Hello Salvatore Bonaccorso,
I just tried to find some information, without deeper knowledge
of spice or openssl.
In the end I think the openssl update from 1.1.0h-4 to
1.1.1-4 makes the difference.
Since some 1.1.1 version, /etc/ssl/openssl.cnf seems to contain:
CipherString = DEFAULT@SECLEVEL=2
This security level rejects the 80 bits of security that the 1024-bit RSA key
in this test's certificate provides, while level 2 requires at least 112 bits.
In 1.1.1 SSL_CTX_new already applies this system-wide setting (see the
ssl_ctx_system_config frame in the watchpoint backtrace below).
Therefore I assume upstream should replace this certificate (a 2048-bit RSA
key would give the 112 bits that level 2 requires, see BN_security_bits below).
"Generating self-signed certificates" ([1],[2]) may give some
pointers on how these files were generated.
[1] https://www.spice-space.org/spice-user-manual.html
[2]
https://cgit.freedesktop.org/spice/spice/commit/server/tests/pki?id=7b5e294a363e1500ab1a5b143da1602c9fed0547
More information in the following links:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907518
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
Kind regards,
Bernhard
apt update
apt dist-upgrade
apt build-dep spice
apt install devscripts gdb
mkdir spice/orig -p
cd spice/orig
apt source spice
cd ../..
mkdir libssl1.1/orig -p
cd libssl1.1/orig
apt source libssl1.1
cd ../..
mkdir libssl1.1-buster/orig -p
cd libssl1.1-buster/orig
dget http://http.debian.net/debian/pool/main/o/openssl/openssl_1.1.0h-4.dsc
cd ../..
cd spice
cp -a orig try1
cd try1/spice-0.14.0/
dpkg-buildpackage
-> Builds in buster
-> Switch to unstable
apt update
apt dist-upgrade
Die folgenden Pakete werden aktualisiert (Upgrade):
autopoint ca-certificates console-setup console-setup-linux cpp debhelper
dirmngr dmidecode dpkg dpkg-dev g++ gcc gettext gettext-base gnupg gnupg-l10n
gnupg-utils gpg gpg-agent gpg-wks-client
gpg-wks-server gpgconf gpgsm gpgv gzip ifupdown keyboard-configuration
libdpkg-perl libegl-mesa0 libegl1-mesa-dev libgbm1 libgl1-mesa-dev
libgl1-mesa-dri libglapi-mesa libgles2-mesa-dev libglx-mesa0
libgnutls-dane0 libgnutls30 libgpgme11 libio-socket-ssl-perl libltdl7
libnet-dns-sec-perl libnet-ssleay-perl libnghttp2-14 libpython3.6-minimal
libpython3.6-stdlib libsoup2.4-1 libssl-dev libssl1.1
libtool linux-image-4.18.0-1-amd64 linux-image-amd64 linux-libc-dev
mesa-common-dev openssl publicsuffix python3-gpg python3.6 python3.6-minimal
wget
apt autoremove
reboot
apt install libglib2.0-0-dbgsym
cd spice
cp -a orig try2
cd try2/spice-0.14.0/
dpkg-buildpackage
PASS: test-stat-file
../../test-driver: Zeile 107: 14389 Trace/Breakpoint ausgelöst "$@" >
$log_file 2>&1
FAIL: test-leaks
PASS: test-vdagent
PASS: test-fail-on-null-core-interface
PASS: test-empty-success
PASS: test-channel
===============================================
spice 0.14.0: server/tests/test-suite.log
===============================================
# TOTAL: 13
# PASS: 12
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: test-leaks
================
/server/server leaks:
(./test-leaks:14389): Spice-WARNING **: 10:38:37.328:
reds.c:2860:reds_init_ssl: Could not load certificates from
/home/benutzer/spice/try2/spice-0.14.0/server/tests/pki/server-cert.pem
FAIL test-leaks (exit status: 133)
============================================================================
Testsuite summary for spice 0.14.0
============================================================================
# TOTAL: 13
# PASS: 12
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See server/tests/test-suite.log
Please report to [email protected]
============================================================================
make[8]: *** [Makefile:1301: test-suite.log] Fehler 1
cd server/tests
gdb -q --args ./test-leaks
set height 0
set width 0
set pagination off
directory /home/benutzer/spice/try2/spice-0.14.0/server
directory /home/benutzer/libssl1.1/orig/openssl-1.1.1/ssl
run
benutzer@debian:~/spice/try2/spice-0.14.0/server/tests$ gdb -q --args
./test-leaks
Reading symbols from ./test-leaks...done.
