Looks like a cipher suite without DHE was selected previously.
Could be a side-effect of dc1085734f34 ("testing: Remove unnecessary
FreeRADIUS dh_file option as recommended in the log").
Errors in load-testconfig are hidden due to not checking scp
return code and mute all errors. Add -e to trap script on
any errors in this script.
References strongswan/strongswan#2310
Signed-off-by: Maxim Uvarov <muvarov@gmail.com>
OpenSSH defaults have changed and scp stopped to work with newer versions.
There are 2 options to fix it, either use -O (legacy scp protocol)
with scp, or enable the sftp subsystem in the SSH server config.
This fix uses the second variant.
Closesstrongswan/strongswan#2310
Signed-off-by: Maxim Uvarov <muvarov@gmail.com>
The only exception is the ikev2/ocsp-no-signer-cert scenario as the
pki command won't sign an OCSP response with a certificate that isn't
the CA certificate or marked as an OCSP signer.
The all-zero Ed25519 public key is rejected by botan_pubkey_check_key()
when the key is loaded.
Note that Botan 3 requires GCC 11 or CLANG 14, i.e. can't easily be built
on Debian bullseye or Ubuntu 20.04.
The thread-local storage function gets flagged via various botan FFI
functions when using Botan 3, whitelist that instead of all of them.
The services running on alice seem to require a bit more memory with
Debian bookworm, so increase the memory allocation. But at the same
time reduce winnetou's allocation by the same amount as it really doesn't
require that much memory.
The unit change makes it easier to read.
Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
By default, rsyslog is not installed anymore to avoid storing everything
twice (since journald is the default). If this becomes an issue, we
could delete /var/log/journal to only log via rsyslog.
System-wide installation via pip isn't easily possible anymore on Debian
bookworm, so just use the Debian package for this (is available in old
releases as well).
OOM-killer is now already triggered with `import daemon`, so set the
limit before that. Also some PEP8 fixes (including an exclusion for
the above fix as that causes imports to not be at the beginning of the
file).
Without this, Git refuses to operate on the build dirs that are mounted
with weird ownership. When running as root in the chroot, Git checks
SUDO_UID, which won't match.
This is necessary because TKM can't read PKCS#8 files and in some
scenarios we don't have the pkcs8 plugin loaded that would be required
to read/decrypt the non-traditional files.
The wrapper called the command twice for any unit but "strongswan" and
it didn't return the correct exit code. This was noticed when an
if-updown script tried to check if systemd-resolved is active and always
succeeded, which caused failing attempts to configure it.
But now that the return code is correct, trying to enable bind9 won't
fail silently anymore if the unit doesn't exist (similar on older systems
for named), so this is adapted.
With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by
default. This increases the overhead significantly, in particular, the
size of the KE message, which wouldn't get through IPsec tunnels without
MSS clamping.
