[Pkg-openssl-devel] Bug#611102: openssl: backwards-incompatible changes in c_rehash

Jakub Wilk jwilk at debian.org
Tue Jan 25 15:17:44 UTC 2011


Package: openssl
Version: 1.0.0c-2
Severity: important

From x509(1ssl) manpage:

| The hash algorithm used in the -subject_hash and -issuer_hash options before
| OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the
| distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
| version of the DN using SHA1. This means that any directories using the old
| form must have their links rebuilt using c_rehash or similar.

Unfortunately that also means that if c_rehash is run on /etc/ssl/certs/ 
(e.g. by ca-certificates postinst), packages using GnuTLS or older 
OpenSSL won't be able to find certificates anymore.

Here's a proposed patch:
http://rt.openssl.org/Ticket/Display.html?id=2272&user=guest&pass=guest
(Though IMO compatibility symlinks should be created unconditionally.)

-- 
Jakub Wilk
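Added worked example (not part of the bug report or of OpenSSL's code): a small Python model of the two hash schemes the quoted manpage describes, plus a c_rehash-style link planner that emits both the new and the old link name for every certificate, which is the unconditional-compatibility-symlink behaviour the report argues for. The encoding is my reading of OpenSSL's X509_NAME_hash_old (MD5 over the name's DER bytes) and X509_NAME_canon (values re-encoded as UTF8String, whitespace collapsed, lower-cased, outer SEQUENCE omitted, then SHA1), with the first four digest bytes read little-endian; it assumes the legacy name uses PrintableString values and ASCII-only data. The subjects, file names and the `plan_links` helper are constructed for illustration.

```python
import hashlib

# DER content octets of the attribute-type OIDs used by the constructed subjects below
OIDS = {
    "C": b"\x55\x04\x06",   # id-at-countryName
    "O": b"\x55\x04\x0a",   # id-at-organizationName
    "OU": b"\x55\x04\x0b",  # id-at-organizationalUnitName
    "CN": b"\x55\x04\x03",  # id-at-commonName
}
PRINTABLE_STRING, UTF8_STRING, SEQUENCE, SET, OID = 0x13, 0x0C, 0x30, 0x31, 0x06


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_rdn(attr: str, value: str, string_tag: int) -> bytes:
    """One single-attribute RDN: SET { SEQUENCE { OID, string } }."""
    ava = der(OID, OIDS[attr]) + der(string_tag, value.encode("utf-8"))
    return der(SET, der(SEQUENCE, ava))


def subject_der(rdns) -> bytes:
    """Legacy encoding as it would sit in the certificate (assumption: every
    value is a PrintableString). The pre-1.0.0 hash covers these exact bytes,
    so a change in string type, case or spacing changes the hash."""
    return der(SEQUENCE, b"".join(encode_rdn(a, v, PRINTABLE_STRING) for a, v in rdns))


def canon_value(value: str) -> str:
    """Canonical string form: trim, collapse internal whitespace, lower-case.
    (OpenSSL folds only ASCII letters; the sample values here are ASCII.)"""
    return " ".join(value.split()).lower()


def subject_canon(rdns) -> bytes:
    """Canonical encoding as read from X509_NAME_canon (assumption): values
    re-encoded as UTF8String after canon_value(), outer SEQUENCE omitted."""
    return b"".join(encode_rdn(a, canon_value(v), UTF8_STRING) for a, v in rdns)


def _hash_prefix_le(digest: bytes) -> str:
    # OpenSSL reads the first four digest bytes as a little-endian 32-bit integer
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(rdns) -> str:
    """Model of -subject_hash_old: MD5 over the name's DER encoding."""
    return _hash_prefix_le(hashlib.md5(subject_der(rdns)).digest())


def subject_hash(rdns) -> str:
    """Model of -subject_hash (OpenSSL >= 1.0.0): SHA1 over the canonical form."""
    return _hash_prefix_le(hashlib.sha1(subject_canon(rdns)).digest())


def plan_links(certs: dict) -> dict:
    """Plan c_rehash-style link names for {filename: subject rdns}, emitting
    BOTH the new and the old hash form so GnuTLS and pre-1.0.0 OpenSSL
    lookups keep working. Collisions get .0, .1, ... suffixes."""
    links = {}
    for hasher in (subject_hash, subject_hash_old):
        for fname in sorted(certs):
            h = hasher(certs[fname])
            n = 0
            while f"{h}.{n}" in links:  # shared namespace: never overwrite a link
                n += 1
            links[f"{h}.{n}"] = fname
    return links


# Constructed sample subjects (not real CA names)
ROOT = [("C", "US"), ("O", "Example Inc"), ("CN", "Example Root CA")]
# Same name with different case/spacing: identical canonical form, different legacy bytes
ROOT_VARIANT = [("C", "US"), ("O", "EXAMPLE   Inc"), ("CN", "example root ca")]
OTHER = [("C", "US"), ("O", "Example Inc"), ("CN", "Example Intermediate CA")]

if __name__ == "__main__":
    for label, rdns in (("root", ROOT), ("variant", ROOT_VARIANT), ("other", OTHER)):
        print(f"{label:8s} new={subject_hash(rdns)} old={subject_hash_old(rdns)}")
    certs = {"root.pem": ROOT, "variant.pem": ROOT_VARIANT, "other.pem": OTHER}
    for link, target in sorted(plan_links(certs).items()):
        print(f"{link} -> {target}")
```

Running it shows why a plain rehash breaks older consumers: ROOT and ROOT_VARIANT map to the same new-style name (so they become hash.0 and hash.1) but to two different old-style names, and neither scheme's link name is derivable from the other, so a directory that carries only the new links is invisible to a library that still computes the MD5 form.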