(gdb) set height 0
(gdb) set width 0
(gdb) set pagination off
(gdb) run
Starting program:
/home/benutzer/spice/try2/spice-0.14.0/server/tests/test-leaks
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/server/server leaks:
(/home/benutzer/spice/try2/spice-0.14.0/server/tests/test-leaks:14700):
Spice-WARNING **: 10:45:48.291: reds.c:2860:reds_init_ssl: Could not load
certificates from
/home/benutzer/spice/try2/spice-0.14.0/server/tests/pki/server-cert.pem
Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff6add9f5 in _g_log_abort () at ../../../../glib/gmessages.c:554
554 ../../../../glib/gmessages.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 0x00007ffff6add9f5 in _g_log_abort (breakpoint=1) at
../../../../glib/gmessages.c:554
#1 0x00007ffff6aded0d in g_logv (log_domain=0x55555562a029 "Spice",
log_level=G_LOG_LEVEL_WARNING, format=<optimized out>,
args=args@entry=0x7fffffffe050) at ../../../../glib/gmessages.c:1371
#2 0x00007ffff6adeedf in g_log (log_domain=log_domain@entry=0x55555562a029
"Spice", log_level=log_level@entry=G_LOG_LEVEL_WARNING,
format=format@entry=0x555555639eb5 "%s") at ../../../../glib/gmessages.c:1413
#3 0x0000555555566b22 in spice_logv (log_domain=0x55555562a029 "Spice",
args=0x7fffffffe130, format=0x55555562ca80 "Could not load certificates from
%s", function=0x55555562d2f8 <__FUNCTION__.50618> "reds_init_ssl",
strloc=0x55555562ba39 "reds.c:2860", log_level=G_LOG_LEVEL_WARNING) at log.c:178
#4 0x0000555555566b22 in spice_log
(log_level=log_level@entry=G_LOG_LEVEL_WARNING,
strloc=strloc@entry=0x55555562ba39 "reds.c:2860",
function=function@entry=0x55555562d2f8 <__FUNCTION__.50618> "reds_init_ssl",
format=format@entry=0x55555562ca80 "Could not load certificates from %s") at
log.c:196
#5 0x000055555556ed87 in reds_init_ssl (reds=0x555555696f70) at reds.c:2860
#6 0x000055555556ed87 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#7 0x000055555556ed87 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#8 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#9 0x00007ffff6afee7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#10 0x00007ffff6afee7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#11 0x00007ffff6afed34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#12 0x00007ffff6aff132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#13 0x00007ffff6aff151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#14 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb) list reds.c:2824,2908
2824 static int reds_init_ssl(RedsState *reds)
2825 {
2826 static GOnce openssl_once = G_ONCE_INIT;
2827 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
2828 const SSL_METHOD *ssl_method;
2829 #else
2830 SSL_METHOD *ssl_method;
2831 #endif
2832 int return_code;
2833 /* When some other SSL/TLS version becomes obsolete, add it to this
2834 * variable. */
2835 long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
2836
2837 /* Global system initialization*/
2838 g_once(&openssl_once, openssl_global_init, NULL);
2839
2840 /* Create our context*/
2841 /* SSLv23_method() handles TLSv1.x in addition to SSLv2/v3 */
2842 ssl_method = SSLv23_method();
2843 reds->ctx = SSL_CTX_new(ssl_method);
2844 if (!reds->ctx) {
2845 spice_warning("Could not allocate new SSL context");
2846 return -1;
2847 }
2848
2849 /* Limit connection to TLSv1 only */
2850 #ifdef SSL_OP_NO_COMPRESSION
2851 ssl_options |= SSL_OP_NO_COMPRESSION;
2852 #endif
2853 SSL_CTX_set_options(reds->ctx, ssl_options);
2854
2855 /* Load our keys and certificates*/
2856 return_code = SSL_CTX_use_certificate_chain_file(reds->ctx,
reds->config->ssl_parameters.certs_file);
2857 if (return_code == 1) {
2858 spice_debug("Loaded certificates from %s",
reds->config->ssl_parameters.certs_file);
2859 } else {
2860 spice_warning("Could not load certificates from %s",
reds->config->ssl_parameters.certs_file);
2861 return -1;
2862 }
2863
2864 SSL_CTX_set_default_passwd_cb(reds->ctx, ssl_password_cb);
2865 SSL_CTX_set_default_passwd_cb_userdata(reds->ctx, reds);
2866
2867 return_code = SSL_CTX_use_PrivateKey_file(reds->ctx,
reds->config->ssl_parameters.private_key_file,
2868 SSL_FILETYPE_PEM);
2869 if (return_code == 1) {
2870 spice_debug("Using private key from %s",
reds->config->ssl_parameters.private_key_file);
2871 } else {
2872 spice_warning("Could not use private key file");
2873 return -1;
2874 }
2875
2876 /* Load the CAs we trust*/
2877 return_code = SSL_CTX_load_verify_locations(reds->ctx,
reds->config->ssl_parameters.ca_certificate_file, 0);
2878 if (return_code == 1) {
2879 spice_debug("Loaded CA certificates from %s",
reds->config->ssl_parameters.ca_certificate_file);
2880 } else {
2881 spice_warning("Could not use CA file %s",
reds->config->ssl_parameters.ca_certificate_file);
2882 return -1;
2883 }
2884
2885 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
2886 SSL_CTX_set_verify_depth(reds->ctx, 1);
2887 #endif
2888
2889 if (strlen(reds->config->ssl_parameters.dh_key_file) > 0) {
2890 if (load_dh_params(reds->ctx,
reds->config->ssl_parameters.dh_key_file) < 0) {
2891 return -1;
2892 }
2893 }
2894
2895 SSL_CTX_set_session_id_context(reds->ctx, (const unsigned char
*)"SPICE", 5);
2896 if (strlen(reds->config->ssl_parameters.ciphersuite) > 0) {
2897 if (!SSL_CTX_set_cipher_list(reds->ctx,
