[Pkg-openssl-devel] Bug#1110055: libssl3t64: Upgrade of libssl3t64 breaks strongswan
Marc Clemente
marc at mclemente.net
Mon Jul 28 23:30:00 BST 2025
Package: libssl3t64
Version: 3.5.1-1
Severity: normal
X-Debbugs-Cc: marc at mclemente.net
Upgrading libssl3t64 from 3.5.0-2 to 3.5.1-1 breaks strongswan (6.0.1-6). This is reproduced on armel and armhf architectures. I was unable to reproduce it on amd64.
root at raspberry:~# dpkg -l | grep libssl3t64
ii libssl3t64:armhf 3.5.1-1 armhf Secure Sockets Layer toolkit - shared libraries
root at raspberry:~# swanctl -i -c chronos
plugin 'test-vectors': failed to load - test_vectors_plugin_create not found and no plugin file available
plugin 'ldap': failed to load - ldap_plugin_create not found and no plugin file available
plugin 'pkcs11': failed to load - pkcs11_plugin_create not found and no plugin file available
plugin 'aes': failed to load - aes_plugin_create not found and no plugin file available
plugin 'rc2': failed to load - rc2_plugin_create not found and no plugin file available
plugin 'sha2': failed to load - sha2_plugin_create not found and no plugin file available
plugin 'sha1': failed to load - sha1_plugin_create not found and no plugin file available
plugin 'md5': failed to load - md5_plugin_create not found and no plugin file available
plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available
plugin 'pkcs12': failed to load - pkcs12_plugin_create not found and no plugin file available
plugin 'pgp': failed to load - pgp_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'gcrypt': failed to load - gcrypt_plugin_create not found and no plugin file available
plugin 'af-alg': failed to load - af_alg_plugin_create not found and no plugin file available
plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available
plugin 'gmp': failed to load - gmp_plugin_create not found and no plugin file available
plugin 'curve25519': failed to load - curve25519_plugin_create not found and no plugin file available
plugin 'agent': failed to load - agent_plugin_create not found and no plugin file available
plugin 'chapoly': failed to load - chapoly_plugin_create not found and no plugin file available
plugin 'xcbc': failed to load - xcbc_plugin_create not found and no plugin file available
plugin 'cmac': failed to load - cmac_plugin_create not found and no plugin file available
plugin 'hmac': failed to load - hmac_plugin_create not found and no plugin file available
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'ctr': failed to load - ctr_plugin_create not found and no plugin file available
plugin 'ccm': failed to load - ccm_plugin_create not found and no plugin file available
plugin 'gcm': failed to load - gcm_plugin_create not found and no plugin file available
plugin 'curl': failed to load - curl_plugin_create not found and no plugin file available
[IKE] initiating IKE_SA chronos[1] to 104.181.48.182
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.16.10.80[500] to 104.181.48.182[500] (924 bytes)
[NET] received packet: from 104.181.48.182[500] to 172.16.10.80[500] (280 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
[IKE] local host is behind NAT, sending keep alives
[IKE] KDF_PRF with PRF_HMAC_SHA2_256 not supported
[IKE] key derivation failed
initiate failed: establishing CHILD_SA 'chronos' failed
root at raspberry:~# apt install ./libssl3t64_3.5.0-2_armhf.deb
Note, selecting 'libssl3t64' instead of './libssl3t64_3.5.0-2_armhf.deb'
DOWNGRADING:
libssl3t64
Summary:
Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0
Download size: 0 B / 1980 kB
Space needed: 0 B / 112 GB available
Continue? [Y/n]
Get:1 /root/libssl3t64_3.5.0-2_armhf.deb libssl3t64 armhf 3.5.0-2 [1980 kB]
dpkg: warning: downgrading libssl3t64:armhf (3.5.1-1) to (3.5.0-2)
(Reading database ... 35763 files and directories currently installed.)
Preparing to unpack .../libssl3t64_3.5.0-2_armhf.deb ...
Unpacking libssl3t64:armhf (3.5.0-2) over (3.5.1-1) ...
Setting up libssl3t64:armhf (3.5.0-2) ...
Processing triggers for libc-bin (2.41-11) ...
