[Pkg-openssl-devel] Planning the removal of c_rehash | mass bug filling

Michael Shuler michael at pbandjelly.org
Fri Apr 6 16:05:35 BST 2018


On 04/05/2018 05:22 PM, Sebastian Andrzej Siewior wrote:
> Hi,
> 
> the openssl package provides the c_rehash script which creates the links
> from XXXXXXXX.Y to the actual certificate in /etc/ssl/certs/. During the
> transition from 0.9.8 to 1.0.0 the hash (for the X part) changed from
> md5 to sha1. Since that transition in Debian the c_rehash script
> provides both symlinks: the old hash (md5) and the new (sha1) one. 
> 
> The c_rehash script is considered by upstream as a fallback script and
> will disappear at some point. The recommended way is to use the "openssl
> rehash" command instead which appeared in 1.1.0.  This command creates
> half that many symlinks (one per certificate instead of two) because it
> uses only the sha1 hash. There is also the -compat option which creates
> both symlinks (and behaves like c_rehash currently does) but as
> explained above it should not be required to use it.
> 
> I am planning to fill bugs against 23 packages which use "c_rehash" to
> use "openssl rehash" instead. Here is the dd-list of packages I
> identified:
<...>
> Michael Shuler <michael at pbandjelly.org>
>    ca-certificates

Thanks for the heads up!

If you could go ahead and file this bug for ca-certificates, I'd like to
include the bug number in the changelog for this commit on the next
upload, which should be soon.

https://salsa.debian.org/debian/ca-certificates/commit/1bc87e0b41a04551a93d4e784e158b044c18792a

-- 
Kind regards,
Michael




More information about the Pkg-openssl-devel mailing list