reds->config->ssl_parameters.ciphersuite)) {
2898 return -1;
2899 }
2900 }
2901
2902 #ifndef SSL_OP_NO_COMPRESSION
2903 STACK *cmp_stack = SSL_COMP_get_compression_methods();
2904 sk_zero(cmp_stack);
2905 #endif
2906
2907 return 0;
2908 }
(gdb) list reds.c:3429,3490
3429 static int do_spice_init(RedsState *reds, SpiceCoreInterface
*core_interface)
3430 {
3431 spice_debug("starting %s", VERSION);
3432
3433 if (core_interface->base.major_version !=
SPICE_INTERFACE_CORE_MAJOR) {
3434 spice_warning("bad core interface version");
3435 goto err;
3436 }
3437 reds->core = core_interface_adapter;
3438 reds->core.public_interface = core_interface;
3439 reds->agent_dev = red_char_device_vdi_port_new(reds);
3440 reds_update_agent_properties(reds);
3441 reds->clients = NULL;
3442 reds->main_dispatcher = main_dispatcher_new(reds, &reds->core);
3443 reds->channels = NULL;
3444 reds->mig_target_clients = NULL;
3445 reds->char_devices = NULL;
3446 reds->mig_wait_disconnect_clients = NULL;
3447 reds->vm_running = TRUE; /* for backward compatibility */
3448
3449 if (!(reds->mig_timer = reds->core.timer_add(&reds->core,
migrate_timeout, reds))) {
3450 spice_error("migration timer create failed");
3451 }
3452
3453 if (reds_init_net(reds) < 0) {
3454 goto err;
3455 }
3456 if (reds->secure_listen_socket != -1) {
3457 if (reds_init_ssl(reds) < 0) {
3458 goto err;
3459 }
3460 }
3461 #if HAVE_SASL
3462 int saslerr;
3463 if ((saslerr = sasl_server_init(NULL, reds->config->sasl_appname ?
3464 reds->config->sasl_appname :
"spice")) != SASL_OK) {
3465 spice_error("Failed to initialize SASL auth %s",
3466 sasl_errstring(saslerr, NULL, NULL));
3467 goto err;
3468 }
3469 #endif
3470
3471 reds->main_channel = main_channel_new(reds);
3472 reds->inputs_channel = inputs_channel_new(reds);
3473
3474 reds->mouse_mode = SPICE_MOUSE_MODE_SERVER;
3475
3476 spice_buffer_free(&reds->client_monitors_config);
3477
3478 reds->allow_multiple_clients = getenv(SPICE_DEBUG_ALLOW_MC_ENV) !=
NULL;
3479 if (reds->allow_multiple_clients) {
3480 spice_warning("spice: allowing multiple client connections");
3481 }
3482 pthread_mutex_lock(&global_reds_lock);
3483 servers = g_list_prepend(servers, reds);
3484 pthread_mutex_unlock(&global_reds_lock);
3485 return 0;
3486
3487 err:
3488 return -1;
3489 }
3490
(gdb) run
Starting program:
/home/benutzer/spice/try2/spice-0.14.0/server/tests/test-leaks
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/server/server leaks:
Breakpoint 7, ssl_security_default_callback (s=0x0, ctx=0x5555556c2df0,
op=393232, bits=80, nid=0, other=0x5555556c44f0, ex=0x0) at
../ssl/ssl_cert.c:915
915 if (ctx)
(gdb) next
916 level = SSL_CTX_get_security_level(ctx);
(gdb)
920 if (level <= 0) {
(gdb)
929 if (level > 5)
(gdb)
931 minbits = minbits_table[level - 1];
(gdb)
932 switch (op) {
(gdb) print minbits
$8 = 112
(gdb) next
986 if (bits < minbits)
(gdb) print bits
$9 = 80
(gdb) print level
$10 = 2
(gdb) print/x op
$12 = 0x60010
(gdb) bt
#0 0x00007ffff7357f43 in ssl_security_default_callback (s=0x0, ctx=<optimized
out>, op=393232, bits=80, nid=0, other=0x5555556c44f0, ex=0x0) at
../ssl/ssl_cert.c:986
#1 0x00007ffff7359bc6 in ssl_ctx_security (ctx=ctx@entry=0x5555556c2df0,
op=<optimized out>, bits=<optimized out>, nid=<optimized out>, other=<optimized
out>) at ../ssl/ssl_cert.c:999
#2 0x00007ffff738a0ba in ssl_security_cert_key (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, x=x@entry=0x5555556c44f0, op=op@entry=393232) at
../ssl/t1_lib.c:2400
#3 0x00007ffff738dc75 in ssl_security_cert (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, x=x@entry=0x5555556c44f0, vfy=vfy@entry=0,
is_ee=is_ee@entry=1) at ../ssl/t1_lib.c:2426
#4 0x00007ffff73673e6 in SSL_CTX_use_certificate (ctx=0x5555556c2df0,
x=0x5555556c44f0) at ../ssl/ssl_rsa.c:308
#5 0x00007ffff7367509 in use_certificate_chain_file (ctx=0x5555556c2df0,
ssl=ssl@entry=0x0, file=<optimized out>) at ../ssl/ssl_rsa.c:627
#6 0x00007ffff7367e0a in SSL_CTX_use_certificate_chain_file (ctx=<optimized
out>, file=<optimized out>) at ../ssl/ssl_rsa.c:688
#7 0x000055555556e9e6 in reds_init_ssl (reds=0x555555696f70) at reds.c:2856
#8 0x000055555556e9e6 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#9 0x000055555556e9e6 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#10 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#11 0x00007ffff6afee7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#12 0x00007ffff6afee7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#13 0x00007ffff6afed34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#14 0x00007ffff6aff132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#15 0x00007ffff6aff151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#16 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb) list ssl_cert.c:909,990
909 static int ssl_security_default_callback(const SSL *s, const SSL_CTX
*ctx,
910 int op, int bits, int nid,
void *other,
911 void *ex)
912 {
913 int level, minbits;
914 static const int minbits_table[5] = { 80, 112, 128, 192, 256 };
915 if (ctx)
916 level = SSL_CTX_get_security_level(ctx);
917 else
918 level = SSL_get_security_level(s);
919
920 if (level <= 0) {
921 /*
922 * No EDH keys weaker than 1024-bits even at level 0, otherwise,
923 * anything goes.
