Hello, I'd like to organize a Fedora Test day for the upcoming (in F38-F39) tightening of crypto-policies: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
This one would be slightly unconventional because the change is testable from the existing Fedora 36+ setups and I aim to identify as many workflows it could break as possible, meaning that I'd very much like the users to experiment by trying it on their existing cozy diverse setups riddled with esoteric workflows and not on pristine clean fresh installs.
Broadly speaking, I have three testing strategies to offer:
update-crypto-policies --set TEST-FEDORA39
update-crypto-policies --set FUTURE
I don't have a good pre-set guidance of what exactly to test beyond the very basic suggestions of "update dnf metadata", "connect to VPNs if you use any", "fetch your email" and "try to identify something else you use that relies on cryptography".
My time preference is Central European Time working hours.
Metadata Update from @kparal: - Issue assigned to sumantrom - Issue set to the milestone: Fedora 38 - Issue tagged with: test days
Could it be retargeted to Milestone: Fedora 37?
I misunderstood the description. The test day of course can be run in F37 cycle, well in advance to the actual change. I'll switch the milestones. @sumantrom will respond here and arrange the test day details with you.
Metadata Update from @kparal: - Issue set to the milestone: Fedora 37 (was: Fedora 38)
Hey @asosedkin,
Can you help us with a date? I can go ahead and write test cases and set rest of the bits
Mondays are when I'm available the most. Next Monday? Some other Monday?
so 5th works? I would like to take a stab at the Test Cases. Can you maybe take look at the test cases and then give feedback? If you confirm, I would like to publish the Test Day news on Fedora Magazine/Community Blog
Sep 5th works for me.
Regarding testing, I suppose I'm proposing a rather unconventional test day, as the very low-level thing we disable is isolated and quick to test, (see below), but the goal of the activity is to find the dark corners where it might be used. Thus the request for the users to come with existing daily driver systems so that we can quickly catch existing workflows that the change breaks. Somebody's exotic VPN, somebody's proprietary chat app, somebody's email provider, an office suite, some git workflow... - we don't know that's the real world impact of this small change would be, and we want to find it out.
https://src.fedoraproject.org/rpms/openssl/c/0967bb59532cb1756daf1614c2290e431d85a336?branch=rawhide
$ sudo update-crypto-policies --set DEFAULT Setting system policy to DEFAULT $ openssl genrsa -out key.pem $ openssl genrsa -out key.pem && echo x > infile $ openssl dgst -sha1 -binary -out sha1 infile $ openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 # used to work $ sudo update-crypto-policies --set TEST-FEDORA39 $ openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 # no longer works pkeyutl: Can't set parameter "digest:sha1": C02539BFDF7F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1 $ openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1 # same, used to work, no longer works pkeyutl: Can't set parameter "digest:sha1": C0456280A87F0000:error:1C8000AE:Provider routines:rsa_setup_md:digest not allowed:providers/implementations/signature/rsa_sig.c:311:digest=sha1 $ sudo update-crypto-policies --set DEFAULT Setting system policy to DEFAULT
So, is 5th confirmed? How should I prepare for it?
yes!! + this is getting through to Fedora Magazine as well.
OK, freeing up the entire day.
Please provide more instructions with organizing it. I only have a freeform testcase, I've drafted a wiki page (https://fedoraproject.org/wiki/Test_Day:2022-09-05_StrongCryptoSettings3). I can't add a calendar event (https://apps.fedoraproject.org/calendar/QA is a 404 for me), if anything else is needed from me, please tell me.
https://calendar.fedoraproject.org/meeting/10320/
I have created a test results submission page https://testdays.fedoraproject.org/events/141 but yes, I will refine the page and redirect things to better looking test cases tomorrow
This went ahead with one tester, and the results are in the wiki. Let's close the ticket. Thanks!
Metadata Update from @adamwill: - Issue close_status updated to: Fixed - Issue set to the milestone: None (was: Fedora 37) - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.