[stunnel-users] OpenSSL 1.1.1 secure level and also an old problem rearing up

Michal Trojnara Michal.Trojnara at stunnel.org
Sun Aug 26 21:35:28 CEST 2018

On 8/24/18 6:15 PM, Peter Pentchev wrote:
> Sorry to be the bearer of a "those OS vendors did something again and
> now we have to catch up with them... again..." type of news, but, well,
> the maintainers of the Debian package of OpenSSL upgraded it to
> a prerelease 1.1.1 version and, in the process, changed the default
> cipher selection in the openssl.cnf file to 'SECLEVEL=2'.

Debian indeed has a history of making strange changes to OpenSSL and thus breaking compatibility with the upstream package.  I honestly don't think it is fair to call those modified packages "OpenSSL".

Regardless of Debian, we will update the test certificates to use sha256.

> if there is a "ciphers" option in the config file, stunnel eventually
> dies with an error that I seem to remember having seen before; take
> a look at this gdb backtrace from stunnel 5.48:

This is a separate issue.  I believe I manged to fix it.  Please try:

> So, yeah, what would be the best way forward here?

I think the best way is wait a few days for the updated upstream stunnel package, and then proceed with packaging it.  Would it be okay with you?

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180826/c5fe6a62/attachment.sig>

More information about the stunnel-users mailing list