924 */
925 if (op == SSL_SECOP_TMP_DH && bits < 80)
926 return 0;
927 return 1;
928 }
929 if (level > 5)
930 level = 5;
931 minbits = minbits_table[level - 1];
932 switch (op) {
933 case SSL_SECOP_CIPHER_SUPPORTED:
934 case SSL_SECOP_CIPHER_SHARED:
935 case SSL_SECOP_CIPHER_CHECK:
936 {
937 const SSL_CIPHER *c = other;
938 /* No ciphers below security level */
939 if (bits < minbits)
940 return 0;
941 /* No unauthenticated ciphersuites */
942 if (c->algorithm_auth & SSL_aNULL)
943 return 0;
944 /* No MD5 mac ciphersuites */
945 if (c->algorithm_mac & SSL_MD5)
946 return 0;
947 /* SHA1 HMAC is 160 bits of security */
948 if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
949 return 0;
950 /* Level 2: no RC4 */
951 if (level >= 2 && c->algorithm_enc == SSL_RC4)
952 return 0;
953 /* Level 3: forward secure ciphersuites only */
954 if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
955 !(c->algorithm_mkey & (SSL_kEDH |
SSL_kEECDH))))
956 return 0;
957 break;
958 }
959 case SSL_SECOP_VERSION:
960 if (!SSL_IS_DTLS(s)) {
961 /* SSLv3 not allowed at level 2 */
962 if (nid <= SSL3_VERSION && level >= 2)
963 return 0;
964 /* TLS v1.1 and above only for level 3 */
965 if (nid <= TLS1_VERSION && level >= 3)
966 return 0;
967 /* TLS v1.2 only for level 4 and above */
968 if (nid <= TLS1_1_VERSION && level >= 4)
969 return 0;
970 } else {
971 /* DTLS v1.2 only for level 4 and above */
972 if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4)
973 return 0;
974 }
975 break;
976
977 case SSL_SECOP_COMPRESSION:
978 if (level >= 2)
979 return 0;
980 break;
981 case SSL_SECOP_TICKET:
982 if (level >= 3)
983 return 0;
984 break;
985 default:
986 if (bits < minbits)
987 return 0;
988 }
989 return 1;
990 }
(gdb)
#3 0x00007ffff738dc75 in ssl_security_cert (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, x=x@entry=0x5555556c44f0, vfy=vfy@entry=0,
is_ee=is_ee@entry=1) at ../ssl/t1_lib.c:2426
2426 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
(gdb) list ssl.h:2255
2255 # define SSL_SECOP_OTHER_CERT (6 << 16)
(gdb) list ssl.h:2292
2292 # define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT)
benutzer@debian:~$ openssl x509 -in
/home/benutzer/spice/try2/spice-0.14.0/server/tests/pki/server-cert.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = XX, L = Default City, O = Default Company Ltd
Validity
Not Before: Mar 23 10:40:45 2017 GMT
Not After : Mar 16 10:40:45 2047 GMT
Subject: C = XX, L = Default City, O = Default Company Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:c5:c3:3c:c6:4b:b1:ef:02:b8:4c:09:28:c9:2f:
11:d9:81:c0:af:b7:dd:3d:23:38:c9:14:24:fb:7c:
2e:c7:8b:0a:35:e6:60:e8:ab:da:05:ab:b2:73:f9:
7e:0c:69:c3:1f:d7:c5:be:b5:8a:fc:21:02:d0:b6:
98:57:32:df:15:e9:44:d9:03:1e:4d:c5:d9:7a:46:
c0:3d:0c:b2:3f:6d:47:d0:d8:89:dc:91:cf:fa:cd:
d4:14:6d:87:96:4b:9b:44:ef:8e:6c:16:70:16:fb:
a9:62:02:21:54:cb:b2:9e:b3:5e:e3:3f:7a:b0:37:
13:4d:2c:ed:50:0d:06:56:8f
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
d8:e9:b4:d5:06:af:d8:e4:1c:66:32:0f:52:69:6a:4b:36:3d:
eb:1c:93:f2:0c:c2:20:ec:90:8a:40:ae:27:74:1d:7a:6e:10:
bf:57:3d:47:10:c5:c4:d4:ab:9c:d2:0d:c7:b4:6b:b6:4a:a9:
ed:d3:3b:b2:df:a0:52:a7:4a:73:68:ef:6f:7d:35:4d:b4:be:
4a:50:da:2b:53:6b:7b:9b:c1:f1:b3:e0:d5:c2:71:53:05:97:
d5:f0:f2:da:28:08:a2:4d:0a:98:cd:4f:ed:2f:0c:8a:c6:bf:
aa:6a:1b:45:be:2b:ce:f9:f7:6e:54:e1:7a:ca:85:7b:3f:71:
46:19
-----BEGIN CERTIFICATE-----
MIIB8zCCAVwCAQEwDQYJKoZIhvcNAQELBQAwQjELMAkGA1UEBhMCWFgxFTATBgNV
BAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDAe
Fw0xNzAzMjMxMDQwNDVaFw00NzAzMTYxMDQwNDVaMEIxCzAJBgNVBAYTAlhYMRUw
EwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBM
dGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXDPMZLse8CuEwJKMkvEdmB
wK+33T0jOMkUJPt8LseLCjXmYOir2gWrsnP5fgxpwx/Xxb61ivwhAtC2mFcy3xXp
RNkDHk3F2XpGwD0Msj9tR9DYidyRz/rN1BRth5ZLm0TvjmwWcBb7qWICIVTLsp6z
XuM/erA3E00s7VANBlaPAgMBAAEwDQYJKoZIhvcNAQELBQADgYEA2Om01Qav2OQc
ZjIPUmlqSzY96xyT8gzCIOyQikCuJ3Qdem4Qv1c9RxDFxNSrnNINx7Rrtkqp7dM7
st+gUqdKc2jvb301TbS+SlDaK1Nre5vB8bPg1cJxUwWX1fDy2igIok0KmM1P7S8M
isa/qmobRb4rzvn3blThesqFez9xRhk=
-----END CERTIFICATE-----
https://cgit.freedesktop.org/spice/spice/commit/server/tests/pki/server-cert.pem?id=7b5e294a363e1500ab1a5b143da1602c9fed0547
