Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-09-05 Thread Adam D. Barratt 
Control: tags -1 + pending

On Sun, 2016-09-04 at 18:01 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-08-23 at 21:47 +0200, Kurt Roeckx wrote:
> > The current debdiff we'd like to upload is:
> > diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> > --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
> > +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200
> > @@ -1,3 +1,14 @@
> > +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> > +
> > +  [ Kurt Roeckx ]
> > +  * Fix length check for CRLs. (Closes: #826552)
> > +
> > +  [ Sebastian Andrzej Siewior ]
> > +  * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> > +(Closes: #833156).
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam

Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-09-05 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + pending
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) pending.

-- 
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-09-04 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Tue, 2016-08-23 at 21:47 +0200, Kurt Roeckx wrote:
> The current debdiff we'd like to upload is:
> diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> --- openssl-1.0.1t/debian/changelog   2016-05-15 21:16:55.0 +0200
> +++ openssl-1.0.1t/debian/changelog   2016-06-11 19:18:11.0 +0200
> @@ -1,3 +1,14 @@
> +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> +
> +  [ Kurt Roeckx ]
> +  * Fix length check for CRLs. (Closes: #826552)
> +
> +  [ Sebastian Andrzej Siewior ]
> +  * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> +(Closes: #833156).

Please go ahead.

Regards,

Adam

Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-09-04 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) confirmed.

-- 
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-09-04 Thread Kurt Roeckx 
On Tue, Aug 23, 2016 at 09:47:22PM +0200, Kurt Roeckx wrote:
> The current debdiff we'd like to upload is:
> diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> --- openssl-1.0.1t/debian/changelog   2016-05-15 21:16:55.0 +0200
> +++ openssl-1.0.1t/debian/changelog   2016-06-11 19:18:11.0 +0200
> @@ -1,3 +1,14 @@
> +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> +
> +  [ Kurt Roeckx ]
> +  * Fix length check for CRLs. (Closes: #826552)
> +
> +  [ Sebastian Andrzej Siewior ]
> +  * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> +(Closes: #833156).
> +
> + -- Kurt Roeckx   Sat, 11 Jun 2016 19:18:11 +0200
> +
>  openssl (1.0.1t-1+deb8u2) jessie; urgency=medium

Ping?


Kurt

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-08-23 Thread Kurt Roeckx 
The current debdiff we'd like to upload is:
diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
+++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200
@@ -1,3 +1,14 @@
+openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
+
+  [ Kurt Roeckx ]
+  * Fix length check for CRLs. (Closes: #826552)
+
+  [ Sebastian Andrzej Siewior ]
+  * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
+(Closes: #833156).
+
+ -- Kurt Roeckx   Sat, 11 Jun 2016 19:18:11 +0200
+
 openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
 
   * add Update-S-MIME-certificates.patch to update expired certificates to
diff -Nru openssl-1.0.1t/debian/patches/debian-targets.patch 
openssl-1.0.1t/debian/patches/debian-targets.patch
--- openssl-1.0.1t/debian/patches/debian-targets.patch  2016-05-01 
23:53:42.0 +0200
+++ openssl-1.0.1t/debian/patches/debian-targets.patch  2016-06-11 
19:18:11.0 +0200
@@ -56,7 +56,7 @@
 +"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK 
DES_RISC1 
DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"debian-ppc64el","gcc:-m64 -DL_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK 
DES_RISC1 
DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"debian-s390","gcc:-DB_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT 
DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK 
DES_INT 
DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390x","gcc:-DB_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK 
DES_INT 
DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"debian-sh3",   "gcc:-DL_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"debian-sh4",   "gcc:-DL_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"debian-sh3eb",   "gcc:-DB_ENDIAN -DTERMIO 
${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
--- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
1970-01-01 01:00:00.0 +0100
+++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
2016-06-11 19:16:05.0 +0200
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" 
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz 
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
 b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+-if (len > X509_NAME_MAX) {
+-ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+-return 0;
+-}
++if (len > X509_NAME_MAX)
++len = X509_NAME_MAX;
+ q = p;
+ 
+ /* Get internal representation of Name */
+-- 
+2.8.1
+
diff -Nru openssl-1.0.1t/debian/patches/series 
openssl-1.0.1t/debian/patches/series
--- openssl-1.0.1t/debian/patches/series2016-05-15 21:16:55.0 
+0200
+++ openssl-1.0.1t/debian/patches/series2016-06-11 19:18:11.0 
+0200
@@ -20,3 +20,4 @@
 openssl_fix_for_x32.patch
 ppc64el.patch
 Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-27 Thread Kurt Roeckx 
I guess I should just keep the SSLv2 symbols.  I assume you don't
have a problem with the other change?


