[Pkg-openssl-devel] Bug#611102: openssl: backwards-incompatible changes in c_rehash
Jakub Wilk
jwilk at debian.org
Tue Jan 25 15:17:44 UTC 2011
Package: openssl
Version: 1.0.0c-2
Severity: important
From x509(1ssl) manpage:
| The hash algorithm used in the -subject_hash and -issuer_hash options before
| OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the
| distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
| version of the DN using SHA1. This means that any directories using the old
| form must have their links rebuilt using c_rehash or similar.
Unfortunately that also means that if c_rehash is run on /etc/ssl/certs/
(e.g. by ca-certificates postinst), packages using GnuTLS or older
OpenSSL won't be able to find certificates anymore.
Here's a proposed patch:
http://rt.openssl.org/Ticket/Display.html?id=2272&user=guest&pass=guest
(Though IMO compatibility symlinks should be created unconditionally.)
--
Jakub Wilk
More information about the Pkg-openssl-devel
mailing list