Where does this 80 come from?
(gdb) bt
#0 0x00007ffff71158b0 in BN_security_bits (L=1024, N=-1) at
../crypto/bn/bn_lib.c:834
#1 0x00007ffff738a080 in ssl_security_cert_key (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, x=x@entry=0x5555556c44f0, op=op@entry=393232) at
../ssl/t1_lib.c:2395
#2 0x00007ffff738dc75 in ssl_security_cert (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, x=x@entry=0x5555556c44f0, vfy=vfy@entry=0,
is_ee=is_ee@entry=1) at ../ssl/t1_lib.c:2426
#3 0x00007ffff73673e6 in SSL_CTX_use_certificate (ctx=0x5555556c2df0,
x=0x5555556c44f0) at ../ssl/ssl_rsa.c:308
#4 0x00007ffff7367509 in use_certificate_chain_file (ctx=0x5555556c2df0,
ssl=ssl@entry=0x0, file=<optimized out>) at ../ssl/ssl_rsa.c:627
#5 0x00007ffff7367e0a in SSL_CTX_use_certificate_chain_file (ctx=<optimized
out>, file=<optimized out>) at ../ssl/ssl_rsa.c:688
#6 0x000055555556e9e6 in reds_init_ssl (reds=0x555555696f70) at reds.c:2856
#7 0x000055555556e9e6 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#8 0x000055555556e9e6 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#9 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#10 0x00007ffff6afee7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#11 0x00007ffff6afee7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#12 0x00007ffff6afed34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#13 0x00007ffff6aff132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#14 0x00007ffff6aff151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#15 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb) list bn_lib.c:831,900
831 int BN_security_bits(int L, int N)
832 {
833 int secbits, bits;
834 if (L >= 15360)
835 secbits = 256;
836 else if (L >= 7680)
837 secbits = 192;
838 else if (L >= 3072)
839 secbits = 128;
840 else if (L >= 2048)
841 secbits = 112;
842 else if (L >= 1024)
843 secbits = 80;
844 else
845 return 0;
846 if (N == -1)
847 return secbits;
848 bits = N / 2;
849 if (bits < 80)
850 return 0;
851 return bits >= secbits ? secbits : bits;
852 }
(gdb) print L
$25 = 1024
(gdb) print N
$26 = -1
(gdb) print secbits
$27 = 80
Back to buster openssl:
wget
http://ftp.de.debian.org/debian/pool/main/o/openssl/libssl-dev_1.1.0h-4_amd64.deb
wget
http://ftp.de.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.0h-4_amd64.deb
wget
http://ftp.de.debian.org/debian/pool/main/o/openssl/openssl_1.1.0h-4_amd64.deb
wget
http://debug.mirrors.debian.org/debian-debug/pool/main/o/openssl/libssl1.1-dbgsym_1.1.0h-4_amd64.deb
dpkg -i *1.1.0h-4*.deb
cd spice
cp -a orig try3
cd try3/spice-0.14.0/
dpkg-buildpackage
--> Test does not fail
directory /home/benutzer/spice/try3/spice-0.14.0/server
directory /home/benutzer/libssl1.1-buster/orig/openssl-1.1.0h/ssl
(gdb)
1003 level = SSL_CTX_get_security_level(ctx);
(gdb)
1007 if (level <= 0) {
(gdb) print level
$2 = 1
--> 1.1.0h-4 returns level == 1, 1.1.1-1 returns level == 2
1.1.0h-4: ssl/ssl_lib.c:4023
(gdb) list SSL_CTX_get_security_level
4021 int SSL_CTX_get_security_level(const SSL_CTX *ctx)
4022 {
4023 return ctx->cert->sec_level;
4024 }
--> With 1.1.0h-4, sec_level is initialized to 1
(gdb) bt
#0 0x00007ffff717e24b in SSL_CTX_new (meth=0x7ffff73b2680
<TLS_method_data.21235>) at ../ssl/ssl_lib.c:2568
#1 0x000055555556e9b3 in reds_init_ssl (reds=0x555555696f70) at reds.c:2843
#2 0x000055555556e9b3 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#3 0x000055555556e9b3 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#4 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#5 0x00007ffff677ae7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#6 0x00007ffff677ae7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#7 0x00007ffff677ad34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#8 0x00007ffff677b132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#9 0x00007ffff677b151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#10 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb)
2565 if ((ret->cert = ssl_cert_new()) == NULL)
(gdb)
2568 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash,
ssl_session_cmp);
(gdb) print ret->cert->sec_level
$19 = 1
--> Where does level 2 come from with 1.1.1-1?
