Debian Linux How-Tos

Tutorials, tips, hacks, and guides for users of Debian GNU/Linux operating systems.


The Debian GNU/Linux project has released an updated version of its stable Linux distribution, Debian 10 (“buster”). You must upgrade to get corrections for security problems, as this release contains fixes for the severe issues found in Debian version 10.8. Debian is a Unix-like operating system (a Linux distribution) and a distribution of Free Software. It is mainly maintained and updated through the work of many users who volunteer their time and effort. The Debian Project was first announced in 1993 by Ian Murdock.
[continue reading…]

Support for Debian Linux version 7 (codenamed “Wheezy”) ended on 31st May 2018. It was initially released on May 4, 2013. Each LTS (Long Term Support) period lasts for five years. This means the Debian project will no longer provide any security updates for Debian 7. As Debian Linux 7 Long Term Support has ended, you must upgrade your system to keep it secure. This page lists all the essential steps to update your system from Debian 7 to Debian 8.
[continue reading…]

The Debian GNU/Linux project has released an updated version of its stable Linux distribution, Debian 9 (“stretch”). This is the final update in the 9.x series. You must upgrade to get corrections for security problems, as this release contains fixes for the severe issues found in Debian version 9.12. Debian is a Unix-like operating system (a Linux distribution) and a distribution of Free Software. It is mainly maintained and updated through the work of many users who volunteer their time and effort. The Debian Project was first announced in 1993 by Ian Murdock.
[continue reading…]

From the announcement mailing list:

I’ve just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

This will likely break certain things that for whatever reason still don’t support TLS 1.2. I strongly suggest that if it’s not supported that you add support for it, or get the other side to add support for it.

OpenSSL made a release 5 years ago that supported TLS 1.2. The current support on the server side seems to be around 90%. I hope that by the time Buster releases, the support for TLS 1.2 will be high enough that I don’t need to enable them again.

The problem with TLS 1.0

TLS 1.0 lacks authenticated encryption for its CBC cipher suites, which exposes it to CBC chaining attacks and padding oracle attacks:

TLS 1.0 is still widely used as the ‘best’ protocol by a lot of browsers that are not patched to the very latest version. It suffers from CBC Chaining attacks and Padding Oracle attacks. TLSv1.0 should only be used after risk analysis and acceptance. PCI DSS 3.2 prohibits the use of TLS 1.0 after June 30, 2018.

TLS 1.0 also suffers from the BEAST attack, and the mitigations are complicated or ugly. Hence everyone is avoiding TLS 1.0. However, moving to TLS 1.2 brings a big issue of its own.

What does it mean for Debian sid users and mobile/desktop clients?

First of all, support was dropped in Debian Unstable, i.e. this change will take effect in Debian Linux 10 only. If you are running Debian Unstable on a server, a lot of things are going to break cryptographically, not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium or Firefox. Older versions of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need iOS 5 or later for TLS 1.2 support. The same goes for SMTP/mail servers, desktop email clients, FTP clients and more: all of them use old, outdated crypto. You can check your browser’s TLS 1.2 compatibility at SSLLabs.com:

Fig.01: User Agent Capabilities

How do I find out which TLS protocol version my browser negotiated with a server?

Use the following plugins/addons:

  1. CipherFox – Displays the current SSL/TLS cipher, protocol and certificate chain in the Add-on bar and Site ID dialog.
  2. SSleuth – How strong is your HTTPS connection? SSleuth ranks an established SSL/TLS connection and gives a brief summary of the cipher suite, certificate and other SSL/TLS parameters.
  3. You can use the Google Chrome developer tools to get this info too.

Fig.02: CipherFox in action

Fig.03: SSleuth in action

Poll: Are you on a strict diet of TLS 1.2 only for your server?

Overall this makes me concerned, especially about SMTP servers and client support departments. I suggest the Debian maintainer give an option to keep TLS 1.0/1.1, as I deal with many legacy clients. Correct me in the comments section below if my concerns are not valid.

Debian GNU/Linux version 9.0 “stretch” has been released after many months of constant development and is available for download in various media formats. Debian 9.0 is a free operating system that includes various new features such as support for the mips64el architecture, GNOME 3.22, KDE Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, Xfce 4.12, Linux kernel 4.9 and more. Debian 9 is dedicated to the project’s founder Ian Murdock, who passed away on 28 December 2015.

[continue reading…]

Oops! I did it again. I thought I was logged into my home server. Turns out I rebooted the db server. Another of my not-so-favorite mistakes is typing “shutdown -h 0” into the wrong terminal. I know a few people who have admitted to doing that here.

My anger that can’t be contained

Is there any end to the madness? Do I need to suffer from accidental random reboots and shutdowns? After all, it is human nature to make mistakes, but one should not keep on making the same mistakes again and again.
[continue reading…]