Notice: Download is performed unsandboxed as root as file '/root/libssl3t64_3.5.0-2_armhf.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
root at raspberry:~# systemctl restart strongswan.service
root at raspberry:~# swanctl -i -c chronos
plugin 'test-vectors': failed to load - test_vectors_plugin_create not found and no plugin file available
plugin 'ldap': failed to load - ldap_plugin_create not found and no plugin file available
plugin 'pkcs11': failed to load - pkcs11_plugin_create not found and no plugin file available
plugin 'aes': failed to load - aes_plugin_create not found and no plugin file available
plugin 'rc2': failed to load - rc2_plugin_create not found and no plugin file available
plugin 'sha2': failed to load - sha2_plugin_create not found and no plugin file available
plugin 'sha1': failed to load - sha1_plugin_create not found and no plugin file available
plugin 'md5': failed to load - md5_plugin_create not found and no plugin file available
plugin 'mgf1': failed to load - mgf1_plugin_create not found and no plugin file available
plugin 'pkcs12': failed to load - pkcs12_plugin_create not found and no plugin file available
plugin 'pgp': failed to load - pgp_plugin_create not found and no plugin file available
plugin 'sshkey': failed to load - sshkey_plugin_create not found and no plugin file available
plugin 'gcrypt': failed to load - gcrypt_plugin_create not found and no plugin file available
plugin 'af-alg': failed to load - af_alg_plugin_create not found and no plugin file available
plugin 'fips-prf': failed to load - fips_prf_plugin_create not found and no plugin file available
plugin 'gmp': failed to load - gmp_plugin_create not found and no plugin file available
plugin 'curve25519': failed to load - curve25519_plugin_create not found and no plugin file available
plugin 'agent': failed to load - agent_plugin_create not found and no plugin file available
plugin 'chapoly': failed to load - chapoly_plugin_create not found and no plugin file available
plugin 'xcbc': failed to load - xcbc_plugin_create not found and no plugin file available
plugin 'cmac': failed to load - cmac_plugin_create not found and no plugin file available
plugin 'hmac': failed to load - hmac_plugin_create not found and no plugin file available
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'ctr': failed to load - ctr_plugin_create not found and no plugin file available
plugin 'ccm': failed to load - ccm_plugin_create not found and no plugin file available
plugin 'gcm': failed to load - gcm_plugin_create not found and no plugin file available
plugin 'curl': failed to load - curl_plugin_create not found and no plugin file available
[IKE] initiating IKE_SA chronos[1] to 104.181.48.182
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.16.10.80[500] to 104.181.48.182[500] (924 bytes)
[NET] received packet: from 104.181.48.182[500] to 172.16.10.80[500] (280 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
[IKE] local host is behind NAT, sending keep alives
[IKE] authentication of 'raspberry.mclemente.net' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
[IKE] establishing CHILD_SA chronos{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 172.16.10.80[4500] to 104.181.48.182[4500] (928 bytes)
[NET] received packet: from 104.181.48.182[4500] to 172.16.10.80[4500] (848 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
[CFG] using trusted certificate "chronos.mclemente.net"
[IKE] authentication of 'chronos.mclemente.net' with RSA_EMSA_PKCS1_SHA2_384 successful
[IKE] peer supports MOBIKE
[IKE] IKE_SA chronos[1] established between 172.16.10.80[raspberry.mclemente.net]...104.181.48.182[chronos.mclemente.net]
[IKE] scheduling rekeying in 13953s
[IKE] maximum IKE_SA lifetime 15393s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[IKE] CHILD_SA chronos{1} established with SPIs cabe9d66_i c42509fb_o and TS 192.168.16.250/32 === 192.168.17.0/24
initiate completed successfully
-- System Information:
Debian Release: 13.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: armhf (armv7l)
Kernel: Linux 6.12.38+deb13-armmp (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libssl3t64 depends on:
ii libc6 2.41-11
ii libzstd1 1.5.7+dfsg-1
ii openssl-provider-legacy 3.5.1-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
libssl3t64 recommends no packages.
libssl3t64 suggests no packages.
-- no debconf information
More information about the Pkg-openssl-devel
mailing list