Re: OpenSSL 1.1.0

To: Jan Niehusmann <jan@gondor.com>
Cc: debian-devel@lists.debian.org, pkg-openssl-devel@lists.alioth.debian.org, ghedo@debian.org
Subject: Re: OpenSSL 1.1.0
From: Kurt Roeckx <kurt@roeckx.be>
Date: Fri, 11 Nov 2016 15:15:09 +0100
Message-id: <[🔎] 20161111141509.7533x6grj22hzwp2@roeckx.be>
In-reply-to: <[🔎] 20161111122330.GA20485@jannic.reliablesolutions.de>
References: <20161101221459.snocrbpqixykyzsk@roeckx.be> <[🔎] nvcdgb$7f6$1@blaine.gmane.org> <[🔎] 3690563.NbxgSnSBJZ@tonks> <[🔎] 20161102201512.edhcfr2phhgwo3kt@roeckx.be> <[🔎] 20161111122330.GA20485@jannic.reliablesolutions.de>

On Fri, Nov 11, 2016 at 01:23:31PM +0100, Jan Niehusmann wrote:
> Hi,
> 
> But who knows which other packages are silently broken the same way?

At least something like that also came up with xmltooling.
It's probably caused by this:
curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb);

You get an SSL_CTX from OpenSSL 1.1 and you call an OpenSSL 1.0
function with that handle. And libcurl really shouldn't have been
exposing such functions directly. If something like that is
really needed libcurl should have made a proper wrapper.

PS: Is there a reason zurl implements it's own hostname validation
checking an doesn't just use libcurls?

Kurt

Reply to:

Follow-Ups:
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>

References:
- Re: OpenSSL 1.1.0
  - From: Bernhard Schmidt <berni@debian.org>
- Re: OpenSSL 1.1.0
  - From: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
- Re: OpenSSL 1.1.0
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>

Prev by Date: Re: OpenSSL 1.1.0
Next by Date: Bug#843986: ITP: ruby-ya2yaml -- An UTF8 safe YAML dumper.
Previous by thread: Re: OpenSSL 1.1.0
Next by thread: Re: OpenSSL 1.1.0
Index(es):
- Date
- Thread