• Bug#1100729: systemd-journal-remote does not support TLS due to GnuTLS

    From Jarl Gullberg@21:1/5 to All on Mon Mar 17 23:00:01 2025
    Package: systemd-journal-remote
    Version: 257.4-3
    Severity: normal
    X-Debbugs-Cc: jarl.gullberg@algiz.nu

    Back in 251.1-1, GnuTLS was replaced with OpenSSL as upstream had begun
    phasing out the use of GnuTLS.
    This phase-out is more or less complete, and the only remaining use of
    GnuTLS is in systemd-journal-remote as of systemd 257 (possibly
    earlier). However, systemd-journal-remote still relies on GnuTLS for its
    HTTP/S support and likely will continue to do so for the foreseeable
    future due to its dependence on libmicrohttpd.

    As the rest of systemd has transitioned to exclusively using OpenSSL, we
    should be able to reenable GnuTLS for systemd so that
    systemd-journal-remote once again can operate in a secure manner with
    encryption and certificate validation. There are no other components of
    systemd that would be affected by bringing GnuTLS back as a build
    dependency, limiting impact to systemd-journal-remote only.

    As it currently stands, systemd-journal-remote is far less useful than
    it could be due to the lack of this core security feature. Untrusted and
    unencrypted log entries moving through a secure system violate many
    non-repudiation requirements and unfortunately make
    systemd-journal-remote unfit for purpose when operating in HTTP-only mode.

    I also noticed that rsyslog was briefly mentioned in the trixie release
    notes as no longer being automatically installed (though that seems to
    have been removed now). Should that still be the case at release, having
    a TLS-enabled systemd-journal-remote would be an appealing alternative.

    P.S. please ignore my system information, reporting this via an Ubuntu
    machine and it's not relevant to the bug report.


    -- System Information:
    Debian Release: trixie/sid
    APT prefers noble-updates
    APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500,
    'noble'), (100, 'noble-backports')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.8.0-55-generic (SMP w/4 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
    LANGUAGE=en_US
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)

    Versions of packages systemd-journal-remote depends on:
    ii libc6 2.39-0ubuntu8.4
    ii libcurl4t64 8.5.0-2ubuntu10.6
    ii libmicrohttpd12t64 1.0.0-2.1ubuntu2
    ii libsystemd-shared 255.4-1ubuntu8.5
    ii systemd 255.4-1ubuntu8.5

    systemd-journal-remote recommends no packages.

    systemd-journal-remote suggests no packages.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Luca Boccassi@21:1/5 to jarl.gullberg@algiz.nu on Mon Mar 17 23:10:02 2025
    Control: tags -1 wontfix
    Control: close -1

    On Mon, 17 Mar 2025 22:42:24 +0100 Jarl Gullberg
    <jarl.gullberg@algiz.nu> wrote:

    > Package: systemd-journal-remote
    > Version: 257.4-3
    > Severity: normal
    > X-Debbugs-Cc: jarl.gullberg@algiz.nu
    >
    > Back in 251.1-1, GnuTLS was replaced with OpenSSL as upstream had begun
    > phasing out the use of GnuTLS.
    > This phase-out is more or less complete, and the only remaining use of
    > GnuTLS is in systemd-journal-remote as of systemd 257 (possibly
    > earlier). However, systemd-journal-remote still relies on GnuTLS for its
    > HTTP/S support and likely will continue to do so for the foreseeable
    > future due to its dependence on libmicrohttpd.

    Sorry but we don't want to pull in multiple SSL stacks. The best thing
    to do if you are interested in this functionality would be to replace
    the use of microhttpd with something else that uses OpenSSL, upstream.

  • From Jarl Gullberg@21:1/5 to bluca@debian.org on Tue Mar 18 01:10:01 2025
    On Mon, 17 Mar 2025 22:07:13 +0000 Luca Boccassi <bluca@debian.org> wrote:

    > Sorry but we don't want to pull in multiple SSL stacks. The best thing
    > to do if you are interested in this functionality would be to replace
    > the use of microhttpd with something else that uses OpenSSL, upstream.

    I completely understand the reasoning for that, and I ultimately agree
    that we shouldn't be using multiple SSL stacks if we can avoid it.

    However, we're already pulling in both OpenSSL and GnuTLS through a
    transitive dependency because libmicrohttpd links with it. The only
    difference, package-wise, would be that systemd-journal-remote gains an
    explicit dependency on it and uses the available functionality.

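The disagreement above turns on a checkable fact: whether a TLS library is a direct dependency of the systemd-journal-remote binary (listed in its DT_NEEDED entries) or only reaches the process transitively through another library such as libmicrohttpd. The script below, added here as an illustration and not taken from the bug report or from the systemd or Debian projects, classifies each TLS library that the dynamic loader would map as either direct or transitive. The `readelf -d` and `ldd` excerpts it parses are constructed to look like such output for a hypothetical build; the library names and paths are assumptions, not captured from any system.

```shell
#!/bin/sh
# Added example: classify the TLS libraries a binary links directly
# (DT_NEEDED entries) versus those that only arrive transitively through
# another shared library. Inputs below are constructed, not real output.

# Constructed `readelf -d` excerpt: direct dependencies only.
SAMPLE_READELF='Dynamic section at offset 0x1e2c8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd-shared-257.so]
 0x0000000000000001 (NEEDED)             Shared library: [libmicrohttpd.so.12]
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed `ldd` excerpt: everything the loader resolves, including
# libraries pulled in by the direct dependencies (hypothetical paths).
SAMPLE_LDD='	libsystemd-shared-257.so => /usr/lib/systemd/libsystemd-shared-257.so (0x...)
	libmicrohttpd.so.12 => /lib/x86_64-linux-gnu/libmicrohttpd.so.12 (0x...)
	libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x...)
	libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x...)
	libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x...)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x...)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)'

# direct_needed READELF_OUTPUT -> sonames listed as NEEDED, one per line.
direct_needed() {
    printf '%s\n' "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# resolved_libs LDD_OUTPUT -> sonames the loader resolved, one per line.
resolved_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" { print $1 }'
}

# tls_linkage READELF_OUTPUT LDD_OUTPUT -> one "<soname> direct|transitive"
# line per GnuTLS or OpenSSL library present in the loader's resolution set.
tls_linkage() {
    needed=$(direct_needed "$1")
    resolved_libs "$2" | grep -E '^lib(gnutls|ssl|crypto)\.so' | while read -r lib; do
        if printf '%s\n' "$needed" | grep -qx "$lib"; then
            echo "$lib direct"
        else
            echo "$lib transitive"
        fi
    done
}

# On a real host the two inputs would come from
#   readelf -d "$(command -v systemd-journal-remote)"  and  ldd "$(...)"
tls_linkage "$SAMPLE_READELF" "$SAMPLE_LDD"
```

With the constructed inputs every TLS library is reported as transitive: both GnuTLS and OpenSSL are mapped into the process, but neither is something the binary itself asked for, which is the situation the last message describes. A build with TLS support would instead show the chosen library as direct.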