Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
On Sun, Mar 20, 2022 at 10:00:15PM +0100, Paul Gevers wrote:
> Dear Sebastian, Kurt,
>
> On 19-03-2022 12:33, Adam D Barratt wrote:
> > Upload details
> > ==============
> >
> > Package: openssl
> > Version: 1.1.1n-0+deb10u1
> >
> > Explanation: new upstream release
>
> We're seeing a regression in buster in the autopkgtest of gnutls28 with the
> new version of openssl on all tested architectures. Can you please have a
> look and advise? (bullseye doesn't seem to have the test anymore, hence it
> doesn't fail).
>
> https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
>
> Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> %NO_ETM: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> Failure: Failed
> *** Fatal error: A TLS fatal alert has been received.
> Failure: Failed
> FAIL [11]../../tests/suite/testcompat-main-openssl
>
> Which, according to me, is this check:
> https://sources.debian.org/src/gnutls28/3.6.7-4%2Bdeb10u7/tests/suite/testcompat-main-openssl/#L307

That test still seems to exist, but is just moved to a different file:
https://github.com/gnutls/gnutls/blob/master/tests/suite/testcompat-openssl-cli-common.sh#L255

My understanding is that gnutls now passes the correct list of signature
algorithms to use to OpenSSL's s_client to be able to do that test, and
that this is probably fixed by:
https://github.com/gnutls/gnutls/commit/23958322865a8a77c2f924f569484e5fd150a24b
(and https://github.com/gnutls/gnutls/commit/8259a1dc8503ad760c0887eb95278f9957a00667)

I'm trying to remember what was changed and why, but I can't
find/remember it.

Kurt