Kurt

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-13 Thread Kurt Roeckx 
On Mon, Jun 13, 2016 at 10:19:29AM +0200, Julien Cristau wrote:
> On Mon, Jun 13, 2016 at 00:50:05 +0200, Kurt Roeckx wrote:
> 
> > I should probably add that I don't intend to fix this in
> > testing/unstable.  There are probably reverse dependencies that
> > saw those symbols are available and then started using them again,
> > and so it would break things.  But I'm going to change to the 1.1
> 
> Doesn't the same reasoning apply to stable?

There currently shouldn't be reverse dependencies that saw the
defines so it could pick up the symbols, but the longer it stays
like this the more likely some upload will see it and use it.

> Why was this not caught when updating the libssl1.0.2.symbols file for
> the new release?

The .symbols files just looks like:
libcrypto.so.1.0.2 libssl1.0.2 #MINVER#
 *@OPENSSL_1.0.2d 1.0.2d
 *@OPENSSL_1.0.2g 1.0.2g
libssl.so.1.0.2 libssl1.0.2 #MINVER#
 *@OPENSSL_1.0.2d 1.0.2d
 *@OPENSSL_1.0.2g 1.0.2g

And the symbols already "existed", they were just not exported.

> > soname soon anyway, and it'll get fixed at that point.  Also, the
> > symbols are available but if you try to use them it's not going to
> > do anything useful.
> > 
> 
> > But I'd like to remove them in stable again, since nothing there
> > should use on it now, and it broke something.
> > 
> Can you be more specific than "broke something"?

https://github.com/openssl/openssl/issues/1190

But I guess that will solve itself.


Kurt

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-13 Thread Julien Cristau 
On Mon, Jun 13, 2016 at 00:50:05 +0200, Kurt Roeckx wrote:

> I should probably add that I don't intend to fix this in
> testing/unstable.  There are probably reverse dependencies that
> saw those symbols are available and then started using them again,
> and so it would break things.  But I'm going to change to the 1.1

Doesn't the same reasoning apply to stable?

Why was this not caught when updating the libssl1.0.2.symbols file for
the new release?

> soname soon anyway, and it'll get fixed at that point.  Also, the
> symbols are available but if you try to use them it's not going to
> do anything useful.
> 

> But I'd like to remove them in stable again, since nothing there
> should use on it now, and it broke something.
> 
Can you be more specific than "broke something"?

Cheers,
Julien

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-12 Thread Kurt Roeckx 
On Sat, Jun 11, 2016 at 11:35:24PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 11, 2016 at 09:57:29PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> > > The SSLv2 methods actually didn't exist in jessie, but some
> > > defaults where changed and the SSLv2 methods now in jessie just
> > > return NULL.  This removes the symbols again.  Exposing the
> > > symbols in the headers actually seems to have broken something,
> > > so this removes them again.  It was actually never the intention
> > > to introduce those symbols again.
> > [...]
> > > -CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> > > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  
> > > enable-tlsext no-ssl2 no-ssl3
> > > +CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> > > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib 
> > > enable-tlsext no-ssl2 no-ssl2-method no-ssl3
> > 
> > Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has
> > no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.
> 
> You're right, it has the same problem.  I completly forgot that, and
> I even commited that myself.
> 
> The reason for splitting no-ssl2 into no-ssl2 and no-ssl2-method
> is that we turned no-ssl2 on by default and people were suprised
> that SSLv2_* methods actually got removed and it of course broke
> various distributions that didn't builld with no-ssl2.  So we
> changed the default to make those funtions return NULL instead by
> default, and then remove them with no-ssl2-method.

I should probably add that I don't intend to fix this in
testing/unstable.  There are probably reverse dependencies that
saw those symbols are available and then started using them again,
and so it would break things.  But I'm going to change to the 1.1
soname soon anyway, and it'll get fixed at that point.  Also, the
symbols are available but if you try to use them it's not going to
do anything useful.

But I'd like to remove them in stable again, since nothing there
should use on it now, and it broke something.


