[Pkg-openssl-devel] Bug#732972: New openssl breaks ssh
Klaus Ethgen
Klaus at Ethgen.de
Mon Dec 23 11:58:33 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: openssl
Version: 1.0.1e-5
Severity: critical
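The newest openssl breaks ssh. After the upgrade, logging in to the
system via ssh is no longer possible! The error reported is:
OpenSSL version mismatch. Built against 1000105f, you have 10001060
(The two hex values are OpenSSL version numbers: 1000105f is the 1.0.1e release that ssh was built against, and 10001060 is what the newly installed library reports about itself, a 1.0.1f development version.)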
- -- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (800, 'unstable'), (600, 'oldstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11.6 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.17-97
ii libssl1.0.0 1.0.1e-5
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130906
- -- Configuration Files:
/etc/ssl/openssl.cnf changed:
# Default (unnamed) section. HOME is defined here so that the $ENV::HOME
# reference below still expands when the environment variable is unset.
HOME = .
# Seed file for the random number generator, kept in the user's home directory.
RANDFILE = $ENV::HOME/.rnd
# Name of the section that declares additional object identifiers.
oid_section = new_oids
# Symbolic names for the policy OIDs that tsa_config1 refers to.
# NOTE(review): 1.2.3.4.x looks like the sample arc from the stock file, not an
# assigned one; a production TSA should use OIDs from an arc it controls.
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# Settings for the "openssl ca" command; default_ca selects the section to use.
[ ca ]
default_ca = CA_default # The default ca section
# Layout and signing defaults of the CA.
# NOTE(review): ./demoCA is relative to the working directory of the openssl
# command, so the database, serial file and CA key are looked up wherever the
# command happens to be run; an absolute path avoids signing with the wrong state.
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# (Fragment of the stock comment on the commented-out unique_subject option:
# setting it to 'no' allows several certificates with the same subject.)
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# crlnumber must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# NOTE(review): anyone who can read the CA key can issue certificates under this
# CA; keep the file and its directory readable by the CA operator only.
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Validity of issued certificates, in days (1095 = three years).
default_days = 1095 # how long to certify for
default_crl_days= 30 # how long before next CRL
# Digest used when signing certificates and CRLs.
# NOTE(review): the stock comment "use public key default MD" describes the
# value 'default'; here SHA-1 is pinned. SHA-1 is no longer collision-resistant,
# so prefer sha256 or stronger for newly issued certificates.
default_md = sha1 # signing digest, pinned to SHA-1
preserve = no # keep passed DN ordering
# Section that decides which subject fields a request must carry.
policy = policy_match
# Subject-name policies for "openssl ca". For each field:
#   match    - must be present and equal to the same field in the CA certificate
#   supplied - must be present in the request
#   optional - may be present
# Fields not listed in the selected policy are dropped from the issued
# certificate unless DN preservation is requested.

# Policy selected by CA_default: requests must come from the CA's own
# country, state and organization. localityName is not listed here.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Permissive alternative: only commonName is required.
# NOTE(review): nothing in this listing selects policy_anything; if it is chosen
# on the command line, the CA signs any subject the requester supplies.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Defaults for the "openssl req" command (key and request generation).
[ req ]
# Size in bits of newly generated keys.
default_bits = 4096
# File name the new private key is written to (relative to the working directory).
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# NOTE(review): v3_ca sets CA:true, so every self-signed certificate made with
# "req -x509" under this config can act as a CA; point this at a non-CA section
# when generating self-signed end-entity certificates.
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Encode string fields as UTF8String only.
string_mask = utf8only
# Prompts, defaults and length limits for the subject fields of a request.
# A bare field name gives the prompt text; _default, _min and _max qualify it.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = Klaus at Ethgen.de
# Empty in this listing: no additional request attributes are defined.
[ req_attributes ]
# Extensions added to certificates issued by "openssl ca" (selected by
# x509_extensions in CA_default). CA:FALSE marks them as end-entity certificates.
# NOTE(review): no keyUsage or extendedKeyUsage is set, so issued certificates
# are not restricted to a particular purpose.
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Extensions for certificate requests. No req_extensions key in this listing
# selects this section, so it appears to be unused unless named on the command line.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions for CA certificates (selected by x509_extensions in [ req ]).
# NOTE(review): basicConstraints is neither marked critical nor given a pathlen;
# "critical,CA:true" with a path length limit constrains the CA more tightly.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
# CRL extensions. No crl_extensions key in this listing selects this section.
[ crl_ext ]
authorityKeyIdentifier=keyid:always
# Extensions for proxy certificates.
# NOTE(review): "policy:foo" looks like the placeholder from the stock sample
# file; confirm before issuing proxy certificates with it.
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
# Settings for the "openssl ts" time stamping authority; default_tsa selects
# the section to use.
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
# Files, policies and reply options of the time stamping authority.
# NOTE(review): dir is relative to the working directory, as in CA_default.
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
# NOTE(review): keep the TSA key readable by the TSA operator only.
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
# Policy names refer to the OIDs declared in [ new_oids ].
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# NOTE(review): MD5 and SHA-1 are both collision-weak; a TSA that accepts them
# will time-stamp hashes an attacker may be able to collide. Restrict this list
# to sha256 or stronger where clients allow it.
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
- -- no debconf information
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)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=t5jE
-----END PGP SIGNATURE-----