
Console View


Chris Wilson
test_bbackupd_config_script: move temp files into testfiles/tmp

This makes it easier to clean up all outputs of the test, making it rerunnable,
by just deleting the entire tmp directory.
Chris Wilson
test/bbackupd: add a test for bbackupd-config and bbstored-config scripts

Test creating new clients and servers, signing their certificates and running a
test backup.

(cherry picked from commit 7ac15a016360fd03eb0d7dddd4c1528069486ab1)
Chris Wilson
SSL securitylevel WIP
Chris Wilson
Configuration: add a variant of GetKeyValueInt that has a default value

This will be used for the new SSLSecurityLevel option.
Chris Wilson
SSL securitylevel WIP
Chris Wilson
SSL securitylevel WIP
Chris Wilson
Test library: make old_failure_count a private variable
Chris Wilson
SSL securitylevel WIP
Chris Wilson
SSL securitylevel WIP
Chris Wilson
BackupStoreCheck: fix failure to compare refcounts of last object ID

Fix test that would randomly detect an extra change to the refcount of an
object, depending if the test broke the object with the highest unused object
ID (which depended on upload order).

Add ability to ignore changes to a specific object ID, and use it to ignore
changes to any newly-created lost+found directory, as these are expected.

(cherry picked from commit b911cb81ba6ee2cb5117947d00e9631420543c14)
(cherry picked from commit b416481815e35a78e9bcb3654c4ae1de4b61c7a6)
Chris Wilson
OpenSSL: detect SSL_CTX_set_security_level and friends

Needed to enable the new SSLSecurityLevel option only when building with a
recent enough OpenSSL that supports it.
Chris Wilson
SSL securitylevel WIP
  • FreeBSD 11.1 amd64 all-branches: cleanup _test failed -  stdio
Chris Wilson
Fix Debian bug 907135: weak certificates

Debian Linux have recently upgraded to OpenSSL 1.1.1, which has increased the
default global security level from 1 to 2. Level 2 does not accept certificates
with 1024-bit keys, and certificates signed with the SHA1 algorithm,
considering them to be weak and therefore dangerous. It now requires a minimum
of 2048-bit keys and SHA256 signatures. (At the time of writing, this change is
only in Debian Unstable, but it will eventually make its way into a stable
release.)

This has caused the following issues with Box Backup:

* All existing certificates are signed with the SHA1 algorithm, and can no longer be used (by default); and
* Some tests use 1024-bit certificates which can no longer be used either.

This change implements the workarounds to enable users to continue to use old certificates,
for the time being, with a warning:

* Ensure that new installations are secure (stronger certificates generated and required);
* Ensure that existing installations are not broken, even if they are considered "weak";
* Warn users if their certificates are (or might be) weak;
* Allow them to disable this warning if required (not recommended);
* Provide the option to not override the system-wide security level (which may be higher than 2 in future).

It does this by adding the new SSLSecurityLevel configuration option, fixing
the supplied scripts to generate stronger SSL certificates from now on,
replacing the old certificates used in tests, and adding tests for the issue.
If compiled with OpenSSL 1.0, existing behaviour will not change, and the
security level cannot be raised. The SSLSecurityLevel option is recognised, but
has no effect except to show a warning that it is not supported.

More work could be done on making it easier to regenerate certificates, however
some discussion is needed to come up with a plan that works and helps users.

See https://www.boxbackup.org/wiki/WeakSSLCertificates for more details.
Chris Wilson
BackupStoreCheck: fix failure to compare refcounts of last object ID

Fix test that would randomly detect an extra change to the refcount of an
object, depending if the test broke the object with the highest unused object
ID (which depended on upload order).

Add ability to ignore changes to a specific object ID, and use it to ignore
changes to any newly-created lost+found directory, as these are expected.

(cherry picked from commit b911cb81ba6ee2cb5117947d00e9631420543c14)
Chris Wilson
Switch PCRE back to an official release

(cherry picked from commit e4d488d1a07bf1db32e96a9526d1fd1ea54f0967)
(cherry picked from commit c3f54004ab6aca059ec259b2b310b0bb3161e191)
(cherry picked from commit 1f87f198b4a8e56eef0b28da4685e1c9084883df)
Chris Wilson
SSL securitylevel WIP
Chris Wilson
ServerTLS: remove erroneous comment, add self-documenting named constant
Chris Wilson
SSL securitylevel WIP
Chris Wilson
ServerStream: handle exceptions without killing server on Windows
Chris Wilson
test/bbackupd: add a test for bbackupd-config and bbstored-config scripts

Test creating new clients and servers, signing their certificates and running a
test backup.

(cherry picked from commit 7ac15a016360fd03eb0d7dddd4c1528069486ab1)
Chris Wilson
Upgrade PCRE to 8.42, and switch to a new official site
Chris Wilson
SSL securitylevel WIP
Chris Wilson
SSL securitylevel WIP
Chris Wilson
test/bbackupd: add a test for bbackupd-config and bbstored-config scripts

Test creating new clients and servers, signing their certificates and running a
test backup.

(cherry picked from commit 7ac15a016360fd03eb0d7dddd4c1528069486ab1)
Chris Wilson
CMake buildsystem: configure files after all variables are known
  • FreeBSD 11.1 amd64 all-branches: cleanup _test failed -  stdio
Chris Wilson
SSL securitylevel WIP
Chris Wilson
test/bbackupd: add a test for bbackupd-config and bbstored-config scripts

Test creating new clients and servers, signing their certificates and running a
test backup.