apt install -f
apt dist-upgrade
cd spice
cp -a orig try4
cd try4/spice-0.14.0/
dpkg-buildpackage
cd server/tests/
gdb -q --args ./test-leaks
set height 0
set width 0
set pagination off
directory /home/benutzer/spice/try4/spice-0.14.0/server
directory /home/benutzer/libssl1.1/orig/openssl-1.1.1/ssl
b SSL_CTX_new
run
benutzer@debian:~/spice/try4/spice-0.14.0/server/tests$ gdb -q --args
./test-leaks
Reading symbols from ./test-leaks...done.
(gdb) set height 0
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/spice/try4/spice-0.14.0/server
Source directories searched:
/home/benutzer/spice/try4/spice-0.14.0/server:$cdir:$cwd
(gdb) directory /home/benutzer/libssl1.1/orig/openssl-1.1.1/ssl
Source directories searched:
/home/benutzer/libssl1.1/orig/openssl-1.1.1/ssl:/home/benutzer/spice/try4/spice-0.14.0/server:$cdir:$cwd
(gdb) b SSL_CTX_new
Breakpoint 1 at 0xadc0
(gdb) run
Starting program:
/home/benutzer/spice/try4/spice-0.14.0/server/tests/test-leaks
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/server/server leaks:
Breakpoint 1, SSL_CTX_new (meth=0x7ffff73b2d40 <TLS_method_data.23193>) at
../ssl/ssl_lib.c:2878
2878 if (meth == NULL) {
(gdb) bt
#0 0x00007ffff7361820 in SSL_CTX_new (meth=0x7ffff73b2d40
<TLS_method_data.23193>) at ../ssl/ssl_lib.c:2878
#1 0x000055555556e9b3 in reds_init_ssl (reds=0x555555696f70) at reds.c:2843
#2 0x000055555556e9b3 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#3 0x000055555556e9b3 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#4 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#5 0x00007ffff6afee7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#6 0x00007ffff6afee7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#7 0x00007ffff6afed34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#8 0x00007ffff6aff132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#9 0x00007ffff6aff151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#10 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb) next
2883 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
(gdb)
2886 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
(gdb)
2890 ret = OPENSSL_zalloc(sizeof(*ret));
(gdb)
2891 if (ret == NULL)
(gdb)
2894 ret->method = meth;
(gdb)
2897 ret->mode = SSL_MODE_AUTO_RETRY;
(gdb) next
2898 ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
(gdb)
2899 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
(gdb)
2901 ret->session_timeout = meth->get_timeout();
(gdb)
2902 ret->references = 1;
(gdb)
2903 ret->lock = CRYPTO_THREAD_lock_new();
(gdb)
2904 if (ret->lock == NULL) {
(gdb)
2909 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
(gdb)
2910 ret->verify_mode = SSL_VERIFY_NONE;
(gdb)
2911 if ((ret->cert = ssl_cert_new()) == NULL)
(gdb)
2914 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash,
ssl_session_cmp);
(gdb) print ret->cert->sec_level
$1 = 1
(gdb) print &(ret->cert->sec_level)
$2 = (int *) 0x555555696a00
(gdb) watch *0x555555696a00
Hardware watchpoint 2: *0x555555696a00
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x555555696a00
Old value = 1
New value = 2
ssl_cipher_process_rulestr (rule_str=rule_str@entry=0x5555556bc867
"@SECLEVEL=2", head_p=head_p@entry=0x7fffffffe0c8,
tail_p=tail_p@entry=0x7fffffffe0d0, ca_list=ca_list@entry=0x5555556c3a30,
c=<optimized out>) at ../ssl/ssl_ciph.c:1193
1193 if (ok == 0)
(gdb) bt
#0 0x00007ffff735a9b5 in ssl_cipher_process_rulestr
(rule_str=rule_str@entry=0x5555556bc867 "@SECLEVEL=2",
head_p=head_p@entry=0x7fffffffe0c8, tail_p=tail_p@entry=0x7fffffffe0d0,
ca_list=ca_list@entry=0x5555556c3a30, c=<optimized out>) at
../ssl/ssl_ciph.c:1193
#1 0x00007ffff735b94d in ssl_create_cipher_list (ssl_method=<optimized out>,
tls13_ciphersuites=0x5555556c3210, cipher_list=0x5555556c2df8,
cipher_list_by_id=0x5555556c2e00, rule_str=<optimized out>,
rule_str@entry=0x5555556bc860 "DEFAULT@SECLEVEL=2", c=0x555555696800) at
../ssl/ssl_ciph.c:1579
#2 0x00007ffff73610b2 in SSL_CTX_set_cipher_list (ctx=<optimized out>,
