[Pkg-openssl-devel] Bug#781081: Openssl updates introduces backward incompatibilities - breaks voms
Mattias Ellert
mattias.ellert at fysast.uu.se
Tue Mar 24 09:17:39 UTC 2015

Package: libssl1.0.0
Version: 1.0.1k-2, 1.0.1e-2+deb7u15
Severity: important

After updating to the latest openssl versions in Debian, the voms client
tools no longer work.

With the current openssl 1.0.1k-1:

ellert at debian-unstable:~$ voms-proxy-init2 --voms atlas
Enter GRID pass phrase:
Your identity: /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
Creating temporary proxy ....................................................................... Done
Contacting lcg-voms2.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch] "atlas" Done
Creating proxy .............................................................................................................. Done
Your proxy is valid until Tue Mar 24 22:01:16 2015
Error: verify failed.
AC not present in credentials.
ellert at debian-unstable:~$ voms-proxy-info2 --all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: AC not present in credentials.
subject : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se/CN=proxy
issuer : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
identity : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
type : proxy
strength : 1024 bits
path : /tmp/x509up_u1000
timeleft : 11:59:53
key usage : Digital Signature, Key Encipherment

With the previous openssl 1.0.1k-1:

ellert at debian-unstable:~$ LD_LIBRARY_PATH=/home/ellert/openssl-1.0.1k-1/usr/lib/x86_64-linux-gnu voms-proxy-init2 --voms atlas
Enter GRID pass phrase:
Your identity: /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
Creating temporary proxy ............................................................. Done
Contacting voms2.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "atlas" Done
Creating proxy .......................................................................................................... Done
Your proxy is valid until Tue Mar 24 22:01:51 2015
ellert at debian-unstable:~$ LD_LIBRARY_PATH=/home/ellert/openssl-1.0.1k-1/usr/lib/x86_64-linux-gnu voms-proxy-info2 --all
subject : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se/CN=proxy
issuer : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
identity : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
type : proxy
strength : 1024 bits
path : /tmp/x509up_u1000
timeleft : 11:59:50
key usage : Digital Signature, Key Encipherment
=== VO atlas extension information ===
VO : atlas
subject : /DC=org/DC=terena/DC=tcs/C=SE/O=Uppsala University/CN=Mattias Ellert mel03009 at user.uu.se
issuer : /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/se/Role=NULL/Capability=NULL
attribute : nickname = ellert (atlas)
timeleft : 11:59:51
uri : voms2.cern.ch:15001

Investigations have shown that the problem is introduced by the patch
0003-Free-up-passed-ASN.1-structure-if-reused.patch that was added in
the latest openssl updates 1.0.1k-2 and 1.0.1e-2+deb7u15:

https://sources.debian.net/src/openssl/1.0.1k-2/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch/
https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u15/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch/

Mattias Ellert