On Sep 16, 2017, at 12:57 PM, John Found <johnfo...@asm32.info> wrote:
> On Sat, 16 Sep 2017 13:44:51 -0500
> Andy Goth <andrew.m.g...@gmail.com> wrote:
>> Please type "openssl version" and let us know what it prints.
> OpenSSL 1.1.0f  25 May 2017

There’s a known bug in that version of OpenSSL which was fixed in the very next 
version, 1.1.1.  

Quoting from the OpenSSL 1.1.1 ChangeLog:

>  *) Rewrite of BIO networking library. The BIO library lacked consistent
>     support of IPv6, and adding it required some more extensive
>     modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
>     which hold all types of addresses and chains of address information.
>     It also introduces a new API, with functions like BIO_socket,
>     BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
>     The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
>     have been adapted accordingly.
>     [Richard Levitte]

One solution you have, therefore, is to install the source code for OpenSSL 
1.1.1 or 1.0.2n into compat/openssl under the Fossil source tree, build the 
library, then reconfigure Fossil, adding --with-openssl=tree to whatever other 
options you’d normally use.

You may need to add this to your ~/.profile:

    export SSL_CERT_DIR=/etc/ssl/certs

This non-platform version of OpenSSL will not be able to find your platform CA 
certificate store otherwise.

Another solution is simply to disable IPv6 everywhere in your system.

A third solution would be to lean on Debian/Raspbian/Ubuntu, etc. to backport 
this fix from 1.1.1 to 1.1.0f.  I don’t hold out much hope on this since the 
fix is described as a “rewrite” of a core I/O library.

Therefore, a fourth solution is to simply ignore it until 2020 or so, by which 
time you should have a new version of your stable OS’s core libraries, as long 
as you’re willing to upgrade at that time.
fossil-users mailing list

Reply via email to