[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#855331: release-notes: add a little something about openssl

Package: release-notes
Severity: normal
Tags: patch

The patch attached contains information about changes in the openssl /
libssl package. I added four items, each one of them was reported
atleast once as a bug.
The "openssl enc" situation was responsible for at least four bug
reports and one reported suggested / asked if this is not release-notes.
So here I am.  While writting this down I was looking what else we had
and made a little list. Please look at this and decide if this is worth
for release-notes or not.
The 3DES / RC4 limitation led to a few reports as well. There are either
people using XP or services which offer only 3DES and RC4 (#853730).

Index: en/issues.dbk
--- en/issues.dbk	(revision 11362)
+++ en/issues.dbk	(working copy)
@@ -535,6 +535,43 @@
       dh_strip manpage for more information</ulink>
+  <section id="openssl-issues">
+    <title>OpenSSL related changes</title>
+    <para>
+      The <command>openssl</command> application expects option arguments before
+      non-option arguments. For example, this does not work anymore:
+openssl dsaparam 2048 -out file
+      while this still does:
+openssl dsaparam -out file 2048
+    </para>
+    <para>
+      The <command>openssl enc</command> command changed the default digest
+      (used to create the key from passphrase) from MD5 to SHA256. The digest can
+      be specified with the <command>-md</command> option in case old files need
+      to be decrypted with newer openssl (or the other way around).
+    </para>
+    <para>
+      The 3DES and RC4 ciphers are no longer available for TLS/SSL communication.
+      Servers linked against openssl can't offer them and clients can't connect
+      to servers which offer only those. This means that openssl and Windows XP
+      share no common cipher.
+    </para>
+    <para>
+      The package <systemitem role="package">libssl-dev</systemitem> provides
+      header files to compile against openssl 1.1.0. The API changed a lot and
+      it is possible that the software won't compile anymore. There is an
+      <ulink url="https://wiki.openssl.org/index.php/1.1_API_Changes";>overview of
+      the changes</ulink>. If you can't update your software, there is also
+      <systemitem role="package">libssl1.0-dev</systemitem> which provides headers
+      against openssl 1.0.2.
+    </para>
+  </section>

Reply to: