We are currently using GnuTLS 3.6.14, whilst 3.6.16 is the current stable version. We should upgrade it and its dependencies to make sure we have all security and bug fixes.
All of GnuTLS' dependencies also need an upgrade, i.e. libtasn1, nettle and gmp. Most of them are fine; nettle, however, is causing some headache. It has added support for SHA-NI, i.e. CPU acceleration for SHA hashing. This works fine on every platform except macOS, since our assembler there is too old to know about SHA-NI:

> ...
> sha1-compress.asm:80:no such instruction: `sha1rnds4 $0, %xmm6,%xmm4'
> sha1-compress.asm:81:no such instruction: `sha1msg1 %xmm1, %xmm0'
> sha1-compress.asm:86:no such instruction: `sha1nexte %xmm2, %xmm5'
> ...
> sha256-compress.asm:98:no such instruction: `sha256rnds2 %xmm6, %xmm5'
> sha256-compress.asm:99:no such instruction: `sha256msg1 %xmm2, %xmm1'
> ...

Upgrading it is a pain, since there is no supported assembler for macOS that runs on Linux. So let's see if we can disable this new acceleration.
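A quick way to find out in advance whether a given toolchain will choke on nettle's SHA-NI assembly is to feed the assembler exactly the instructions from the errors above and see which ones it rejects. The script below is an added example, not part of this ticket or of nettle's own build system; it assumes a `cc` (gcc or clang) that accepts a `.s` file with `-c`, an x86_64 target, and AT&T syntax as in the error output. It reports `yes` when all probe instructions assemble, `no` (with the rejected mnemonics on stderr) when any of them fail, and `no-assembler` when no compiler driver is found.

```shell
#!/bin/sh
# Added example: probe whether the toolchain's assembler understands the
# SHA-NI instructions used by nettle's sha1-compress/sha256-compress assembly.
# Assumes cc (gcc/clang) with -c on a .s file and an x86_64 target; on any
# other target the probe will simply report "no".

# Prints one of: yes | no | no-assembler. Rejected mnemonics go to stderr.
probe_sha_ni() {
    cc=${CC:-cc}
    if ! command -v "$cc" >/dev/null 2>&1; then
        echo no-assembler
        return 0
    fi

    tmp=$(mktemp -d) || return 1
    result=yes

    # The exact instructions the old macOS assembler failed on (AT&T syntax).
    # sha256rnds2 has an implicit %xmm0 operand in its two-operand form.
    for insn in \
        'sha1rnds4 $0, %xmm6, %xmm4' \
        'sha1msg1 %xmm1, %xmm0' \
        'sha1nexte %xmm2, %xmm5' \
        'sha256rnds2 %xmm6, %xmm5' \
        'sha256msg1 %xmm2, %xmm1'
    do
        # Assemble each instruction on its own so every unsupported one is
        # reported, not just the first.
        printf '\t.text\n\t%s\n' "$insn" > "$tmp/probe.s"
        if ! "$cc" -c "$tmp/probe.s" -o "$tmp/probe.o" >/dev/null 2>&1; then
            echo "assembler rejects: $insn" >&2
            result=no
        fi
    done

    rm -rf "$tmp"
    echo "$result"
}

# Usage: run with the toolchain you intend to build nettle with, e.g.
#   CC=x86_64-apple-darwin-clang ./probe-sha-ni.sh
probe_sha_ni
```

Running this with the same `CC` the build uses tells you before configuring nettle whether the SHA-NI code paths can be assembled at all, which is the decision point for leaving the acceleration on or turning it off.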
These CVEs are fixed as of this upgrade:

* CVE-2020-24659: Client can crash server, no real impact in ThinLinc as each connection is an independent process
* CVE-2021-20231, CVE-2021-20232: Only relevant for clients, and we only use GnuTLS for servers
Upgraded all packages and tested:

* Smart card certificates can be read by tlclient
* Web Access works from:
  - Firefox 91 on Fedora 34
  - Edge 92 on Windows 10
  - Chrome 92 on Windows 10
  - Safari 14 on macOS 11
  - Chrome 92 on Android
  - Safari on iOS 14.7.1

No problems seen, so everything seems to be working fine.
I have verified that our Jenkins server has updated to these packages:

cendio-build-gnutls-*-3.6.16-1
cendio-build-nettle-*-3.7.3-1
cendio-build-libtasn1-*-4.17.0-1

I then used server build 2268 to test on Ubuntu 20.10:

* Login to Web Access and basic usage:
  ✓ Epiphany 40.1 on Fedora 34
  ✓ Firefox 90 on Fedora 34
  ✓ Chrome 92 on Fedora 34
  ✓ IE on Windows 10
* Login to Web Admin and navigating between pages:
  ✓ Epiphany 40.1 on Fedora 34
  ✓ Firefox 90 on Fedora 34
  ✓ Chrome 92 on Fedora 34
  ✓ IE on Windows 10

No errors were seen in tlwebaccess.log and no complaints in the browser consoles. In tladm.log I saw a DeprecationWarning from Cheetah (unrelated) and one instance of:

> ERROR tlwebadm[52410]: [::ffff:10.47.4.80] Request timed out: timeout('client exceeded maximum timeout')

I could however not reproduce the timeout, and since the connection worked fine otherwise I guess it's not worth looking further into.

And client build 2188 to test on Fedora 34:

✓ Smart card certificates display properly in tlclient login window when card is inserted