On 8/24/18 6:15 PM, Peter Pentchev wrote:
> Sorry to be the bearer of a "those OS vendors did something again and now we have to catch up with them... again..." type of news, but, well, the maintainers of the Debian package of OpenSSL upgraded it to a prerelease 1.1.1 version and, in the process, changed the default cipher selection in the openssl.cnf file to 'SECLEVEL=2'.
Debian indeed has a history of making strange changes to OpenSSL and thus breaking compatibility with the upstream package. I honestly don't think it is fair to call those modified packages "OpenSSL".
Regardless of Debian, we will update the test certificates to use sha256.
> if there is a "ciphers" option in the config file, stunnel eventually dies with an error that I seem to remember having seen before; take a look at this gdb backtrace from stunnel 5.48:
This is a separate issue. I believe I managed to fix it. Please try: https://www.stunnel.org/downloads/beta/stunnel-5.49b4.tar.gz
> So, yeah, what would be the best way forward here?
I think the best way is to wait a few days for the updated upstream stunnel package, and then proceed with packaging it. Would it be okay with you?
Best regards, Mike