On Sun, Mar 20, 2022 at 10:00:15PM +0100, Paul Gevers wrote:
> Dear Sebastian, Kurt,
>
> On 19-03-2022 12:33, Adam D Barratt wrote:
> > Upload details
> > ==============
> >
> > Package: openssl
> > Version: 1.1.1n-0+deb10u1
> >
> > Explanation: new upstream release
>
> We're seeing a regression in buster in the autopkgtest of gnutls28 with the
> new version of openssl on all tested architectures. Can you please have a
> look and advise? (bullseye doesn't seem to have the test anymore, hence it
> doesn't fail).
>
> https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
>
> Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> FAIL [11]../../tests/suite/testcompat-main-openssl
>
> Which, according to me, is this check:
> https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307

That test still seems to exist, but is just moved to a different file:
https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255

My understanding is that gnutls now passes the correct list of signature
algorithms to use to OpenSSL's s_client to be able to do that test, and
that this is probably fixed by:
https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
(and https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)

I'm trying to remember what was changed and why, but I can't
find/remember it.

Kurt