" my own version to include this change and differentiate it in my local apt repository from the out-of-the-box version which does not include this change.

After applying the patch and building/installing the package, the below line appears in the output:

    -x PROTOCOL set privacy protocol (DES|AES|AES-192|AES-256)

I am not sure I have made the patch the right way. I may also be missing something. Please let me know if there is anything else I can do to help.

Thanks
Owen Evans

From: Craig Small <csm...@debian.org>
Sent: Monday, October 26, 2020 7:19 PM
To: Evans, Owen <oev...@sciencelogic.com>; 972...@bugs.debian.org
Subject: Re: [Pkg-net-snmp-devel] Bug#972985: snmp: Blumenthal AES encryption should be enabled by default

On Tue, 27 Oct 2020 at 07:42, Owen Evans <mailto:oev...@sciencelogic.com> wrote:

> Package: snmp
> Version: 5.9+dfsg-3-silo

This isn't a valid Debian version.

> Blumenthal AES, in spite of being a 'draft' part of the SNMP Standard, is becoming widely implemented by many vendors. It is the main way to have strong encryption in connection with SNMPv3.
>
> Debian should include the --enable-blumenthal-aes option added around line 53 of debian/rules so that it is used when invoking the ./configure script from the upstream source package.

Are you sure the Debian packages don't already have this enabled?

Also, that flag doesn't exist in 5.9 of net-snmp

    ./configure --enable-blumenthal-aes
    configure: WARNING: unrecognized options: --enable-blumenthal-aes

The draft standard seems to be all about enabling AES, or as the draft states:

    1) Provide a set of new privacy protocols for USM based on the Advanced Encryption Standard.

Output of the build system shows AES is actually there:

    Crypto support from: crypto
    Authentication support: MD5 SHA1 SHA224 SHA256 SHA384 SHA512
    Encryption support: DES AES AES128 AES192 AES192C AES256 AES256C

So I'm a bit confused about what is not enabled and why your configure option works. The --with-openssl and having openssl 0.9.7 or later will do it.

- Craig
silo.patch
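The two pieces of evidence compared in this thread (the `-x PROTOCOL` help line and the configure summary's "Encryption support:" line) can be checked side by side. The script below is an added example, not part of the thread or of net-snmp; the function names are hypothetical and the sample inputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: does a net-snmp build expose AES-192/AES-256 for SNMPv3 privacy?
# Function names are hypothetical; sample inputs are constructed from the thread.

# Print the privacy protocols listed on the "-x PROTOCOL" help line, one per line.
cli_privacy_protocols() {
    sed -n 's/^[[:space:]]*-x PROTOCOL.*(\([^)]*\)).*$/\1/p' | tr '|' '\n'
}

# Print the ciphers from the configure summary's "Encryption support:" line.
build_encryption_support() {
    sed -n 's/^[[:space:]]*Encryption support:[[:space:]]*//p' | tr -s ' ' '\n'
}

# Succeed only if both 192-bit and 256-bit AES are listed (hyphen optional).
# Reads the protocol list, one name per line, from stdin.
has_strong_aes() {
    list=$(cat)
    printf '%s\n' "$list" | grep -Eq '^AES-?192$' &&
    printf '%s\n' "$list" | grep -Eq '^AES-?256$'
}

# Constructed samples mirroring the output quoted in the thread.
STOCK_HELP='  -x PROTOCOL  set privacy protocol (DES|AES)'
PATCHED_HELP='  -x PROTOCOL  set privacy protocol (DES|AES|AES-192|AES-256)'
CONFIGURE_SUMMARY='  Encryption support:  DES AES AES128 AES192 AES192C AES256 AES256C'

# $1 = label; the protocol list arrives on stdin.
report() {
    if has_strong_aes; then
        echo "$1: AES-192 and AES-256 listed"
    else
        echo "$1: AES-192 and/or AES-256 not listed"
    fi
}

printf '%s\n' "$STOCK_HELP"        | cli_privacy_protocols    | report "stock CLI help"
printf '%s\n' "$PATCHED_HELP"      | cli_privacy_protocols    | report "patched CLI help"
printf '%s\n' "$CONFIGURE_SUMMARY" | build_encryption_support | report "configure summary"
```

On a live host, pipe `snmpwalk --help 2>&1` into `cli_privacy_protocols` instead of the sample strings.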