<div dir="ltr">Package: openssl<br>Version: 1.1.1d-0+deb10u2<br>Severity: minor<br><br>Dear Maintainer,<br><br>   * What led up to the situation?<div><br></div><div>$ find debian/ -type f -exec grep SECLEVEL {} +<br>debian/patches/Set-systemwide-default-settings-for-libssl-users.patch:+CipherString = DEFAULT@SECLEVEL=2<br><br>By mistake?         CipherString = DEFAULT@SECLEVEL=2<br>Correctly,          CipherString = DEFAULT:@SECLEVEL=2<br><br>Or, less commonly,  CipherString = DEFAULT @SECLEVEL=2<br>                    CipherString = DEFAULT;@SECLEVEL=2<br>                    CipherString = DEFAULT,@SECLEVEL=2<br><br></div><div>   * What exactly did you do (or not do) that was effective (or<br>     ineffective)?</div><div><br></div><div><div>@ is not a separator. For example, there is a bug like this:<br><br>$ openssl ciphers -V 'DEFAULT:@@SECLEVEL=3:!DH:!DHE:!SSLv3:!TLSv1' | wc -l<br>Error in cipher list<br>140484549702784:error:140E6118:SSL routines:ssl_cipher_process_rulestr:invalid command:../ssl/ssl_ciph.c:1028:<br>140484549702784:error:140E6118:SSL routines:ssl_cipher_process_rulestr:invalid command:../ssl/ssl_ciph.c:1193:<br>0<br><br>$ openssl ciphers -V 'DEFAULT::@SECLEVEL=3:!DH:!DHE:!SSLv3:!TLSv1' | wc -l<br>27<br></div><div><br></div>   * What was the outcome of this action?</div><div><br></div><div>The format becomes the same as in the other documents by adding ':'.<br></div><div><br></div><div>$ find openssl openssl-1.1.1d/ -type f -exec grep DEFAULT.*SECLEVEL {} +<br>openssl/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },<br>openssl/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch:+CipherString = DEFAULT@SECLEVEL=2<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf.in:        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br>openssl-1.1.1d/test/ssl-tests/28-seclevel.conf:CipherString = DEFAULT:@SECLEVEL=3<br><br></div><div>   * What outcome did you expect instead?<br><br>ITEM_SEP = the separator is ':' or space or ';' or ','<br><br>$ grep -A 2 "^#define ITEM_SEP" --color openssl-1.1.1d/ssl/ssl_ciph.c<br>#define ITEM_SEP(a) \<br>        (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))<br><br>@ is one of the rules.<br>rule = '\0' or '-' or '+' or '!' or '@'<br><br>$ grep "^        ch = \*l;" -B 1 -A 23 openssl-1.1.1d/ssl/ssl_ciph.c<br>    for ( ; ; ) {<br>        ch = *l;<br><br>        if (ch == '\0')<br>            break;              /* done */<br>        if (ch == '-') {<br>            rule = CIPHER_DEL;<br>            l++;<br>        } else if (ch == '+') {<br>            rule = CIPHER_ORD;<br>            l++;<br>        } else if (ch == '!') {<br>            rule = CIPHER_KILL;<br>            l++;<br>        } else if (ch == '@') {<br>            rule = CIPHER_SPECIAL;<br>            l++;<br>        } else {<br>            rule = CIPHER_ADD;<br>        }<br><br>        if (ITEM_SEP(ch)) {<br>            l++;<br>            continue;<br>        }<br><br>$ grep -A 8 CHARSET_EBCDIC openssl-1.1.1d/ssl/ssl_ciph.c<br>#ifndef CHARSET_EBCDIC<br>            while (((ch >= 'A') && (ch <= 'Z')) ||<br>                   ((ch >= '0') && (ch <= '9')) ||<br>                   ((ch >= 'a') && (ch <= 'z')) ||<br>                   (ch == '-') || (ch == '.') || (ch == '='))<br>#else<br>            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')<br>                   || (ch == '='))<br>#endif<br></div><div><br></div><div>-- System Information:<br>Debian Release: 10.2<br>  APT prefers stable-updates<br>  APT policy: (500, 'stable-updates'), (500, 'stable')<br>Architecture: amd64 (x86_64)<br>Foreign Architectures: i386<br><br>Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)<br>Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE<br>Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)<br>Shell: /bin/sh linked to /bin/dash<br>Init: systemd (via /run/systemd/system)<br>LSM: AppArmor: enabled<br><br>Versions of packages openssl depends on:<br>ii  libc6      2.28-10<br>ii  libssl1.1  1.1.1d-0+deb10u2<br><br>openssl recommends no packages.<br><br>Versions of
packages openssl suggests:<br>ii  ca-certificates  20190110<br><br>-- Configuration Files:<br>/etc/ssl/openssl.cnf changed:<br>HOME                       = .<br>oid_section                = new_oids<br>openssl_conf = default_conf<br>[ new_oids ]<br>tsa_policy1 = 1.2.3.4.1<br>tsa_policy2 = 1.2.3.4.5.6<br>tsa_policy3 = 1.2.3.4.5.7<br>[ ca ]<br>default_ca        = CA_default            # The default ca section<br>[ CA_default ]<br>dir           = ./demoCA              # Where everything is kept<br>certs               = $dir/certs            # Where the issued certs are kept<br>crl_dir              = $dir/crl              # Where the issued crl are kept<br>database       = $dir/index.txt        # database index file.<br>                                        # several certs with same subject.<br>new_certs_dir       = $dir/newcerts         # default place for new certs.<br>certificate     = $dir/cacert.pem       # The CA certificate<br>serial            = $dir/serial           # The current serial number<br>crlnumber  = $dir/crlnumber        # the current crl number<br>                                      # must be commented out to leave a V1 CRL<br>crl          = $dir/crl.pem          # The current CRL<br>private_key  = $dir/private/cakey.pem# The private key<br>x509_extensions      = usr_cert              # The extensions to add to the cert<br>name_opt   = ca_default            # Subject Name options<br>cert_opt        = ca_default            # Certificate field options<br>default_days       = 365                   # how long to certify for<br>default_crl_days= 30                 # how long before next CRL<br>default_md  = default               # use public key default MD<br>preserve   = no                    # keep passed DN ordering<br>policy               = policy_match<br>[ policy_match ]<br>countryName           = match<br>stateOrProvinceName    = match<br>organizationName       = match<br>organizationalUnitName = optional<br>commonName          = 
supplied<br>emailAddress                = optional<br>[ policy_anything ]<br>countryName            = optional<br>stateOrProvinceName = optional<br>localityName                = optional<br>organizationName    = optional<br>organizationalUnitName      = optional<br>commonName          = supplied<br>emailAddress                = optional<br>[ req ]<br>default_bits               = 2048<br>default_keyfile         = privkey.pem<br>distinguished_name       = req_distinguished_name<br>attributes            = req_attributes<br>x509_extensions       = v3_ca # The extensions to add to the self signed cert<br>string_mask = utf8only<br>[ req_distinguished_name ]<br>countryName                        = Country Name (2 letter code)<br>countryName_default             = AU<br>countryName_min                   = 2<br>countryName_max                    = 2<br>stateOrProvinceName                = State or Province Name (full name)<br>stateOrProvinceName_default       = Some-State<br>localityName                      = Locality Name (eg, city)<br>0.organizationName          = Organization Name (eg, company)<br>0.organizationName_default   = Internet Widgits Pty Ltd<br>organizationalUnitName              = Organizational Unit Name (eg, section)<br>commonName                    = Common Name (e.g. 
server FQDN or YOUR name)<br>commonName_max                   = 64<br>emailAddress                      = Email Address<br>emailAddress_max               = 64<br>[ req_attributes ]<br>challengePassword             = A challenge password<br>challengePassword_min           = 4<br>challengePassword_max              = 20<br>unstructuredName          = An optional company name<br>[ usr_cert ]<br>basicConstraints=CA:FALSE<br>nsComment                  = "OpenSSL Generated Certificate"<br>subjectKeyIdentifier=hash<br>authorityKeyIdentifier=keyid,issuer<br>[ v3_req ]<br>basicConstraints = CA:FALSE<br>keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>[ v3_ca ]<br>subjectKeyIdentifier=hash<br>authorityKeyIdentifier=keyid:always,issuer<br>basicConstraints = critical,CA:true<br>[ crl_ext ]<br>authorityKeyIdentifier=keyid:always<br>[ proxy_cert_ext ]<br>basicConstraints=CA:FALSE<br>nsComment                   = "OpenSSL Generated Certificate"<br>subjectKeyIdentifier=hash<br>authorityKeyIdentifier=keyid,issuer<br>proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo<br>[ tsa ]<br>default_tsa = tsa_config1        # the default TSA section<br>[ tsa_config1 ]<br>dir         = ./demoCA              # TSA root directory<br>serial            = $dir/tsaserial        # The current serial number (mandatory)<br>crypto_device  = builtin               # OpenSSL engine to use for signing<br>signer_cert        = $dir/tsacert.pem      # The TSA signing certificate<br>                                 # (optional)<br>certs             = $dir/cacert.pem       # Certificate chain to include in reply<br>                                       # (optional)<br>signer_key        = $dir/private/tsakey.pem # The TSA private key (optional)<br>signer_digest  = sha256                    # Signing digest to use. 
(Optional)<br>default_policy     = tsa_policy1           # Policy if request did not specify it<br>                                        # (optional)<br>other_policies    = tsa_policy2, tsa_policy3      # acceptable policies (optional)<br>digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)<br>accuracy     = secs:1, millisecs:500, microsecs:100  # (optional)<br>clock_precision_digits  = 0      # number of digits after dot. (optional)<br>ordering              = yes   # Is ordering defined for timestamps?<br>                         # (optional, default: no)<br>tsa_name             = yes   # Must the TSA name be included in the reply?<br>                         # (optional, default: no)<br>ess_cert_id_chain    = no    # Must the ESS cert id chain be included?<br>                             # (optional, default: no)<br>ess_cert_id_alg              = sha1  # algorithm to compute certificate<br>                            # identifier (optional, default: sha1)<br>[default_conf]<br>ssl_conf = ssl_sect<br>[ssl_sect]<br>system_default = system_default_sect<br>[system_default_sect]<br>MinProtocol = TLSv1.2<br>CipherString = DEFAULT:@SECLEVEL=2<br><br><br>-- no debconf information<br></div></div>
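The following is an added example, not code from the report or from OpenSSL: a small C model of the tokenizer in ssl_cipher_process_rulestr, reconstructed from the ssl_ciph.c fragments quoted in the report (the rule prefixes, ITEM_SEP and the non-EBCDIC word character set), showing that '@' starts a rule rather than separating items, so that DEFAULT@SECLEVEL=2 and DEFAULT:@SECLEVEL=2 split into the same two tokens while the doubled '@@' in the failing command leaves an empty word. Alias lookup and '+' multi-part rules are left out, and reporting an empty word as the "invalid command" case is an assumption of the model; tokenize() returns the token count and fills the toks[] array.

```c
/* Added model (not OpenSSL's code) of the rule-prefix / separator / word split
 * in ssl_cipher_process_rulestr(), built from the ssl_ciph.c fragments quoted
 * in the report. Alias lookup and '+' multi-part rules are omitted. */
#include <stdio.h>
#include <string.h>
#define ITEM_SEP(a) \
        (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
enum rule { CIPHER_ADD, CIPHER_DEL, CIPHER_ORD, CIPHER_KILL, CIPHER_SPECIAL };
struct tok { enum rule rule; char word[32]; } toks[16];

/* Split a cipher string into toks[]. Returns the token count, or -1 where the
 * real parser reports "invalid command" (a rule prefix followed by no word;
 * that mapping is an assumption of this model). */
static int tokenize(const char *l)
{
    int n = 0;
    for (;;) {
        char ch = *l;
        const char *buf; size_t buflen = 0;
        enum rule rule = CIPHER_ADD;          /* bare word: add a cipher/alias */
        if (ch == '\0')
            break;
        if (ch == '-')      { rule = CIPHER_DEL;     l++; }
        else if (ch == '+') { rule = CIPHER_ORD;     l++; }
        else if (ch == '!') { rule = CIPHER_KILL;    l++; }
        else if (ch == '@') { rule = CIPHER_SPECIAL; l++; }
        if (ITEM_SEP(ch)) {                   /* ':' ' ' ';' ',' only separate */
            l++;
            continue;
        }
        buf = l;                              /* word chars: non-EBCDIC branch */
        for (ch = *l; ((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
                      ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.') ||
                      (ch == '='); ch = *(++l))
            buflen++;
        if (buflen == 0 || n == 16)           /* "@@": 2nd '@' is no word char */
            return -1;
        toks[n].rule = rule;
        snprintf(toks[n].word, sizeof toks[n].word, "%.*s", (int)buflen, buf);
        n++;
        if (rule == CIPHER_SPECIAL)           /* an "@" rule runs to the next separator */
            while (*l != '\0' && !ITEM_SEP(*l))
                l++;
    }
    return n;
}
/* Does token i of the last tokenize() call (which returned n) carry rule r and word w? */
static int token_is(int i, int n, enum rule r, const char *w)
{
    return i < n && toks[i].rule == r && strcmp(toks[i].word, w) == 0;
}
```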