Control: found -1 0.14.0-1 Control: tags -1 + confirmed Control: retitle -1 spice: FTBFS if openssl/1.1.1-1 is installed (with new defaults via /etc/ssl/openssl.cnf)
Hi Bernhard, On Tue, Oct 09, 2018 at 02:36:55PM +0200, Bernhard ??belacker wrote: > Hello Salvatore Bonaccorso, > just tried to find some information without deeper knowledge > of spice or openssl. > > In the end I think the update of openssl from 1.1.0h-4 to > 1.1.1-4 makes the difference. > > Since some 1.1.1 version /etc/ssl/openssl.cnf seems to contain: > CipherString = DEFAULT@SECLEVEL=2 > > This level is responsible to not accept the 80 bits used in > the certificate in this test, while we need at least 112 bits. Thanks for tracking this down, with a detailed analysis, this is indeed seems the problem. Previous installations of the chroots did not contain the openssl package, and correlating then with the openssl update as well 0.14.0-1 would fail. ca-certificates is not part of the needed Build-Depends, but recently buildd chroots started to include apt-transport-https, inclduing openssl as dependency and now uncovering this issue. > Therefore I assume upstream should replace this certificate. Ack, this seems right. Salvatore
