Bug 7755 - Our GnuTLS is out of date
Summary: Our GnuTLS is out of date
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.14.0
Assignee: Pierre Ossman
URL:
Keywords: prosaic, samuel_tester
Depends on:
Blocks:
 
Reported: 2021-08-27 08:45 CEST by Pierre Ossman
Modified: 2021-09-10 18:32 CEST (History)

See Also:
Acceptance Criteria:


Attachments

Description Pierre Ossman cendio 2021-08-27 08:45:43 CEST
We are currently using GnuTLS 3.6.14, whilst 3.6.16 is the current stable version. We should upgrade it and its dependencies to make sure we have all security and bug fixes.
Comment 1 Pierre Ossman cendio 2021-08-30 16:16:49 CEST
All of GnuTLS' dependencies also need an upgrade, i.e. libtasn1, nettle and gmp.

Most of them are fine, however nettle is causing some headache. It has added support for SHA-NI, i.e. CPU acceleration for SHA hashing. This works fine on every platform except macOS, since our assembler there is too old to know about SHA-NI:

> ...
> sha1-compress.asm:80:no such instruction: `sha1rnds4 $0, %xmm6,%xmm4'
> sha1-compress.asm:81:no such instruction: `sha1msg1 %xmm1, %xmm0'
> sha1-compress.asm:86:no such instruction: `sha1nexte %xmm2, %xmm5'
> ...
> sha256-compress.asm:98:no such instruction: `sha256rnds2 %xmm6, %xmm5'
> sha256-compress.asm:99:no such instruction: `sha256msg1 %xmm2, %xmm1'
> ...

Upgrading it is a pain, since there is no supported assembler for macOS that runs on Linux. So let's see if we can disable this new acceleration.
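The build-system check below is an added example, not code from the bug or from the nettle project: it probes the assembler with the same SHA-NI mnemonics that the quoted errors complain about and, when the probe fails, emits the nettle configure flags that avoid building the accelerated code. The flag names `--disable-fat` and `--disable-x86-sha-ni`, the `AS` environment variable convention and the helper names are assumptions about how such a probe would be wired into a build script.

```shell
#!/bin/sh
# Added example (not from the bug report): probe whether a given assembler
# accepts the SHA-NI instructions that nettle's new sha1/sha256 code uses.
# Returns 0 when the assembler knows them, 1 when it does not (or cannot run).
probe_sha_ni() {
    as_bin="${1:-${AS:-as}}"            # assumption: assembler path from arg or $AS
    tmpdir=$(mktemp -d) || return 1
    # Constructed probe: the instructions the macOS assembler rejected above.
    cat > "$tmpdir/probe.s" <<'EOF'
    .text
    sha1rnds4 $0, %xmm6, %xmm4
    sha1msg1 %xmm1, %xmm0
    sha1nexte %xmm2, %xmm5
    sha256rnds2 %xmm6, %xmm5
    sha256msg1 %xmm2, %xmm1
EOF
    if "$as_bin" -o "$tmpdir/probe.o" "$tmpdir/probe.s" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmpdir"
    return $rc
}

# Map the probe result to extra ./configure flags for nettle.
# Assumption: nettle's fat build assembles every CPU variant regardless of the
# build host, so both the fat build and the SHA-NI variant are switched off
# when the assembler cannot handle SHA-NI; otherwise no extra flags are needed.
nettle_configure_flags() {
    if probe_sha_ni "$1"; then
        printf '%s' ""
    else
        printf '%s' "--disable-fat --disable-x86-sha-ni"
    fi
}

# Stand-alone usage: print the flags for the assembler on this host.
[ "${0##*/}" = "probe-sha-ni.sh" ] && nettle_configure_flags "$AS"
```

The probe is deliberately opaque about why assembly failed (old toolchain, wrong target architecture, missing binary): any failure means the accelerated objects cannot be produced on this host, so the conservative answer is to leave SHA-NI out and let nettle fall back to its portable C implementations.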
Comment 2 Pierre Ossman cendio 2021-08-30 16:47:55 CEST
These CVEs are fixed as of this upgrade:

* CVE-2020-24659: Client can crash server, no real impact in ThinLinc as each connection is an independent process

* CVE-2021-20231, CVE-2021-20232: Only relevant for clients, and we only use GnuTLS for servers
Comment 3 Pierre Ossman cendio 2021-09-01 08:44:02 CEST
Upgraded all packages and tested:

 * Smart card certificates can be read by tlclient
 * Web Access works from:
   - Firefox 91 on Fedora 34
   - Edge 92 on Windows 10
   - Chrome 92 on Windows 10
   - Safari 14 on macOS 11
   - Chrome 92 on Android
   - Safari on iOS 14.7.1

No problems seen so everything seems to be working fine.
Comment 5 Samuel Mannehed cendio 2021-09-10 18:32:26 CEST
I have verified that our jenkins server has updated to these packages:

cendio-build-gnutls-*-3.6.16-1
cendio-build-nettle-*-3.7.3-1
cendio-build-libtasn1-*-4.17.0-1

I then used server build 2268 to test on Ubuntu 20.10:

 * Login to Web Access and basic usage:
   ✓ Epiphany 40.1 on Fedora 34
   ✓ Firefox 90 on Fedora 34
   ✓ Chrome 92 on Fedora 34
   ✓ IE on Windows 10
 * Login to Web Admin and navigating between pages:
   ✓ Epiphany 40.1 on Fedora 34
   ✓ Firefox 90 on Fedora 34
   ✓ Chrome 92 on Fedora 34
   ✓ IE on Windows 10

No errors were seen in tlwebaccess.log and no complaints in the browser consoles.

In tladm.log I saw a DeprecationWarning from Cheetah (unrelated) and one instance of:

> ERROR tlwebadm[52410]: [::ffff:10.47.4.80] Request timed out: timeout('client exceeded maximum timeout')

I could, however, not reproduce the timeout, and since the connection worked fine otherwise I guess it's not worth looking further into.

And client build 2188 to test on Fedora 34:

 ✓ Smart card certificates display properly in tlclient login window when card is inserted
