Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

To: 959469-quiet@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>, Paul Gevers <elbrus@debian.org>, 959469@bugs.debian.org, 959469-submitter@bugs.debian.org, pkg-gnutls-maint@lists.alioth.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 21 Mar 2022 14:59:00 +0100
Message-id: <YjiEpNywh/WHgQKN@breakpoint.cc>
Reply-to: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 959469@bugs.debian.org
In-reply-to: <[🔎] Yje0yxU2d0pcRBZ4@breakpoint.cc>
References: <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] E1nVXKY-0004FQ-Ty@coccia.debian.org> <[🔎] c00800fe-006c-a651-288c-15bd0bf84d86@debian.org> <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] YjennU2xkaWuyVfW@roeckx.be> <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] Yje0yxU2d0pcRBZ4@breakpoint.cc> <20200502163642.v4nhomgfa3oen7qp@flow>

On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote:
> doesn't help here but
> 	 -cipher "ALL:@SECLEVEL=1"
> 
> does. 

Only debci is affected. The package builds because this testsuite is not
part of the build process.
I prepared a NMU against Buster for gnutls. I can open later today a
buster-pu and do the upload unless someone objects or gnutls folks have
something in their queue.
Please let me know.

> > Kurt

Sebastian

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2021-05-14 13:33:38.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2022-03-21 14:52:01.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport testcompat-openssl-improve-testing-against-secured-O.patch to
+    pass testsuite with openssl 1.1.1e.
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 21 Mar 2022 14:52:01 +0100
+
 gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium
 
   * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2021-05-11 18:13:03.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2022-03-21 08:35:24.000000000 +0100
@@ -23,3 +23,4 @@
 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+testcompat-openssl-improve-testing-against-secured-O.patch
diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch
--- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch	2022-03-21 08:37:07.000000000 +0100
@@ -0,0 +1,274 @@
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Mon, 21 Mar 2022 07:44:25 +0100
+Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL
+
+[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ]
+
+In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
+requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
+allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
+and thus enabling testing more compatability combinations.
+
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ tests/suite/testcompat-main-openssl | 67 +++++++++++++----------------
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
+index d2708bfa8c710..2ea762faebaca 100755
+--- a/tests/suite/testcompat-main-openssl
++++ b/tests/suite/testcompat-main-openssl
+@@ -74,7 +74,6 @@ NO_TLS1_2=$?
+ 
+ test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+ 
+-
+ ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+ if test $? = 0;then
+ 	NO_DH_PARAMS=0
+@@ -82,18 +81,8 @@ else
+ 	NO_DH_PARAMS=1
+ fi
+ 
+-# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+-# are not accepted by openssl on debian.
+-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+-if test $? = 0;then
+-	NO_DSS=1
+-	FIPS_CURVES=1
+-else
+-	${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+-	NO_DSS=$?
+-fi
+-
+-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
++NO_DSS=$?
+ 
+ if test $NO_DSS != 0;then
+ 	echo "Disabling interop tests for DSS ciphersuites"
+@@ -121,6 +110,10 @@ NO_NULL=$?
+ 
+ test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+ 
++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
++NO_PRIME192v1=$?
++
++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+ 
+ if test "${NO_DH_PARAMS}" = 0;then
+ 	OPENSSL_DH_PARAMS_OPT=""
+@@ -218,7 +211,7 @@ run_client_suite() {
+ 
+ 	#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -267,9 +260,9 @@ run_client_suite() {
+ 	kill ${PID}
+ 	wait
+ 
+-	if test "${FIPS_CURVES}" != 1; then
++	if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -283,7 +276,7 @@ run_client_suite() {
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++		launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -298,7 +291,7 @@ run_client_suite() {
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -312,7 +305,7 @@ run_client_suite() {
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -326,7 +319,7 @@ run_client_suite() {
+ 
+ 	#-cipher PSK
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
++	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+@@ -341,7 +334,7 @@ run_client_suite() {
+ 		# Tests requiring openssl 1.0.1 - TLS 1.2
+ 		#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+@@ -442,7 +435,7 @@ run_client_suite() {
+ 	wait
+ 
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_udp_server ${PID}
+ 
+@@ -455,7 +448,7 @@ run_client_suite() {
+ 	wait
+ 
+ 	eval "${GETPORT}"
+-	launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++	launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 	PID=$!
+ 	wait_udp_server ${PID}
+ 
+@@ -469,7 +462,7 @@ run_client_suite() {
+ 
+ 	if test "${NO_DSS}" = 0; then
+ 		eval "${GETPORT}"
+-		launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++		launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ 		PID=$!
+ 		wait_udp_server ${PID}
+ 
+@@ -591,7 +584,7 @@ run_server_suite() {
+ 	PID=$!
+ 	wait_server ${PID}
+ 
+-	${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -604,7 +597,7 @@ run_server_suite() {
+ 		PID=$!
+ 		wait_server ${PID}
+ 
+-		${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -618,7 +611,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-RSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -632,7 +625,7 @@ run_server_suite() {
+ 		wait_server ${PID}
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+-		${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -646,7 +639,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -659,7 +652,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher ECDHE-ECDSA-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -673,7 +666,7 @@ run_server_suite() {
+ 		wait_server ${PID}
+ 
+ 		#-cipher ECDHE-ECDSA-AES128-SHA
+-		${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+@@ -687,7 +680,7 @@ run_server_suite() {
+ 	wait_server ${PID}
+ 
+ 	#-cipher PSK-AES128-SHA
+-	${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
++	${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -726,7 +719,7 @@ run_server_suite() {
+ 			PID=$!
+ 			wait_server ${PID}
+ 
+-			${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++			${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 				fail ${PID} "Failed"
+ 
+ 			kill ${PID}
+@@ -768,7 +761,7 @@ run_server_suite() {
+ 			wait_server ${PID}
+ 
+ 			#-cipher ECDHE-ECDSA-AES128-SHA
+-			${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++			${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 				fail ${PID} "Failed"
+ 
+ 			kill ${PID}
+@@ -839,7 +832,7 @@ run_server_suite() {
+ 	wait_udp_server ${PID}
+ 
+ 
+-	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -853,7 +846,7 @@ run_server_suite() {
+ 	wait_udp_server ${PID}
+ 
+ 
+-	${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++	${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 		fail ${PID} "Failed"
+ 
+ 	kill ${PID}
+@@ -868,7 +861,7 @@ run_server_suite() {
+ 		wait_udp_server ${PID}
+ 
+ 
+-		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ 			fail ${PID} "Failed"
+ 
+ 		kill ${PID}
+-- 
+2.35.1
+

Reply to:

Follow-Ups:
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Andreas Metzler <ametzler@bebt.de>

References:
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Paul Gevers <elbrus@debian.org>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Kurt Roeckx <kurt@roeckx.be>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1
Next by Date: Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1
Previous by thread: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
Next by thread: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
Index(es):
- Date
- Thread