[Pkg-openssl-devel] Bug#926315: Bug#926315: openssl: wget https://google.com fails in d-i

Kurt Roeckx kurt at roeckx.be
Wed Apr 3 22:57:12 BST 2019


On Wed, Apr 03, 2019 at 11:23:19PM +0200, Cyril Brulebois wrote:
>     1726  write(2, "Disabling SSL due to encountered errors.\n", 41) = 41

Looking at the source, about the only reason I can see to get that
is that SSL_CTX_new() failed.

If I understand correctly, it's actually a change in libcrypto
between 1.1.1a and 1.1.1b?

The most likely commit to change behaviour seems to be:
commit 25eb9299cec4404a4cdf3167056bd147af2582f3
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Jan 1 02:53:24 2019 -0500

    More configurable crypto and ssl library initialization

    1.  In addition to overriding the default application name,
        one can now also override the configuration file name
        and flags passed to CONF_modules_load_file().

    2.  By default we still keep going when configuration file
        processing fails.  But, applications that want to be
        strict about initialization errors can now make explicit
        flag choices via non-null OPENSSL_INIT_SETTINGS that omit
        the CONF_MFLAGS_IGNORE_RETURN_CODES flag (which had so far
        been both undocumented and unused).

    3.  In OPENSSL_init_ssl() do not request OPENSSL_INIT_LOAD_CONFIG
        if the options already include OPENSSL_INIT_NO_LOAD_CONFIG.

    4.  Don't set up atexit() handlers when called with opts equal to
        OPENSSL_INIT_BASE_ONLY (this flag should only be used alone).

    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/7969)

But the commit message at least indicates that it should just continue.

wget in buster actually seems to be linked to gnutls, and the other
applications I tried just seem to work without a config file.


Kurt


