Package: openssl
Version: 0.9.8o-4squeeze1
Severity: normal

After upgrading to OpenSSL 1.0.0d-3, I noticed two problems over 0.9.8:

1) OCSP server only uses IPv6
2) OCSP server only binds to localhost

I worked around the IPv6 issue by disabling IPv6 altogether on the Debian host.

The second issue was worked around by downloading/building the source from http://www.openssl.org/source/openssl-1.0.0d.tar.gz not using the Debian packaging, since I'm not sure how it works with that subversion stuff tbh. After installing it into /usr/local/ssl/bin/openssl, it now successfully binds to * (INADDR_ANY, IIUC).

I next tried to work out how the Debian package patches crypto/bio/b_sock.c, if at all. And I couldn't see any changes there. So I'm at a loss.

Unfortunately testing the OCSP responder is a bit tricky, since you need a bunch of keys set up. Example invocation I'm using is:

    sudo /usr/local/ssl/bin/openssl ocsp -index demoCA/index.txt -port 8080 -rsigner demoCA/rsigner.pem -rkey demoCA/rkey-unencrypted.pem -CA demoCA/CA.pem -text -ndays 7

Many thanks,

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (700, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6            2.11.2-10          Embedded GNU C Library: Shared lib
ii  libssl0.9.8      0.9.8o-4squeeze1   SSL shared libraries
ii  zlib1g           1:1.2.3.4.dfsg-3   compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20090814+nmu2      Common CA certificates

-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]

-- no debconf information