Bug#855331: release-notes: add a little something about openssl
Package: release-notes
Severity: normal
Tags: patch
The patch attached contains information about changes in the openssl /
libssl package. I added four items, each one of them was reported
at least once as a bug.
The "openssl enc" situation was responsible for at least four bug
reports and one reporter suggested / asked if this is not release-notes.
So here I am. While writing this down I was looking what else we had
and made a little list. Please look at this and decide if this is worth
for release-notes or not.
The 3DES / RC4 limitation led to a few reports as well. There are either
people using XP or services which offer only 3DES and RC4 (#853730).
Sebastian
Index: en/issues.dbk
===================================================================
--- en/issues.dbk (revision 11362)
+++ en/issues.dbk (working copy)
@@ -535,6 +535,43 @@
dh_strip manpage for more information</ulink>
</para>
</section>
+
+ <section id="openssl-issues">
+ <title>OpenSSL related changes</title>
+ <para>
+ The <command>openssl</command> application expects option arguments before
+ non-option arguments. For example, this does not work anymore:
+<screen>
+openssl dsaparam 2048 -out file
+</screen>
+ while this still does:
+<screen>
+openssl dsaparam -out file 2048
+</screen>
+ </para>
+ <para>
+ The <command>openssl enc</command> command changed the default digest
+ (used to create the key from passphrase) from MD5 to SHA256. The digest can
+ be specified with the <command>-md</command> option in case old files need
+ to be decrypted with newer openssl (or the other way around).
+ </para>
+ <para>
+ The 3DES and RC4 ciphers are no longer available for TLS/SSL communication.
+ Servers linked against openssl can't offer them and clients can't connect
+ to servers which offer only those. This means that openssl and Windows XP
+ share no common cipher.
+ </para>
+ <para>
+ The package <systemitem role="package">libssl-dev</systemitem> provides
+ header files to compile against openssl 1.1.0. The API changed a lot and
+ it is possible that the software won't compile anymore. There is an
+ <ulink url="https://wiki.openssl.org/index.php/1.1_API_Changes">overview of
+ the changes</ulink>. If you can't update your software, there is also
+ <systemitem role="package">libssl1.0-dev</systemitem> which provides headers
+ against openssl 1.0.2.
+ </para>
+ </section>
+
</section>
</chapter>
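Review bot: In the "openssl enc" paragraph, -md is tagged as <command>, but it is an option of the command rather than a command itself, so <option>-md</option> would be the matching DocBook element. Since that paragraph already states the old default was MD5, it would also help readers to name the value needed to decrypt old files (-md md5) instead of only saying the digest "can be specified". A smaller style point: the body text writes "openssl" in lower case for the library ("openssl 1.1.0", "openssl 1.0.2") while the title uses "OpenSSL"; using one spelling for the project would read more consistently.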