[Pkg-openssl-devel] OpenSSL 1.1.0

Kurt Roeckx kurt at roeckx.be
Fri Nov 11 14:15:09 UTC 2016


On Fri, Nov 11, 2016 at 01:23:31PM +0100, Jan Niehusmann wrote:
> Hi,
> 
> But who knows which other packages are silently broken the same way?

At least something like that also came up with xmltooling.
It's probably caused by this:
curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb);

You get an SSL_CTX from OpenSSL 1.1 and you call an OpenSSL 1.0
function with that handle. And libcurl really shouldn't have been
exposing such functions directly. If something like that is
really needed libcurl should have made a proper wrapper.

PS: Is there a reason zurl implements it's own hostname validation
checking an doesn't just use libcurls?


Kurt




More information about the Pkg-openssl-devel mailing list