[Pkg-net-snmp-devel] Bug#972985: Bug#972985: snmp: Blumenthal AES encryption should be enabled by default

Craig Small csmall at debian.org
Tue Oct 27 07:45:27 GMT 2020


Hi Owen,
  Thanks for the report, it is now enabled for the next release of Debian net-snmp.

https://salsa.debian.org/debian/net-snmp/-/commit/223b00693e5b68165b060e3f7342c4cc2574ba08


 - Craig


On Tue, 27 Oct 2020 at 14:31, Craig Small <csmall at debian.org> wrote:

> Hi Owen,
>
> OK, I think I know what happened, I was checking a different branch. No
> idea why the build system says it is building with them when it's not.
> Your patch is fine, I'll add that in shortly.
>
>  - Craig
>
>
> On Tue, 27 Oct 2020 at 10:18, Craig Small <csmall at debian.org> wrote:
>
>> On Tue, 27 Oct 2020 at 07:42, Owen Evans <oevans at sciencelogic.com> wrote:
>>
>>> Package: snmp
>>> Version: 5.9+dfsg-3-silo
>>>
>> This isn't a valid Debian version.
>>
>>> Blumenthal AES, in spite of being a 'draft' part of the SNMP Standard,
>>> is becoming widely implemented by many vendors. It is the main way to
>>> have strong encryption in connection with SNMPv3. Debian should include
>>> the --enable-blumenthal-aes option added around line 53 of debian/rules
>>> so that it is used when invoking the ./configure script from the
>>> upstream source package.
>>>
>> Are you sure the Debian packages don't already have this enabled?
>>
>> Also, that flag doesn't exist in 5.9 of net-snmp
>>  ./configure --enable-blumenthal-aes
>> configure: WARNING: unrecognized options: --enable-blumenthal-aes
>>
>> The draft standard seems to be all about enabling AES, or as the draft
>> states:
>>    1)Provide a set of new privacy protocols for USM based on the
>>      Advanced Encryption Standard.
>>
>> Output of the build system shows AES is actually there:
>>
>>   Crypto support from:        crypto
>>   Authentication support:     MD5 SHA1 SHA224 SHA256 SHA384 SHA512
>>   Encryption support:         DES AES AES128 AES192 AES192C AES256 AES256C
>>
>> So I'm a bit confused about what is not enabled and why your configure
>> option works.
>> The --with-openssl and having openssl 0.9.7 or later will do it.
>>
>>  - Craig
>>
>>