Re: [Pkg-openssl-devel] Bug#926315: openssl: wget https://google.com fails in d-i
On Wed, 3 Apr 2019 at 22:57, Kurt Roeckx <kurt@roeckx.be> wrote:
>
> On Wed, Apr 03, 2019 at 11:23:19PM +0200, Cyril Brulebois wrote:
> > 1726 write(2, "Disabling SSL due to encountered errors.\n", 41) = 41
>
> Looking at the source, about the only reason I can see to get that
> is that SSL_CTX_new() failed.
>
> But the commit message at least indicates that it should just continue.
>
> wget in buster actually seems to be linked to gnutls, and trying
> other applications just seem to work without config file.
>
Using the CTX api is optional, so i expect other apps would fail too
if one forces them to use CTX apis (e.g. like client cert auth) but
it's unlikely to be done in d-i / udeb.
I do think cherrypicking the patch kurt identified should be done.
But I also think that openssl.cnf should be shipped in libssl1.1-udeb
(either in /usr directly - see my patch, or symlink in /usr and a real
file in /etc like in openssl.deb) because Debian's default openssl.cnf
raises the minimum required protocol / tls security level higher than
what are compiled into libssl1.1-udeb without a config file. As
otherwise the person who discovers that d-i can talk to an https
server, but in-target debian cannot will be rightfully confused.
Unless we decide that we don't care, as this is quite a niche corner
case.
--
Regards,
Dimitri.
Reply to: