On Wed, 3 Apr 2019 at 22:57, Kurt Roeckx <k...@roeckx.be> wrote:
>
> On Wed, Apr 03, 2019 at 11:23:19PM +0200, Cyril Brulebois wrote:
> > 1726 write(2, "Disabling SSL due to encountered errors.\n", 41) = 41
>
> Looking at the source, about the only reason I can see to get that
> is that SSL_CTX_new() failed.
>
> But the commit message at least indicates that it should just continue.
>
> wget in buster actually seems to be linked to gnutls, and trying
> other applications just seem to work without config file.
>
Using the CTX API is optional, so I expect other apps would fail too if one forces them to use CTX APIs (e.g. like client cert auth), but it's unlikely to be done in d-i / udeb.

I do think cherry-picking the patch Kurt identified should be done. But I also think that openssl.cnf should be shipped in libssl1.1-udeb (either in /usr directly - see my patch, or a symlink in /usr and a real file in /etc like in openssl.deb) because Debian's default openssl.cnf raises the minimum required protocol / TLS security level higher than what is compiled into libssl1.1-udeb without a config file. Otherwise the person who discovers that d-i can talk to an https server, but in-target Debian cannot, will be rightfully confused.

Unless we decide that we don't care, as this is quite a niche corner case.

--
Regards,
Dimitri.
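The mismatch described above, as an added example that is not from this thread: a POSIX sh script that follows the section chain Debian's openssl.cnf uses (openssl_conf -> ssl_conf -> system_default; this layout is an assumption, reproduced in a constructed sample) to report the MinProtocol and @SECLEVEL a config file imposes, and falls back to the library's compiled-in defaults (assumed: no minimum protocol, security level 1) when no file is present, which is the libssl1.1-udeb case.

```shell
#!/bin/sh
# Added example, not code from the thread. Resolves what a given openssl.cnf
# imposes system-wide versus what libssl uses with no config file at all.

# cnf_get FILE SECTION KEY: print KEY's value from [SECTION] ("" means the
# global part before any header). Prints nothing if file or key is absent.
cnf_get() {
  [ -r "$1" ] || return 0
  awk -v want="$2" -v key="$3" '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[[ \t]*/, "", sec)
                  sub(/[ \t]*\].*$/, "", sec); next }
    sec == want && index($0, "=") {
      k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                      sub(/[ \t]*$/, "", v); print v; exit }
    }' "$1"
}

# system_default_section FILE: name of the section holding the SSL_CONF
# defaults, following openssl_conf -> ssl_conf -> system_default (assumed layout).
system_default_section() {
  top=$(cnf_get "$1" "" openssl_conf);  [ -n "$top" ] || return 0
  ssl=$(cnf_get "$1" "$top" ssl_conf);  [ -n "$ssl" ] || return 0
  cnf_get "$1" "$ssl" system_default
}

effective_min_protocol() {   # e.g. TLSv1.2, or "unset" = compiled-in default
  sec=$(system_default_section "$1")
  v=; [ -n "$sec" ] && v=$(cnf_get "$1" "$sec" MinProtocol)
  printf '%s\n' "${v:-unset}"
}

effective_seclevel() {       # @SECLEVEL from CipherString, else library default 1
  sec=$(system_default_section "$1")
  cs=; [ -n "$sec" ] && cs=$(cnf_get "$1" "$sec" CipherString)
  case $cs in
    *@SECLEVEL=*) printf '%s\n' "${cs##*@SECLEVEL=}" ;;
    *)            echo 1 ;;
  esac
}

# Constructed sample modelled on the Debian layout (not the real shipped file).
SAMPLE_CNF=$(mktemp); cat > "$SAMPLE_CNF" <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
```

Run it against /etc/ssl/openssl.cnf on the installed system and against a missing path to see the two environments the thread contrasts side by side.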