str=str@entry=0x5555556bc860 "DEFAULT@SECLEVEL=2") at ../ssl/ssl_lib.c:2511
#3 0x00007ffff735cf0f in cmd_CipherString (cctx=0x5555556c3970,
value=0x5555556bc860 "DEFAULT@SECLEVEL=2") at ../ssl/ssl_conf.c:262
#4 0x00007ffff735d37f in SSL_CONF_cmd (cctx=cctx@entry=0x5555556c3970,
cmd=<optimized out>, value=0x5555556bc860 "DEFAULT@SECLEVEL=2") at
../ssl/ssl_conf.c:812
#5 0x00007ffff7366072 in ssl_do_config (s=s@entry=0x0,
ctx=ctx@entry=0x5555556c2df0, name=<optimized out>, name@entry=0x0,
system=system@entry=1) at ../ssl/ssl_mcnf.c:69
#6 0x00007ffff73661b1 in ssl_ctx_system_config (ctx=ctx@entry=0x5555556c2df0)
at ../ssl/ssl_mcnf.c:98
#7 0x00007ffff7361ad5 in SSL_CTX_new (meth=0x7ffff73b2d40
<TLS_method_data.23193>) at ../ssl/ssl_lib.c:3050
#8 0x000055555556e9b3 in reds_init_ssl (reds=0x555555696f70) at reds.c:2843
#9 0x000055555556e9b3 in do_spice_init (core_interface=<optimized out>,
reds=0x555555696f70) at reds.c:3457
#10 0x000055555556e9b3 in spice_server_init (reds=0x555555696f70,
core=<optimized out>) at reds.c:3694
#11 0x0000555555564d16 in server_leaks () at test-leaks.c:60
#12 0x00007ffff6afee7a in test_case_run (tc=0x555555695e00) at
../../../../glib/gtestutils.c:2318
#13 0x00007ffff6afee7a in g_test_run_suite_internal
(suite=suite@entry=0x555555694e40, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2403
#14 0x00007ffff6afed34 in g_test_run_suite_internal
(suite=suite@entry=0x555555694e20, path=path@entry=0x0) at
../../../../glib/gtestutils.c:2415
#15 0x00007ffff6aff132 in g_test_run_suite (suite=0x555555694e20) at
../../../../glib/gtestutils.c:2490
#16 0x00007ffff6aff151 in g_test_run () at ../../../../glib/gtestutils.c:1755
#17 0x000055555555fb08 in main (argc=<optimized out>, argv=<optimized out>) at
test-leaks.c:153
(gdb) print rule_str
$7 = 0x5555556bc867 "@SECLEVEL=2"
(gdb) list ssl_ciph.c:955,1200
955 static int ssl_cipher_process_rulestr(const char *rule_str,
956 CIPHER_ORDER **head_p,
957 CIPHER_ORDER **tail_p,
958 const SSL_CIPHER **ca_list, CERT
*c)
959 {
960 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
961 int min_tls;
962 const char *l, *buf;
963 int j, multi, found, rule, retval, ok, buflen;
964 uint32_t cipher_id = 0;
965 char ch;
966
967 retval = 1;
968 l = rule_str;
969 for ( ; ; ) {
970 ch = *l;
971
972 if (ch == '\0')
973 break; /* done */
974 if (ch == '-') {
975 rule = CIPHER_DEL;
976 l++;
977 } else if (ch == '+') {
978 rule = CIPHER_ORD;
979 l++;
980 } else if (ch == '!') {
981 rule = CIPHER_KILL;
982 l++;
983 } else if (ch == '@') {
984 rule = CIPHER_SPECIAL;
985 l++;
986 } else {
987 rule = CIPHER_ADD;
988 }
989
990 if (ITEM_SEP(ch)) {
991 l++;
992 continue;
993 }
994
995 alg_mkey = 0;
996 alg_auth = 0;
997 alg_enc = 0;
998 alg_mac = 0;
999 min_tls = 0;
1000 algo_strength = 0;
1001
1002 for (;;) {
1003 ch = *l;
1004 buf = l;
1005 buflen = 0;
1006 #ifndef CHARSET_EBCDIC
1007 while (((ch >= 'A') && (ch <= 'Z')) ||
1008 ((ch >= '0') && (ch <= '9')) ||
1009 ((ch >= 'a') && (ch <= 'z')) ||
1010 (ch == '-') || (ch == '.') || (ch == '='))
1011 #else
1012 while (isalnum((unsigned char)ch) || (ch == '-') || (ch ==
'.')
1013 || (ch == '='))
1014 #endif
1015 {
1016 ch = *(++l);
1017 buflen++;
1018 }
1019
1020 if (buflen == 0) {
1021 /*
1022 * We hit something we cannot deal with,
1023 * it is no command or separator nor
1024 * alphanumeric, so we call this an error.
1025 */
1026 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
SSL_R_INVALID_COMMAND);
1027 retval = found = 0;
1028 l++;
1029 break;
1030 }
1031
1032 if (rule == CIPHER_SPECIAL) {
1033 found = 0; /* unused -- avoid compiler warning */
1034 break; /* special treatment */
1035 }
1036
1037 /* check for multi-part specification */
1038 if (ch == '+') {
1039 multi = 1;
1040 l++;
1041 } else {
1042 multi = 0;
1043 }
1044
1045 /*
1046 * Now search for the cipher alias in the ca_list. Be
careful
1047 * with the strncmp, because the "buflen" limitation
1048 * will make the rule "ADH:SOME" and the cipher
1049 * "ADH-MY-CIPHER" look like a match for buflen=3.
