Hi,

the openssl package provides the c_rehash script which creates the links from XXXXXXXX.Y to the actual certificate in /etc/ssl/certs/. During the transition from 0.9.8 to 1.0.0 the hash (for the X part) changed from md5 to sha1. Since that transition in Debian the c_rehash script provides both symlinks: the old hash (md5) and the new (sha1) one.

The c_rehash script is considered by upstream as a fallback script and will disappear at some point. The recommended way is to use the "openssl rehash" command instead, which appeared in 1.1.0. This command creates half that many symlinks (one per certificate instead of two) because it uses only the sha1 hash. There is also the -compat option which creates both symlinks (and behaves like c_rehash currently does) but as explained above it should not be required to use it.

I am planning to file bugs against 23 packages which use "c_rehash" to use "openssl rehash" instead.

Here is the dd-list of packages I identified:

Alessio Di Mauro <[email protected]>
   yubico-piv-tool (U)
Antonio Terceiro <[email protected]>
   ruby-openssl (U)
Christian Perrier <[email protected]>
   ca-certificates (U)
Cyril Brulebois <[email protected]>
   debian-installer (U)
Cédric Boutillier <[email protected]>
   ruby-httparty (U)
Dain Nilsson <[email protected]>
   yubico-piv-tool (U)
David Bremner <[email protected]>
   racket
Debian AppArmor Team <[email protected]>
   apparmor
Debian Authentication Maintainers <[email protected]>
   yubico-piv-tool
Debian Chromium Maintainers <[email protected]>
   chromium-browser
Debian FreeRADIUS Packaging Team <[email protected]>
   freeradius
Debian Install System Team <[email protected]>
   debian-installer
Debian OpenLDAP Maintainers <[email protected]>
   openldap
Debian QA Group <[email protected]>
   sendmail
Debian Ruby Extras Maintainers <[email protected]>
   ruby-httparty
   ruby-openssl
Felix Lechner <[email protected]>
   wolfssl
Iain R. Learmonth <[email protected]>
   scapy (U)
   scapy3k (U)
Internet Measurement Packaging Team <[email protected]>
   scapy
   scapy3k
intrigeri <[email protected]>
   apparmor (U)
Josip Rodin <[email protected]>
   freeradius (U)
Klas Lindfors <[email protected]>
   yubico-piv-tool (U)
LaMont Jones <[email protected]>
   postfix
Laszlo Boszormenyi (GCS) <[email protected]>
   sx
Mark Brown <[email protected]>
   xemacs21-packages
Mark Hymers <[email protected]>
   freeradius (U)
Markus Wanner <[email protected]>
   courier
Matthijs Möhlmann <[email protected]>
   openldap (U)
Michael Gilbert <[email protected]>
   chromium-browser (U)
Michael Shuler <[email protected]>
   ca-certificates
Michael Stapelberg <[email protected]>
   freeradius (U)
Raphael Geissert <[email protected]>
   ca-certificates (U)
Riku Voipio <[email protected]>
   chromium-browser (U)
Roger A. Light <[email protected]>
   mosquitto
Ryan Tandy <[email protected]>
   openldap (U)
Sam Hartman <[email protected]>
   freeradius (U)
Scott Kitterman <[email protected]>
   postfix (U)
Sebastian Reichel <[email protected]>
   python-paho-mqtt
Sebastien Delafond <[email protected]>
   mitmproxy
Simon Josefsson <[email protected]>
   yubico-piv-tool (U)
Stephen Gran <[email protected]>
   freeradius (U)
Steve Langasek <[email protected]>
   openldap (U)
Tatsuya Kinoshita <[email protected]>
   wl
   wl-beta
Thijs Kinkhorst <[email protected]>
   ca-certificates (U)
Torsten Landschoff <[email protected]>
   openldap (U)

Sebastian
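
Added example, not part of the original mail and not code from the openssl package: a shell check that reports whether a certificate directory holds one hash link per certificate (what the mail says "openssl rehash" creates) or two (what c_rehash and -compat create). The function names and the sample hash values are made up for illustration; it assumes link targets contain no tab characters.

```sh
#!/bin/sh
# Added example: classify a certificate directory by the number of hash
# symlinks that point at each certificate file. openssl is not invoked.

# Print "<target><TAB><link name>" for every symlink in DIR whose name looks
# like a hash link: 8 hex digits, a dot, a decimal index.
list_hash_links() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || continue
        printf '%s\t%s\n' "$(readlink "$link")" "$name"
    done
}

# Print one word for DIR:
#   single  every linked certificate has exactly one hash link
#   compat  every linked certificate has exactly two hash links
#   mixed   anything else, e.g. only part of the directory was rehashed
#   none    no hash links found
hash_link_layout() {
    list_hash_links "$1" | awk -F '\t' '
        { n[$1]++ }
        END {
            for (t in n) { total++; if (n[t] == 1) one++; else if (n[t] == 2) two++ }
            if (!total)            print "none"
            else if (one == total) print "single"
            else if (two == total) print "compat"
            else                   print "mixed"
        }'
}

# Constructed sample: empty files stand in for certificates and the hash
# values are invented.
demo=$(mktemp -d)
: > "$demo/ca-one.pem"; : > "$demo/ca-two.pem"
ln -s ca-one.pem "$demo/1a2b3c4d.0"
ln -s ca-two.pem "$demo/1a2b3c4d.1"   # same hash, next index: a collision
hash_link_layout "$demo"              # single
ln -s ca-one.pem "$demo/9f8e7d6c.0"   # second link for ca-one.pem only
hash_link_layout "$demo"              # mixed
ln -s ca-two.pem "$demo/0a1b2c3d.0"   # now two links per certificate
hash_link_layout "$demo"              # compat
rm -rf "$demo"
```

Links are grouped by target rather than by hash value, so two certificates that share a hash (.0 and .1) are not mistaken for a compat pair.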

