[Pkg-openssl-devel] Bug#804487: Bug#804487: openssl_1.0.2d-3 breaks mumble and mumble-server after binNMU

Chris Knadle Chris.Knadle at coredump.us
Mon Nov 9 19:58:30 UTC 2015


Kurt Roeckx:
> On Sun, Nov 08, 2015 at 10:26:42PM +0000, Chris Knadle wrote:
>> Package: openssl
>> Version: 1.0.2d-3
>> Severity: serious
>>
>> Greetings.
>>
>> I'm marking this bug as 'serious' because the upgrade to 1.0.2d-3 seems to
>> have broken mumble, though it's unclear why that would be.
>>
>> After a binNMU with openssl_1.0.2d-3 mumble and mumble-server are unable to
>> find the available list of SSL ciphers, and unusable -- mumble-server quits,
>> and mumble cannot find the user's SSL certificate to connect to servers
>> with.  mumble_1.2.10-2 compiled against libssl-dev 1.0.2d-1 worked okay.
>>
>> A debdiff between openssl_1.0.2d-1 and openssl_1.0.2d-3 seems reasonable (to
>> me)... "pulling at straws" I see some changes in version-script.patch, and
>> in the debian/rules file I see three new CONFARGS: "no-ssl3-method
>> enable-rfc3779 enable-cms" and I'm not sure what the latter two confargs do.
>>
>> We're trying to figure out the problem with the mumble package in bug
>> #804363.  Although the breakage may have been triggered by the openssl
>> upgrade it looks like mumble and mumble-server both seem to be missing an
>> `SSL_library_init()` call, so this issue isn't clear yet.
> 
> You really should call SSL_library_init() (or
> OpenSSL_add_ssl_algorithms(), SSLeay_add_ssl_algorithms()) as
> early as possible, clearly before calling other OpenSSL functions,
> see the manpage.

Everybody dealing with the mumble bug agrees that SSL should be initialized
before making SSL calls -- the reason I opened #804487 is to try to figure
out /what/ caused mumble_1.2.10-2+b1 to break, when mumble_1.2.10-2 works.
And I just tested -- mumble_1.2.10-2 works with openssl_1.0.2d-3.
snapshot.debian.org has the before-and-after binNMU here:

   http://snapshot.debian.org/package/mumble/1.2.10-2/

I'm looking at and comparing the build logs, and one of the things I see is
that the build pulled in both libssl1.0.0 and libssl1.0.2, where the prior
build only pulled in libssl1.0.0.  ldd shows that only libssl1.0.2 is linked
in the resulting 'mumble' binary.  That doesn't sound right.

Mainly I was looking at this because upstream mentioned that previously Qt4
handled the SSL initialization, so I was looking at the qt -dev packages to
see if the versions had changed between the builds -- which they didn't.

> The "no-ssl3-method" really is the only change that applications
> could have a problem with.  It just drops the SSLv3_* methods, which
> doesn't affect mumble.  enable-cms is actually the default and didn't
> change anything.  enable-rfc3779 shouldn't break anything, but
> maybe it does when you didn't initialize the library?

I suppose this is testable -- I could make a custom openssl package with and
without these options, put that in a local repo used by sbuild, and rebuild
mumble, install it, and test it repeatedly.  Sounds tedious but might be
worth doing -- if I try it I'll let you know the results.

  -- Chris

-- 
Chris Knadle
Chris.Knadle at coredump.us


