[Pkg-openssl-devel] Bug#804487: Bug#804487: openssl_1.0.2d-3 breaks mumble and mumble-server after binNMU

Kurt Roeckx kurt at roeckx.be
Mon Nov 9 17:34:00 UTC 2015


On Sun, Nov 08, 2015 at 10:26:42PM +0000, Chris Knadle wrote:
> Package: openssl
> Version: 1.0.2d-3
> Severity: serious
> 
> Greetings.
> 
> I'm marking this bug as 'serious' because the upgrade to 1.0.2d-3 seems to
> have broken mumble, though it's unclear why that would be.
> 
> After a binNMU with openssl_1.0.2d-3 mumble and mumble-server are unable to
> find the available list of SSL ciphers, and unusable -- mumble-server quits,
> and mumble cannot find the user's SSL certificate to connect to servers
> with.  mumble_1.2.10-2 compiled against libssl-dev 1.0.2d-1 worked okay.
> 
> A debdiff between openssl_1.0.2d-1 and openssl_1.0.2d-3 seems reasonable (to
> me)... "pulling at straws" I see some changes in version-script.patch, and
> in the debian/rules file I see three new CONFARGS: "no-ssl3-method
> enable-rfc3779 enable-cms" and I'm not sure what the latter two confargs do.
> 
> We're trying to figure out the problem with the mumble package in bug
> #804363.  Although the breakage may have been triggered by the openssl
> upgrade it looks like mumble and mumble-server both seem to be missing an
> `SSL_library_init()` call, so this issue isn't clear yet.

You really should call SSL_library_init() (or
OpenSSL_add_ssl_algorithms(), SSLeay_add_ssl_algorithms()) as
early as possible, clearly before calling any other OpenSSL function;
see the manpage.

The "no-ssl3-method" really is the only change that applications
could have a problem with.  It just drops the SSLv3_* methods, which
doesn't affect mumble.  enable-cms is actually the default and didn't
change anything.  enable-rfc3779 shouldn't break anything, but
maybe it does when you didn't initialize the library?


Kurt
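
The following is an added example, not part of the original message or of either package: a heuristic source audit that lists libssl call sites in a code base and flags the case discussed above, where OpenSSL is used but none of the three initialization calls named in the reply appears anywhere. The function names `audit` and `needs_init` and both sample sources are constructed for illustration; the scan is textual, so it shows that an initialization call exists, not that it runs first.

```python
import re

# Initialization entry points named in the reply above.
INIT_CALLS = {"SSL_library_init", "OpenSSL_add_ssl_algorithms",
              "SSLeay_add_ssl_algorithms"}
# Heuristic: a call to any function with a libssl-style name.
CALL_RE = re.compile(r"\b(SSL_\w+|SSLv23_\w+|TLSv1_\w+|"
                     r"OpenSSL_add_ssl_algorithms|SSLeay_add_ssl_algorithms)\s*\(")
# Comments and string literals must not count as calls.
STRIP_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))

def audit(sources):
    """sources: {filename: text}. Returns (init_sites, use_sites), each a
    list of (filename, line, function) tuples."""
    init_sites, use_sites = [], []
    for name, text in sorted(sources.items()):
        code = STRIP_RE.sub(_blank, text)
        for m in CALL_RE.finditer(code):
            site = (name, code.count("\n", 0, m.start()) + 1, m.group(1))
            (init_sites if m.group(1) in INIT_CALLS else use_sites).append(site)
    return init_sites, use_sites

def needs_init(sources):
    """True when libssl is used but never initialized anywhere in sources."""
    init_sites, use_sites = audit(sources)
    return bool(use_sites) and not init_sites

# Constructed sample: the init call appears only in a comment and a string.
BROKEN = {"server.cpp": '''// constructed sample, SSL_library_init() is missing
#include <openssl/ssl.h>
void setup() {
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
    log("call SSL_library_init() first");
}
'''}
# Constructed sample: same file plus an entry point that initializes libssl.
FIXED = dict(BROKEN, **{"main.cpp": '''// constructed sample
int main() {
    SSL_library_init();   /* before any other OpenSSL call */
    setup();
}
'''})

if __name__ == "__main__":
    for label, tree in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "needs init:", needs_init(tree), audit(tree)[1])
```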


