Package: python3-trustme Version: 0.4.0-3 Severity: important Tags: patch Debian changed the default key size requirement to 2048 bits, thus keys generated with trustme no longer work.
diff --git a/trustme/__init__.py b/trustme/__init__.py index 7f2b37a..d0c50a5 100644 --- a/trustme/__init__.py +++ b/trustme/__init__.py @@ -33,7 +33,12 @@ except NameError: # On my laptop, making a CA + server certificate using 1024 bit keys takes ~40 # ms, and using 4096 bit keys takes ~2 seconds. We want tests to run in 40 ms, # not 2 seconds. -_KEY_SIZE = 1024 +# +# However, Debian changed the default security level to 2 in openssl +# 1.1.1~~pre9-1 (August 2018), which requires a minimum key size of 2048 bit or +# larger for RSA and DHE keys. To avoid test failures on newer Debian systems +# against OpenSSL, we must therefore use a key size of at least 2048 bits. +_KEY_SIZE = 2048 def _name(name, common_name=None): -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (700, 'stable'), (600, 'unstable'), (550, 'experimental'), (550, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages python3-trustme depends on: ii python3 3.7.3-1 ii python3-cryptography 2.6.1-3 ii python3-idna 2.6-1 python3-trustme recommends no packages. python3-trustme suggests no packages.

