On Sun, Aug 26, 2018 at 09:35:28PM +0200, Michal Trojnara wrote:
On 8/24/18 6:15 PM, Peter Pentchev wrote:
Sorry to be the bearer of a "those OS vendors did something again and now we have to catch up with them... again..." type of news, but, well, the maintainers of the Debian package of OpenSSL upgraded it to a prerelease 1.1.1 version and, in the process, changed the default cipher selection in the openssl.cnf file to 'SECLEVEL=2'.
Debian indeed has a history of making strange changes to OpenSSL and thus breaking compatibility with the upstream package. I honestly don't think it is fair to call those modified packages "OpenSSL".
I cannot say I disagree completely...
Regardless of Debian, we will update the test certificates to use sha256.
Thanks!
if there is a "ciphers" option in the config file, stunnel eventually dies with an error that I seem to remember having seen before; take a look at this gdb backtrace from stunnel 5.48:
This is a separate issue. I believe I managed to fix it. Please try: https://www.stunnel.org/downloads/beta/stunnel-5.49b4.tar.gz
Yes, the changes between b3 and b4 do indeed fix this problem; many thanks for the quick reaction!
So, yeah, what would be the best way forward here?
I think the best way is to wait a few days for the updated upstream stunnel package, and then proceed with packaging it. Would it be okay with you?
Of course, there is no hurry; apologies if my previous message somehow made it sound like there was any urgency. Thank you once again for all your work and for your understanding!
G'luck, Peter