1050 * So additionally check whether the cipher name found
1051 * has the correct length. We can save a strlen() call:
1052 * just checking for the '\0' at the right place is
1053 * sufficient, we have to strncmp() anyway. (We cannot
1054 * use strcmp(), because buf is not '\0' terminated.)
1055 */
1056 j = found = 0;
1057 cipher_id = 0;
1058 while (ca_list[j]) {
1059 if (strncmp(buf, ca_list[j]->name, buflen) == 0
1060 && (ca_list[j]->name[buflen] == '\0')) {
1061 found = 1;
1062 break;
1063 } else
1064 j++;
1065 }
1066
1067 if (!found)
1068 break; /* ignore this entry */
1069
1070 if (ca_list[j]->algorithm_mkey) {
1071 if (alg_mkey) {
1072 alg_mkey &= ca_list[j]->algorithm_mkey;
1073 if (!alg_mkey) {
1074 found = 0;
1075 break;
1076 }
1077 } else {
1078 alg_mkey = ca_list[j]->algorithm_mkey;
1079 }
1080 }
1081
1082 if (ca_list[j]->algorithm_auth) {
1083 if (alg_auth) {
1084 alg_auth &= ca_list[j]->algorithm_auth;
1085 if (!alg_auth) {
1086 found = 0;
1087 break;
1088 }
1089 } else {
1090 alg_auth = ca_list[j]->algorithm_auth;
1091 }
1092 }
1093
1094 if (ca_list[j]->algorithm_enc) {
1095 if (alg_enc) {
1096 alg_enc &= ca_list[j]->algorithm_enc;
1097 if (!alg_enc) {
1098 found = 0;
1099 break;
1100 }
1101 } else {
1102 alg_enc = ca_list[j]->algorithm_enc;
1103 }
1104 }
1105
1106 if (ca_list[j]->algorithm_mac) {
1107 if (alg_mac) {
1108 alg_mac &= ca_list[j]->algorithm_mac;
1109 if (!alg_mac) {
1110 found = 0;
1111 break;
1112 }
1113 } else {
1114 alg_mac = ca_list[j]->algorithm_mac;
1115 }
1116 }
1117
1118 if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
1119 if (algo_strength & SSL_STRONG_MASK) {
1120 algo_strength &=
1121 (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
1122 ~SSL_STRONG_MASK;
1123 if (!(algo_strength & SSL_STRONG_MASK)) {
1124 found = 0;
1125 break;
1126 }
1127 } else {
1128 algo_strength = ca_list[j]->algo_strength &
SSL_STRONG_MASK;
1129 }
1130 }
1131
1132 if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
1133 if (algo_strength & SSL_DEFAULT_MASK) {
1134 algo_strength &=
1135 (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
1136 ~SSL_DEFAULT_MASK;
1137 if (!(algo_strength & SSL_DEFAULT_MASK)) {
1138 found = 0;
1139 break;
1140 }
1141 } else {
1142 algo_strength |=
1143 ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
1144 }
1145 }
1146
1147 if (ca_list[j]->valid) {
1148 /*
1149 * explicit ciphersuite found; its protocol version
does not
1150 * become part of the search pattern!
1151 */
1152
1153 cipher_id = ca_list[j]->id;
1154 } else {
1155 /*
1156 * not an explicit ciphersuite; only in this case, the
1157 * protocol version is considered part of the search
pattern
1158 */
1159
1160 if (ca_list[j]->min_tls) {
1161 if (min_tls != 0 && min_tls != ca_list[j]->min_tls)
{
1162 found = 0;
1163 break;
1164 } else {
1165 min_tls = ca_list[j]->min_tls;
1166 }
1167 }
1168 }
1169
1170 if (!multi)
1171 break;
1172 }
1173
1174 /*
1175 * Ok, we have the rule, now apply it
1176 */
1177 if (rule == CIPHER_SPECIAL) { /* special command */
1178 ok = 0;
1179 if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0) {
1180 ok = ssl_cipher_strength_sort(head_p, tail_p);
1181 } else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) ==
0) {
1182 int level = buf[9] - '0';
1183 if (level < 0 || level > 5) {
1184 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1185 SSL_R_INVALID_COMMAND);
1186 } else {
1187 c->sec_level = level;
1188 ok = 1;
1189 }
1190 } else {
1191 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
SSL_R_INVALID_COMMAND);
1192 }
1193 if (ok == 0)
1194 retval = 0;
1195 /*
1196 * We do not support any "multi" options
1197 * together with "@", so throw away the
1198 * rest of the command, if any left, until
1199 * end or ':' is found.
1200 */
(gdb) print *cmds
$12 = {cmd = 0x5555556bc800 "MinProtocol", arg = 0x5555556bc820 "TLSv1.2"}
root@debian:/etc# grep MinProtocol . -R
./ssl/openssl.cnf:MinProtocol = TLSv1.2
root@debian:/etc# grep SECLEVEL /etc/ssl/openssl.cnf
CipherString = DEFAULT@SECLEVEL=2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907518
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1