Thanks. I expect that this might be due to the last change - erroring out on an expired self-signed root cert. Though I thought we didn’t check in a root cert for our test chain...could Debian’s packaging be including a cert for testing?
I will try to take a look this week with Debian sid...I assume it has 1.1.1i already?

— justin

On Sun, Dec 27, 2020 at 10:39 AM James McCoy <james...@debian.org> wrote:
> On Sat, Dec 26, 2020 at 11:09:41PM +0100, Lucas Nussbaum wrote:
> > Source: serf
> > Version: 1.3.9-8
> > [...]
> > > Trailer-Test: f
> > > ...........F......................................................
> > >
> > > There was 1 failure:
> > > 1) test_ssl_handshake: test/test_util.c:456: expected <0> but was <120199>
>
> It looks like the change from libssl1.1 version 1.1.1h to 1.1.1i
> regressed this test.
>
> The documented changes between these two releases are:
>
> Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
>
>  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
>     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
>     If an attacker can control both items being compared then this could lead
>     to a possible denial of service attack. OpenSSL itself uses the
>     GENERAL_NAME_cmp function for two purposes:
>     1) Comparing CRL distribution point names between an available CRL and a
>        CRL distribution point embedded in an X509 certificate
>     2) When verifying that a timestamp response token signer matches the
>        timestamp authority name (exposed via the API functions
>        TS_RESP_verify_response and TS_RESP_verify_token)
>     (CVE-2020-1971)
>     [Matt Caswell]
>
>  *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
>     [Stuart Carnie]
>
>  *) The security callback, which can be customised by application code, supports
>     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
>     in the "other" parameter. In most places this is what is passed. All these
>     places occur server side. However there was one client side call of this
>     security operation and it passed a DH object instead. This is incorrect
>     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
>     of the other locations. Therefore this client side call has been changed to
>     pass an EVP_PKEY instead.
>     [Matt Caswell]
>
>  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
>     when validating a certificate path. This check is restored in 1.1.1i.
>     [David von Oheimb]
>
> The full diff is at
> https://github.com/openssl/openssl/compare/OpenSSL_1_1_1h...OpenSSL_1_1_1i
>
> Cheers,
> --
> James
> GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
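The changelog entry that the thread points at (an expired trusted root is rejected again in 1.1.1i, whereas 1.1.1h let it pass) is easy to reproduce in isolation when diagnosing a test fixture like serf's. The following is an added example, not code from the serf thread, from serf itself or from OpenSSL: it builds a constructed chain whose self-signed root expired a year ago while the leaf is still valid, and runs a deliberately simplified path check that either ignores or includes the trust anchor's validity window, modelling the behaviour difference the changelog describes. It assumes the `cryptography` package is installed; the certificate names, key type and dates are constructed for the example.

```python
"""Added example: model OpenSSL 1.1.1h vs 1.1.1i handling of an expired trust
anchor with a constructed test chain. Not OpenSSL's verifier; a simplified
check that only covers issuer signatures and validity windows."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(subject, issuer, pubkey, signing_key, not_before, not_after, is_ca):
    """Build and sign one certificate (constructed helper, ECDSA P-256 / SHA-256)."""
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_test_chain(now):
    """Constructed fixture: a self-signed root that expired one year before `now`
    and a leaf signed by that root whose own window still covers `now`."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test Root")])
    root = _make_cert(root_name, root_name, root_key.public_key(), root_key,
                      now - dt.timedelta(days=3 * 365), now - dt.timedelta(days=365), True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost")])
    leaf = _make_cert(leaf_name, root_name, leaf_key.public_key(), root_key,
                      now - dt.timedelta(days=30), now + dt.timedelta(days=30), False)
    return leaf, root


def _validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is None:  # cryptography < 42 exposes naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
                cert.not_valid_after.replace(tzinfo=dt.timezone.utc))
    return not_before, cert.not_valid_after_utc


def check_path(chain, trust_anchor, now, check_anchor_expiry):
    """Simplified path check. Returns (ok, reason).

    Each certificate's signature is verified against the next one up; validity
    windows are checked for the chain and, only when check_anchor_expiry is True,
    for the trust anchor as well (the check 1.1.1h skipped and 1.1.1i restored)."""
    certs = list(chain) + [trust_anchor]
    for cert, issuer in zip(certs, certs[1:]):
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False, "bad signature on " + cert.subject.rfc4514_string()
    to_check = certs if check_anchor_expiry else certs[:-1]
    for cert in to_check:
        not_before, not_after = _validity_window(cert)
        if not (not_before <= now <= not_after):
            return False, "certificate has expired: " + cert.subject.rfc4514_string()
    return True, "ok"


def compare_behaviours(now=None):
    """Run the same chain through both policies; the only difference is the anchor check."""
    now = now or dt.datetime.now(dt.timezone.utc)
    leaf, root = build_test_chain(now)
    return {
        "ignore_anchor_expiry": check_path([leaf], root, now, check_anchor_expiry=False),
        "check_anchor_expiry": check_path([leaf], root, now, check_anchor_expiry=True),
    }


if __name__ == "__main__":
    for policy, result in compare_behaviours().items():
        print(f"{policy}: {result}")
```

Run against a real fixture, the same idea applies: load the test root with `x509.load_pem_x509_certificate` and compare its `not_valid_after` with the clock before blaming the TLS handshake code, since a chain that passes with the anchor check off and fails with it on points at the fixture's root rather than at a regression in the client.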