Control: reassign -1 apt 3.0.3

On 2026-06-19 09:37:09 [+0200], Julian Andres Klode wrote:
> This seems to be a bug in OpenSSL, and the proposed workaround is
> wholly inappropriate. This also points out there is _another_ bug
> somewhere, as we _should_ have raised this error _before_ we enter
> the Read/Write functions.

Moving back to apt after consulting with upstream, the details are in
        https://github.com/openssl/openssl/issues/31624

There is:
| The correct fix is for the application (apt in this case), to do what
| postgresql did, and call ERR_clear_error(), prior to a subsequent SSL
| call.

and 

| I want to add one nuance after checking the source code of 3.5: I'm not
| convinced that upstream libssl 3.5.6 is the source of the stale
| MD5/MD5-SHA1 error described here. In the code, the optional digest
| fetch helper ssl_evp_md_fetch uses ERR_set_mark / ERR_pop_to_mark, and
| the sigalg probing code is also protected.
| 
| Apt source code also uses OpenSSL EVP digest code outside the TLS path,
| including MD5 hashing, so there may be more than one possible source of
| a stale FIPS/provider error before the later TLS I/O.

> Thanks!

Sebastian
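
Added illustration, not part of the message above and not OpenSSL or apt code: a simplified C model of the per-thread error queue, showing why a stale digest error makes a later would-block TLS read look like a fatal error, and how ERR_clear_error() before the I/O call or ERR_set_mark / ERR_pop_to_mark around the probe avoids that. All m_* names and numeric ids are constructed for the model; the check order follows the documented behaviour of SSL_get_error().

```c
/* Simplified model, not OpenSSL source; every name here is hypothetical. */
#include <stddef.h>

enum { M_LIB_SYS = 2, M_LIB_EVP = 6 };   /* constructed library ids */
enum { M_ERROR_NONE, M_ERROR_SSL, M_ERROR_WANT_READ, M_ERROR_SYSCALL };

#define QMAX 16
static int queue[QMAX];                  /* library id of each queued error */
static size_t qlen, mark;                /* one mark level is enough here */

static void m_raise(int lib)    { if (qlen < QMAX) queue[qlen++] = lib; }
static int  m_peek(void)        { return qlen ? queue[0] : 0; }
static void m_clear(void)       { qlen = 0; }                     /* ERR_clear_error() */
static void m_set_mark(void)    { mark = qlen; }                  /* ERR_set_mark() */
static void m_pop_to_mark(void) { if (qlen > mark) qlen = mark; } /* ERR_pop_to_mark() */

/* Optional digest probe that fails, e.g. MD5 refused by a FIPS provider. */
static void probe_digest(int guarded)
{
    if (guarded) m_set_mark();
    m_raise(M_LIB_EVP);               /* the failed fetch queues an error */
    if (guarded) m_pop_to_mark();     /* a guarded caller discards it again */
}

/* Check order of SSL_get_error() for a non-positive return value: a queued
 * error wins over the transport's would-block state (other outcomes omitted). */
static int m_get_error(int ret, int would_block)
{
    if (ret > 0) return M_ERROR_NONE;
    if (m_peek() != 0)
        return m_peek() == M_LIB_SYS ? M_ERROR_SYSCALL : M_ERROR_SSL;
    return would_block ? M_ERROR_WANT_READ : M_ERROR_SYSCALL;
}

/* Non-blocking read that finds no data yet: returns -1 and raises nothing. */
int read_result(int guarded_probe, int clear_before_io)
{
    m_clear();
    probe_digest(guarded_probe);      /* hashing done earlier in the process */
    if (clear_before_io) m_clear();   /* clear the queue before the TLS call */
    return m_get_error(-1, 1);
}
```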