Kurt

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-11 Thread Kurt Roeckx 
On Sat, Jun 11, 2016 at 09:57:29PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> > The SSLv2 methods actually didn't exist in jessie, but some
> > defaults where changed and the SSLv2 methods now in jessie just
> > return NULL.  This removes the symbols again.  Exposing the
> > symbols in the headers actually seems to have broken something,
> > so this removes them again.  It was actually never the intention
> > to introduce those symbols again.
> [...]
> > -CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  
> > enable-tlsext no-ssl2 no-ssl3
> > +CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib 
> > enable-tlsext no-ssl2 no-ssl2-method no-ssl3
> 
> Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has
> no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.

You're right, it has the same problem.  I completly forgot that, and
I even commited that myself.

The reason for splitting no-ssl2 into no-ssl2 and no-ssl2-method
is that we turned no-ssl2 on by default and people were suprised
that SSLv2_* methods actually got removed and it of course broke
various distributions that didn't builld with no-ssl2.  So we
changed the default to make those funtions return NULL instead by
default, and then remove them with no-ssl2-method.


Kurt

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-11 Thread Adam D. Barratt 
Control: tags -1 + moreinfo

On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> The SSLv2 methods actually didn't exist in jessie, but some
> defaults where changed and the SSLv2 methods now in jessie just
> return NULL.  This removes the symbols again.  Exposing the
> symbols in the headers actually seems to have broken something,
> so this removes them again.  It was actually never the intention
> to introduce those symbols again.
[...]
> -CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  
> enable-tlsext no-ssl2 no-ssl3
> +CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib 
> enable-tlsext no-ssl2 no-ssl2-method no-ssl3

Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has
no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.

Regards,

Adam

Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-11 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + moreinfo
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) moreinfo.

-- 
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3

2016-06-11 Thread Kurt Roeckx 
Package: release.debian.org
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update the version in stable for openssl.  See the
debdiff below.

The SSLv2 methods actually didn't exist in jessie, but some
defaults where changed and the SSLv2 methods now in jessie just
return NULL.  This removes the symbols again.  Exposing the
symbols in the headers actually seems to have broken something,
so this removes them again.  It was actually never the intention
to introduce those symbols again.

The other fix is a regression.

There are also some open CVEs in upstream git, but I'll wait with
those until there is actually a new release.


Kurt

diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
+++ openssl-1.0.1t/debian/changelog 2016-06-11 19:20:02.0 +0200
@@ -1,3 +1,11 @@
+openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
+
+  * Disable SSLv2 methods again, changes upstream has split no-ssl2 into
+no-ssl2 and no-ssl2-method
+  * Fix length check for CRLs. (Closes: #826552)
+
+ -- Kurt Roeckx   Sat, 11 Jun 2016 19:18:11 +0200
+
 openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
 
   * add Update-S-MIME-certificates.patch to update expired certificates to
diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
--- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
1970-01-01 01:00:00.0 +0100
+++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 
2016-06-11 19:16:05.0 +0200
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" 
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz 
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
 b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+-if (len > X509_NAME_MAX) {
+-ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+-return 0;
+-}
++if (len > X509_NAME_MAX)
++len = X509_NAME_MAX;
+ q = p;
+ 
+ /* Get internal representation of Name */
+-- 
+2.8.1
+
diff -Nru openssl-1.0.1t/debian/patches/series 
openssl-1.0.1t/debian/patches/series
--- openssl-1.0.1t/debian/patches/series2016-05-15 21:16:55.0 
+0200
+++ openssl-1.0.1t/debian/patches/series2016-06-11 19:19:06.0 
+0200
@@ -20,3 +20,4 @@
 openssl_fix_for_x32.patch
 ppc64el.patch
 Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch
diff -Nru openssl-1.0.1t/debian/rules openssl-1.0.1t/debian/rules
--- openssl-1.0.1t/debian/rules 2016-05-06 14:16:42.0 +0200
+++ openssl-1.0.1t/debian/rules 2016-06-11 19:18:36.0 +0200
@@ -26,7 +26,7 @@
export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)-
 endif
 
-CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  
enable-tlsext no-ssl2 no-ssl3
+CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext 
no-ssl2 no-ssl2-method no-ssl3
 OPT_alpha = ev4 ev5
 OPT_i386  = i586 i686/cmov
 ARCHOPTS  = OPT_$(DEB_HOST_ARCH)