[Pkg-openssl-devel] Bug#611102: openssl: backwards-incompatible changes in c_rehash
Jakub Wilk
jwilk at debian.org
Sun Apr 3 01:19:43 UTC 2011
* Jakub Wilk <jwilk at debian.org>, 2011-01-25, 16:17:
>From x509(1ssl) manpage:
>
>| The hash algorithm used in the -subject_hash and -issuer_hash options before
>| OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the
>| distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
>| version of the DN using SHA1. This means that any directories using the old
>| form must have their links rebuilt using c_rehash or similar.
>
>Unfortunately that also means that if c_rehash is run on
>/etc/ssl/certs/ (e.g. by ca-certificates postinst), packages using
>GnuTLS or older OpenSSL won't be able to find certificates anymore.
openSUSE has a patch to create compatibility symlinks:
https://build.opensuse.org/package/view_file?file=openssl-1.0.0-c_rehash-compat.diff&package=openssl&project=openSUSE%3A11.3%3AUpdate&srcmd5=feaa4a7bab52ebc7cdcab59a5f10e01e
--
Jakub Wilk
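
The compatibility-symlink approach mentioned above, as an added example that is not part of the original message and is not the openSUSE patch. It links every certificate under both the `-subject_hash` and `-subject_hash_old` values printed by `openssl x509`; the function names `rehash_compat` and `next_link_name` are hypothetical.

```shell
#!/bin/sh
# Added example (not the openSUSE patch): link each certificate in a
# directory under both subject-hash forms so that old and new lookups work.

# Print the first free "<hash>.N" name in dir $1 for hash $2; print nothing
# if an existing link for that hash already points at certificate $3.
# (Assumption: duplicates are detected by link target, not by fingerprint.)
next_link_name() {
    dir=$1 hash=$2 cert=$3 n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$cert" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$hash.$n"
}

# rehash_compat DIR: for every *.pem / *.crt file in DIR create
#   <sha1-canonical-hash>.N  (OpenSSL >= 1.0.0, -subject_hash)
#   <md5-hash>.N             (pre-1.0.0 form,   -subject_hash_old)
# Returns non-zero if any file could not be parsed as a certificate.
rehash_compat() {
    dir=$1 rc=0
    for path in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$path" ] || continue
        cert=$(basename "$path")
        for opt in -subject_hash -subject_hash_old; do
            hash=$(openssl x509 -noout "$opt" -in "$path" 2>/dev/null) ||
                { rc=1; continue; }
            name=$(next_link_name "$dir" "$hash" "$cert")
            if [ -n "$name" ]; then
                ln -s "$cert" "$dir/$name"
            fi
        done
    done
    return "$rc"
}

# Stand-alone use: sh rehash-compat.sh /path/to/certs
if [ "$#" -gt 0 ]; then
    rehash_compat "$1"
fi
```

Running it a second time on the same directory creates no further links, because an existing link to the same certificate is detected first.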