(cherry picked from commit 7ac15a016360fd03eb0d7dddd4c1528069486ab1)
  • CentOS 7 amd64 all-branches: updating -  stdio
  • SmartOS all-branches: updating -  stdio
  • Ubuntu 16.04 amd64 all-branches: updating -  stdio
Chris Wilson
Fix Debian bug 907135: weak certificates

Debian Linux have recently upgraded to OpenSSL 1.1.1, which has increased the
default global security level from 1 to 2. Level 2 does not accept certificates
with 1024-bit keys, and certificates signed with the SHA1 algorithm,
considering them to be weak and therefore dangerous. It now requires a minimum
of 2048-bit keys and SHA256 signatures. (At the time of writing, this change is
only in Debian Unstable, but it will eventually make its way into a stable
release.)

This has caused the following issues with Box Backup:

* All existing certificates are signed with the SHA1 algorithm, and can no longer be used (by default); and
* Some tests use 1024-bit certificates which can no longer be used either.

This change implements the workarounds to enable users to continue to use old certificates,
for the time being, with a warning:

* Ensure that new installations are secure (stronger certificates generated and required);
* Ensure that existing installations are not broken, even if they are considered "weak";
* Warn users if their certificates are (or might be) weak;
* Allow them to disable this warning if required (not recommended);
* Provide the option to not override the system-wide security level (which may be higher than 2 in future).

It does this by adding the new SSLSecurityLevel configuration option, fixing
the supplied scripts to generate stronger SSL certificates from now on,
replacing the old certificates used in tests, and adding tests for the issue.
If compiled with OpenSSL 1.0, existing behaviour will not change, and the
security level cannot be raised. The SSLSecurityLevel option is recognised, but
has no effect except to show a warning that it is not supported.

More work could be done on making it easier to regenerate certificates, however
some discussion is needed to come up with a plan that works and helps users.

See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.
Chris Wilson
SSL securitylevel WIP
  • SmartOS all-branches: cleanup _test failed -  stdio
Chris Wilson
Move LaunchServer and WaitForServerStartup to lib/server/ServerControl.cpp
Chris Wilson
SSL securitylevel WIP
  • CentOS 6 amd64 all-branches: cleanup _test failed -  stdio
  • Debian Stretch LibSSL 1.0 amd64 all-branches: cleanup _test failed -  stdio
  • Debian Stretch LibSSL 1.0 i386 all-branches: cleanup _test failed -  stdio
  • Ubuntu 16.04 amd64 all-branches: cleanup _test failed -  stdio
  • macOS 10.12 all-branches: cleanup _test failed -  stdio
Chris Wilson
SSL securitylevel WIP
Chris Wilson
SSL securitylevel WIP
Chris Wilson
Test setup: remove removal of files that are no longer created by tests
Chris Wilson
Move LaunchServer and WaitForServerStartup to lib/server/ServerControl.cpp
Chris Wilson
SSL securitylevel WIP
Chris Wilson
SSL securitylevel WIP
  • CentOS 6 amd64 all-branches: cleanup _test failed -  stdio
  • CentOS 7 amd64 all-branches: cleanup _test failed -  stdio
  • Debian Jessie amd64 all-branches: cleanup _test failed -  stdio
  • Debian Stretch LibSSL 1.0 amd64 all-branches: cleanup _test failed -  stdio
  • Debian Stretch LibSSL 1.0 i386 all-branches: cleanup _test failed -  stdio
  • FreeBSD 10.3 amd64 all-branches: updating -  stdio
  • FreeBSD 11.1 amd64 all-branches: cleanup _test failed -  stdio
  • SmartOS all-branches: cleanup _test failed -  stdio
  • Ubuntu 14.04 amd64 all-branches: cleanup _test failed -  stdio
  • Ubuntu 16.04 amd64 all-branches: cleanup _test failed -  stdio
  • macOS 10.12 all-branches: cleanup _test failed -  stdio
Chris Wilson
SocketStreamTLS/TLSContext: improve SSL error messages
Chris Wilson
Merge pull request #36 from boxbackup/fix_debian_907135_ssl_key_size_merge

Debian Linux have recently upgraded to OpenSSL 1.1.1, which has increased the default global security level from 1 to 2. Level 2 does not accept certificates with 1024-bit keys, and certificates signed with the SHA1 algorithm, considering them to be weak and therefore dangerous. It now requires a minimum of 2048-bit keys and SHA256 signatures. (At the time of writing, this change is only in Debian Unstable, but it will eventually make its way into a stable release.)

This has caused the following issues with Box Backup:

* All existing certificates are signed with the SHA1 algorithm, and can no longer be used (by default); and
* Some tests use 1024-bit certificates which can no longer be used either.

This change implements the workarounds to enable users to continue to use old certificates,
for the time being, with a warning:

* Ensure that new installations are secure (stronger certificates generated and required);
* Ensure that existing installations are not broken, even if they are considered "weak";
* Warn users if their certificates are (or might be) weak;
* Allow them to disable this warning if required (not recommended);
* Provide the option to not override the system-wide security level (which may be higher than 2 in future).

It does this by adding the new SSLSecurityLevel configuration option, fixing the supplied scripts to generate stronger SSL certificates from now on, replacing the old certificates used in tests, and adding tests for the issue. If compiled with OpenSSL 1.0, existing behaviour will not change, and the security level cannot be raised. The SSLSecurityLevel option is recognised, but has no effect except to show a warning that it is not supported.

More work could be done on making it easier to regenerate certificates, however some discussion is needed to come up with a plan that works and helps users.

See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.
Chris Wilson
Merge branch 'fix_debian_907135_ssl_key_size' of github.com:boxbackup/boxbackup into fix_debian_907135_ssl_key_size
  • SmartOS all-branches: cleanup _test failed -  stdio