Synergy-core: Debian buster no longer supports CA key length of 1024

Created on 30 Sep 2019 · 12 Comments · Source: symless/synergy-core

Operating Systems

Debian Buster

Synergy Version

Up to 1.10.3

Steps to Reproduce

  1. Run synergy with TLS enabled
  2. See an error

Expected: Connection to work
Actual:

[2019-09-29T21:11:45] NOTE: started server, waiting for clients
[2019-09-29T21:11:45] ERROR: secure socket error: could not use tls certificate
[2019-09-29T21:11:45] ERROR: openssl error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

Extra Info

See info here: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1

bug sprint-must

All 12 comments

From memory, you can get around it by editing /etc/ssl/openssl.conf and adding:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

While not ideal, it does get around the issue at hand. It looks like no commits have happened in about a month... disappointing to say the least.

In my MxLinux the file was not /etc/ssl/openssl.conf BUT /etc/ssl/openssl.cnf

And it works.

Thanks a lot for the workaround.

Update: Release 1.11.0-stable incorporates this fix.

A release candidate is available that incorporates a fix for this issue

Download v1.11.0-rc2

If you find any bugs in the release candidate related to this issue please comment here.

The same error on Linux hostname 5.5.0-2-amd64 #1 SMP Debian 5.5.17-1 (2020-04-15) x86_64 GNU/Linux in Debian testing.

I can confirm the same issue on recent Ubuntu 20.04 LTS.

Synergy version: 1.11.1.stable~b58+55ec3105
OS version: Ubuntu 20.04 LTS (5.4.0-26-generic #30-Ubuntu)

@xmstspider : I had to remove $HOME/.synergy to force renegotiation of the TLS certificate, but afterwards it worked. I am also on Ubuntu 20.04 using 1.11.1-stable-55ec3105.

@revprez that has worked for me by deleting then regenerating the keys:

rm ~/.synergy/SSL/Synergy.pem

Thanks for the help! Perhaps an application-level fix/logentry could be added for this key rotation @Jnewbon

application-level fix/logentry could be added for this key rotation @sublimino

Your command is the fix for anyone encountering this problem.

It was decided that synergy would prefer to use existing keys rather than overwrite them automatically. New keys are generated with a better key length that fixes this problem.

Would you like to make a feature request for it? It is something that would be beneficial, maybe even a key length selector in the settings window.

@Jnewbon yes please, the feature request would be to renegotiate keys in case of TLS errors I think. I would also appreciate a key length selector, as I'd have mine set as long as possible — or just to default it to the most secure all clients support.

Where should I raise it?

You can raise it in this issue tracker as an enhancement.

You can generate your own certificate at any key length you like. As synergy doesn't replace the cert, you can replace what synergy made with a 4096-bit key and it should work. (Not tested)
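
A check for the condition this thread describes, as an added example that is not part of the original issue or of the Synergy code base: it reads the key size of a PEM certificate with the openssl CLI and compares it with the minimum RSA size OpenSSL enforces at each security level (Debian buster defaults to level 2, which requires 2048 bits). The function names are hypothetical, and the certificate is assumed to carry an RSA key.

```sh
#!/bin/sh
# Added example (not Synergy code): does a certificate's RSA key meet an
# OpenSSL security level? Function names here are hypothetical.

# Minimum RSA modulus size, in bits, that OpenSSL accepts at each security level.
min_rsa_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) return 2 ;;
    esac
}

# Print the public key size of the first certificate in a PEM file.
# Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_cert FILE [LEVEL]  (LEVEL defaults to 2, the Debian buster default)
# Returns 0 if the key is large enough, 1 if too small, 2 on error.
# Assumption: the certificate carries an RSA key; EC keys use other limits.
check_cert() {
    level="${2:-2}"
    need=$(min_rsa_bits "$level") || { echo "unknown level: $level" >&2; return 2; }
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    if [ "$bits" -lt "$need" ]; then
        echo "$1: $bits-bit key < $need-bit minimum at SECLEVEL=$level"
        return 1
    fi
    echo "$1: $bits-bit key satisfies SECLEVEL=$level"
}

# Stand-alone use: sh thisfile FILE [LEVEL]
if [ "$#" -gt 0 ]; then check_cert "$@"; fi
```

Calling `check_cert ~/.synergy/SSL/Synergy.pem` returns 1 for a certificate that would produce the "ee key too small" error at the default level. In that case regenerating the certificate, as described in the comments above, resolves the error without lowering SECLEVEL for every application on the system.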
