From Fedora Project Wiki


StrongCryptoSettings3 Test Day

Date 2022-09-05
Time 9:00 - 20:00 CEST

Website QA/Test Days
IRC #fedora-test-day (webirc)
Mailing list test


Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

This Test Day will focus on the upcoming (in F38-F39) tightening of crypto-policies: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3

Who's available

The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:

You can chat with us on IRC. See the infobox on top of the page to learn the right IRC channel.

Prerequisite for Test Day

  • Your existing, daily driver Fedora 36+ setup.

This one is slightly unconventional: the change is testable from existing Fedora 36+ setups, and I aim to identify as many workflows it could break as possible. That means I'd very much like users to experiment by trying it on their existing cozy, diverse setups riddled with esoteric workflows, and not on pristine fresh installs.

How to test?

Broadly speaking, I have three testing strategies to offer:

1. Run update-crypto-policies --set TEST-FEDORA39, continue using the system, and note what breaks.

2. Run update-crypto-policies --set FUTURE, for those who get bored and want to discover more problems.

3. Run the https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer tool. It reports fewer issues, but it is the safest, extremely non-invasive approach for spotting a subset of the problematic scenarios, since it only logs SHA-1 signature usage in openssl and does not block it.

I don't have good pre-set guidance on what exactly to test beyond the very basic suggestions of "update dnf metadata", "connect to VPNs if you use any", "fetch your email" and "try to identify something else you use that relies on cryptography". The most walked roads should probably be clear already; it's your imagination and exotic setups that I'm after.


Reporting bugs

All bugs should be reported in Bugzilla, against the component that relies on to-be-deprecated cryptographic operations. It's likely that you'll be unsure about what exactly would break, so let's investigate together on IRC (see instructions above).

After we confirm that it's indeed a bug triggered by the new change (by switching back and forth between policies and ensuring it's not present under DEFAULT), please file a ticket with a title starting with StrongCryptoSettings3: and link to https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2.
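
One way to script the back-and-forth check described above, as an added example that is not part of the original wiki page. It runs one command under DEFAULT and under the stricter policy, restores the policy that was active before, and prints a verdict; the `UCP` and `STRICT` variables and the sample `curl` command are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Test Day page: A/B one command across policies.
# Run as root, e.g.: sh policy-ab.sh curl -sSf https://example.org/  (sample command)
# UCP and STRICT are hypothetical knobs introduced for this example only.
UCP=${UCP:-update-crypto-policies}   # policy tool; overridable for dry runs
STRICT=${STRICT:-TEST-FEDORA39}      # or FUTURE (strategy 2)

# try_under POLICY CMD...: switch to POLICY, then start CMD as a new process so
# it loads the new settings. Leaves pass/fail/error in $result.
try_under() {
    policy=$1; shift
    "$UCP" --set "$policy" >/dev/null 2>&1 || { result=error; return 0; }
    if "$@" >/dev/null 2>&1; then result=pass; else result=fail; fi
}

# classify CMD...: print a verdict for CMD and restore the original policy.
classify() {
    original=$("$UCP" --show) || { echo "cannot read current policy" >&2; return 2; }
    try_under DEFAULT "$@";   base=$result
    try_under "$STRICT" "$@"; strict=$result
    # Put back whatever was active before, including any subpolicies.
    "$UCP" --set "$original" >/dev/null 2>&1 ||
        echo "could not restore $original; reset it by hand" >&2
    case "$base/$strict" in
        pass/pass) echo "no-regression" ;;
        pass/fail) echo "policy-regression" ;;    # works under DEFAULT only: report it
        fail/*)    echo "fails-under-DEFAULT" ;;  # broken regardless of the change
        *)         echo "inconclusive"; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then classify "$@"; fi
```

Crypto policies are applied when an application starts, so this only judges freshly started commands; long-running services need a restart before they reflect the switched policy.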

Test Results

Basic Test

| User | Profile | Basic | References |
| --- | --- | --- | --- |
| remyabel | TEST-FEDORA39 | Pass | No regressions. Things tested: ssh with DynamicPort (tunnelling); tor, including torsocks and tor browser; dnscrypt-proxy with systemd-resolved; jabber with TLS; weechat with TLS and proxy; git (which uses sha1); evolution for mail; openssl s_client; secureboot; Firefox; dnf check, check-update |
| remyabel | TEST-FEDORA39 | Fail | Quite a number of packages fail verification: https://rpa.st/2NSCTPY5UWFC6J56WSOZI7ONHQ |
| remyabel | update-crypto-policies --set TEST-FEDORA39 | Fail | RHBZ #2124349 |