Your message dated Mon, 19 Sep 2022 01:26:37 +0000
with message-id <[email protected]>
and subject line Bug#918727: fixed in openssl 3.0.5-3
has caused the Debian Bug report #918727,
regarding openssl.cnf incompatible with libssl1.0.2, libssl1.0.0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
918727: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.1.1a-1
Severity: important
Control: found -1 1.1.1~~pre3-1
Control: affects -1 steam
The openssl.cnf in the openssl package since 1.1.1~~pre3-1 is incompatible
with libssl < 1.1.0 (I think that's the right cutoff point), either from
a partial upgrade or bundled with third-party software.
It should probably at least have a Breaks on libssl1.0.2, to protect
partial upgrades from stretch. Some release notes for users of
third-party software might also be useful. I realise it probably isn't
feasible to keep openssl.cnf compatible with all past and future versions.
It would perhaps be a good idea for future OpenSSL branches to
use a configuration file that's tied to the major version in their SONAME,
or otherwise parallel-installable? (openssl1.1.0.cnf, etc.)
Minimal reproducer:
* start from Debian testing (buster)
* unpack libssl1.0.2 1.0.2q-2, from unstable, and openssl 1.0.2j-1
from snapshots.debian.org (the newest openssl.deb that still depended
on libssl1.0.2) into ~/102
* then run:
LD_LIBRARY_PATH=$HOME/102/usr/lib/x86_64-linux-gnu $HOME/102/usr/bin/openssl s_client example.com:443
Expected result: successful connection
Actual result:
Error configuring OpenSSL
140099788864256:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
140099788864256:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140099788864256:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
140099788864256:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf
The same thing can be reproduced with libssl1.0.0 and openssl from jessie.
Workaround: use OPENSSL_CONF=/dev/null when running software that depends
on an older libssl.
For context, libssl_conf.so never actually existed on disk, and
isn't really meant to. In OpenSSL's approach to configuration,
/etc/ssl/openssl.cnf configuration parameters cause loading of
native-code modules, which can either be built-in to libcrypto or
libssl, or real files on disk to be dlopen()ed (like the way Python's
sys module is built-in to the interpreter, but its readline module is
external). libssl_conf.so in the default library search path (!) is one
of several names OpenSSL would try for the ssl_conf module - I think
the reason it appears in the error message is that it's the last one to
be tried.
Since 1.1.0 (commit 59b1696c), there is a ssl_conf module built-in to
libssl. It moved into libcrypto in 1.1.1 (commit d8f031e8).
In Debian, since 1.1.1 (August 2018, if we don't count experimental),
/etc/ssl/openssl.cnf has made use of the ssl_conf mechanism to enforce
TLS1.2 as the minimum protocol, and 112-bit security (level 2) as
the minimum security level. This file is only installed if the openssl
package (containing the openssl command-line tool) is installed. However,
ca-certificates depends on openssl, so in practice basically all users
will have it.
This affects libssl1.0.0 in the Steam Runtime installed by the non-free
steam package, and possibly other third-party software bundles.
(<https://github.com/ValveSoftware/steam-for-linux/issues/6014>)
smcv
--- End Message ---
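Added example, not part of the original report or of the openssl package: a check for the condition the report describes, namely an openssl.cnf whose openssl_conf section loads the ssl_conf module, which libssl < 1.1.0 cannot resolve. The function names and the sample file are constructed for illustration; the sample follows the TLS 1.2 / security level 2 defaults mentioned in the report.

```shell
#!/bin/sh
# Added example: does an openssl.cnf activate the ssl_conf module?
# Assumption: plain "key = value" files; .include directives are not followed.

# uses_ssl_conf FILE   (FILE may be "-" for stdin); exit status 0 = module in use
uses_ssl_conf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/#.*/, ""); line = trim($0) }
        line == "" { next }
        line ~ /^\[.*\]$/ { sect = trim(substr(line, 2, length(line) - 2)); next }
        {
            eq = index(line, "=")
            if (eq == 0) next
            key = trim(substr(line, 1, eq - 1))
            val = trim(substr(line, eq + 1))
            # openssl_conf in the default section names the module list section
            if ((sect == "" || sect == "default") && key == "openssl_conf") root = val
            seen[sect, key] = 1
        }
        END { exit !(root != "" && ((root, "ssl_conf") in seen)) }
    ' "${1:--}"
}

# verdict FILE: one-line result, pointing at the workaround from the report
verdict() {
    if uses_ssl_conf "$1"; then
        echo "ssl_conf in use: set OPENSSL_CONF=/dev/null for programs on libssl < 1.1.0"
    else
        echo "ssl_conf not referenced"
    fi
}

# Constructed sample configuration (not copied from any package)
sample_cnf() {
    cat <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

sample_cnf | verdict -
```

On a real system, pass the path of the configuration file instead of "-", for example /etc/ssl/openssl.cnf.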
--- Begin Message ---
Source: openssl
Source-Version: 3.0.5-3
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 18 Sep 2022 21:48:05 +0200
Source: openssl
Architecture: source
Version: 3.0.5-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 805646 918727
Changes:
openssl (3.0.5-3) unstable; urgency=medium
.
* Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
(Closes: #805646).
* Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).
Checksums-Sha1:
8b42773cd53a5d2035b847faa1388d4ab3e4071f 2604 openssl_3.0.5-3.dsc
4584922d4ebd83a49e1e2d79b1e48c3885419dec 121188 openssl_3.0.5-3.debian.tar.xz
Checksums-Sha256:
b8ef2c7a33f9ae044ba2232fee62eea393a770ff50b9003e031921e7712c15fa 2604 openssl_3.0.5-3.dsc
cdfa2f7d2d798d616e553454816c579870c2ee0e2185ab017dd1136c040b3923 121188 openssl_3.0.5-3.debian.tar.xz
Files:
f02b4e3661cf35fe45c152a3ff4d9240 2604 utils optional openssl_3.0.5-3.dsc
f5f4d888fee8abebf37d3c13a4b727d6 121188 utils optional openssl_3.0.5-3.debian.tar.xz
--- End Message ---