Bug#1008062: marked as done (buster-pu: package gnutls28/3.6.7-4+deb10u7.1)

Debian Bug Tracking System Sat, 10 Sep 2022 05:51:17 -0700

Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id 
<2cfc9645343bdb910fe19c07bddfec2c428346a3.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1008062,
regarding buster-pu: package gnutls28/3.6.7-4+deb10u7.1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1008062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008062
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: buster
Severity: normal

I prepared an update to fix the debci regression caused by the openssl
update. The complete analysis is in #959469.

The patch affects only the testsuite which is run as part of debci. The
testsuite which is run as part of the build build process is not
affeccted. The runtime code of the package is also not affected by the
patch.
Therefore I believe the impact is minimal.
I did verify this change in a local chroot.

Sebastian

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2021-05-14 13:33:38.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2022-03-21 14:52:01.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport testcompat-openssl-improve-testing-against-secured-O.patch to
+    pass testsuite with openssl 1.1.1e.
+
+ -- Sebastian Andrzej Siewior <[email protected]>  Mon, 21 Mar 2022 14:52:01 +0100
+
 gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium
 
   * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2021-05-11 18:13:03.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2022-03-21 08:35:24.000000000 +0100
@@ -23,3 +23,4 @@
 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+testcompat-openssl-improve-testing-against-secured-O.patch
diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch
--- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	2022-03-21 08:37:07.000000000 +0100
@@ -0,0 +1,274 @@
+From: Dimitri John Ledkov <[email protected]>
+Date: Mon, 21 Mar 2022 07:44:25 +0100
+Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL
+
+[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ]
+
+In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
+requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
+allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
+and thus enabling testing more compatability combinations.
+
+Signed-off-by: Dimitri John Ledkov <[email protected]>
+Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
+---
+ tests/suite/testcompat-main-openssl | 67 +++++++++++++----------------
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
+index d2708bfa8c710..2ea762faebaca 100755
+--- a/tests/suite/testcompat-main-openssl
++++ b/tests/suite/testcompat-main-openssl
+@@ -74,7 +74,6 @@ NO_TLS1_2=$?
+ 
+ test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+ 
+-
+ ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+ if test $? = 0;then
+ 	NO_DH_PARAMS=0
+@@ -82,18 +81,8 @@ else
+ 	NO_DH_PARAMS=1
+ fi
+ 
+-# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+-# are not accepted by openssl on debian.
+-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+-if test $? = 0;then
+-	NO_DSS=1
+-	FIPS_CURVES=1
+-else
+-	${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+-	NO_DSS=$?
+-fi
+-
+-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
++NO_DSS=$?
+ 
+ if test $NO_DSS != 0;then
+ 	echo "Disabling interop tests for DSS ciphersuites"
+@@ -121,6 +110,10 @@ NO_NULL=$?
+ 
+ test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+ 
++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
++NO_PRIME192v1=$?
++
++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+ 
+ if test "${NO_DH_PARAMS}" = 0;then
+ 	OPENSSL_DH_PARAMS_OPT=""
+@@ -218,7 +211,7 @@ run_client_suite() {
+ 
+ 	#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -267,9 +260,9 @@ run_client_suite() {
+ 	kill ${PID}
+ 	wait
+ 
+-	if test "${FIPS_CURVES}" != 1; then
++	if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -283,7 +276,7 @@ run_client_suite() {
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -298,7 +291,7 @@ run_client_suite() {
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -312,7 +305,7 @@ run_client_suite() {
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -326,7 +319,7 @@ run_client_suite() {
+ 
+ 	#-cipher PSK
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -341,7 +334,7 @@ run_client_suite() {
+ 		# Tests requiring openssl 1.0.1 - TLS 1.2
+ 		#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -442,7 +435,7 @@ run_client_suite() {
+ 	wait
+ 
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_udp_server ${PID}
+ 
+@@ -455,7 +448,7 @@ run_client_suite() {
+ 	wait
+ 
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_udp_server ${PID}
+ 
+@@ -469,7 +462,7 @@ run_client_suite() {
+ 
+ 	if test "${NO_DSS}" = 0; then
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_udp_server ${PID}
+ 
+@@ -591,7 +584,7 @@ run_server_suite() {
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+-	${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -604,7 +597,7 @@ run_server_suite() {
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+-		${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -618,7 +611,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-RSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -632,7 +625,7 @@ run_server_suite() {
+ 		wait_server ${PID}
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+-		${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -646,7 +639,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -659,7 +652,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -673,7 +666,7 @@ run_server_suite() {
+ 		wait_server ${PID}
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+-		${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -687,7 +680,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher PSK-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
++	${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -726,7 +719,7 @@ run_server_suite() {
+ 			PID=$!
+ 			wait_server ${PID}
+ 
+-			${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++			${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 				fail ${PID} "Failed"
+ 
+ 			kill ${PID}
+@@ -768,7 +761,7 @@ run_server_suite() {
+ 			wait_server ${PID}
+ 
+ 			#-cipher ECDHE-ECDSA-AES128-SHA
+-			${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++			${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 				fail ${PID} "Failed"
+ 
+ 			kill ${PID}
+@@ -839,7 +832,7 @@ run_server_suite() {
+ 	wait_udp_server ${PID}
+ 
+ 
+-	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -853,7 +846,7 @@ run_server_suite() {
+ 	wait_udp_server ${PID}
+ 
+ 
+-	${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -868,7 +861,7 @@ run_server_suite() {
+ 		wait_udp_server ${PID}
+ 
+ 
+-		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+-- 
+2.35.1
+

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam

--- End Message ---

Bug#1008062: marked as done (buster-pu: package gnutls28/3.6.7-4+deb10u7.1)

Reply via email to