[Pkg-openssl-devel] Bug#926315: openssl: wget https://google.com fails in d-i

Dimitri John Ledkov xnox at ubuntu.com
Fri Apr 5 15:32:45 BST 2019


On Wed, 3 Apr 2019 at 22:57, Kurt Roeckx <kurt at roeckx.be> wrote:
>
> On Wed, Apr 03, 2019 at 11:23:19PM +0200, Cyril Brulebois wrote:
> >     1726  write(2, "Disabling SSL due to encountered errors.\n", 41) = 41
>
> Looking at the source, about the only reason I can see to get that
> is that SSL_CTX_new() failed.
>
> But the commit message at least indicates that it should just continue.
>
> wget in buster actually seems to be linked to gnutls, and trying
> other applications just seem to work without config file.
>

Using the CTX api is optional, so I expect other apps would fail too
if one forces them to use CTX apis (e.g. like client cert auth) but
it's unlikely to be done in d-i / udeb.

I do think cherrypicking the patch Kurt identified should be done.

But I also think that openssl.cnf should be shipped in libssl1.1-udeb
(either in /usr directly - see my patch, or symlink in /usr and a real
file in /etc like in openssl.deb) because Debian's default openssl.cnf
raises the minimum required protocol / tls security level higher than
what are compiled into libssl1.1-udeb without a config file. As
otherwise the person who discovers that d-i can talk to an https
server, but in-target Debian cannot will be rightfully confused.
Unless we decide that we don't care, as this is quite a niche corner
case.

-- 
Regards,

Dimitri.
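The policy gap Dimitri describes (d-i's libssl1.1-udeb runs on compiled-in defaults, the installed system runs under Debian's openssl.cnf) can be made concrete with a small model. The following is an added example, not code from the bug report or from the openssl package: it parses the `openssl_conf -> ssl_conf -> system_default` chain of an OpenSSL config file and compares the resulting minimum protocol and security level against the no-config case. The config text is a constructed copy of the relevant section of Debian's default openssl.cnf; the compiled-in defaults (security level 1, no minimum protocol) and the per-level RSA size table are assumptions taken from the SSL_CTX_set_security_level(3) documentation, and the "legacy server" is invented for illustration. It does not call libssl.

```python
"""Model how openssl.cnf changes libssl's effective TLS policy.

Added example (not from the bug report): a small reader for the ssl_conf
chain in an OpenSSL config file, used to compare the policy libssl applies
with no config file (compiled-in defaults) against the policy Debian's
default openssl.cnf imposes. It does not call libssl; the compiled-in
defaults below are an assumption (security level 1, no minimum protocol).
"""
import re
from typing import Dict, Optional

# Constructed copy of the relevant part of Debian's default openssl.cnf.
DEBIAN_OPENSSL_CNF = """\
# Debian default: raise the minimum protocol and the security level.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

# Assumed compiled-in defaults of libssl when no config file is loaded
# (the libssl1.1-udeb case).
COMPILED_IN_DEFAULTS = {"min_protocol": None, "seclevel": 1}

PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Minimum RSA modulus size each security level accepts, from the
# bit-strength table in SSL_CTX_set_security_level(3).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of openssl.cnf syntax used by the ssl_conf chain.

    Keys before the first [section] land in the "default" section, as in
    OpenSSL's CONF parser. Comments start with '#'.
    """
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_policy(cnf_text: Optional[str]) -> Dict[str, object]:
    """Return the policy libssl would end up with.

    None models the udeb case: no config file, compiled-in defaults apply.
    """
    policy = dict(COMPILED_IN_DEFAULTS)
    if cnf_text is None:
        return policy
    sections = parse_cnf(cnf_text)
    # Follow openssl_conf -> ssl_conf -> system_default to the settings.
    app = sections["default"].get("openssl_conf")
    ssl_sect = sections.get(app, {}).get("ssl_conf") if app else None
    sys_sect = sections.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    settings = sections.get(sys_sect, {}) if sys_sect else {}
    if "MinProtocol" in settings:
        policy["min_protocol"] = settings["MinProtocol"]
    m = re.search(r"@SECLEVEL=(\d)", settings.get("CipherString", ""))
    if m:
        policy["seclevel"] = int(m.group(1))
    return policy


def handshake_allowed(policy: Dict[str, object], server_protocol: str,
                      server_rsa_bits: int) -> bool:
    """Would this policy accept a server offering this version and RSA key?"""
    min_proto = policy["min_protocol"]
    if min_proto is not None and (PROTOCOL_ORDER.index(server_protocol)
                                  < PROTOCOL_ORDER.index(str(min_proto))):
        return False
    return server_rsa_bits >= MIN_RSA_BITS[int(policy["seclevel"])]


if __name__ == "__main__":
    udeb = effective_policy(None)
    target = effective_policy(DEBIAN_OPENSSL_CNF)
    # Constructed legacy server: TLS 1.1 with a 1024-bit RSA certificate.
    for name, pol in (("d-i (no openssl.cnf)", udeb), ("in-target Debian", target)):
        ok = handshake_allowed(pol, "TLSv1.1", 1024)
        print(f"{name}: {pol} -> accepts legacy server: {ok}")
```

Run as-is, the d-i policy accepts the constructed legacy server while the in-target policy refuses it, which is exactly the confusing "installer could connect, installed system cannot" outcome; shipping the same openssl.cnf in the udeb makes both rows agree.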