[stunnel-users] OpenSSL 1.1.1 secure level and also an old problem rearing up

Peter Pentchev roam at ringlet.net
Sun Aug 26 22:27:23 CEST 2018


On Sun, Aug 26, 2018 at 09:35:28PM +0200, Michal Trojnara wrote:
> On 8/24/18 6:15 PM, Peter Pentchev wrote:
> > Sorry to be the bearer of a "those OS vendors did something again and
> > now we have to catch up with them... again..." type of news, but, well,
> > the maintainers of the Debian package of OpenSSL upgraded it to
> > a prerelease 1.1.1 version and, in the process, changed the default
> > cipher selection in the openssl.cnf file to 'SECLEVEL=2'.
> 
> Debian indeed has a history of making strange changes to OpenSSL and
> thus breaking compatibility with the upstream package.  I honestly don't
> think it is fair to call those modified packages "OpenSSL".

I cannot say I disagree completely...

> Regardless of Debian, we will update the test certificates to use sha256.

Thanks!

> > if there is a "ciphers" option in the config file, stunnel eventually
> > dies with an error that I seem to remember having seen before; take
> > a look at this gdb backtrace from stunnel 5.48:
> 
> This is a separate issue.  I believe I managed to fix it.  Please try:
> https://www.stunnel.org/downloads/beta/stunnel-5.49b4.tar.gz

Yes, the changes between b3 and b4 do indeed fix this problem; many
thanks for the quick reaction!

> > So, yeah, what would be the best way forward here?
> 
> I think the best way is to wait a few days for the updated upstream stunnel
> package, and then proceed with packaging it.  Would it be okay with you?

Of course, there is no hurry; apologies if my previous message somehow
made it sound like there was any urgency.  Thank you once again for all
your work and for your understanding!

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13