Package: openssl
Version: 1.1.1a-1
Severity: important
Control: found -1 1.1.1~~pre3-1
Control: affects -1 steam
The openssl.cnf in the openssl package since 1.1.1~~pre3-1 is incompatible with libssl < 1.1.0 (I think that's the right cutoff point), either from a partial upgrade or bundled with third-party software. It should probably at least have a Breaks on libssl1.0.2, to protect partial upgrades from stretch. Some release notes for users of third-party software might also be useful.

I realise it probably isn't feasible to keep openssl.cnf compatible with all past and future versions. It would perhaps be a good idea for future OpenSSL branches to use a configuration file that's tied to the major version in their SONAME, or otherwise parallel-installable? (openssl1.1.0.cnf, etc.)

Minimal reproducer:

* start from Debian testing (buster)
* unpack libssl1.0.2 1.0.2q-2, from unstable, and openssl 1.0.2j-1 from snapshots.debian.org (the newest openssl.deb that still depended on libssl1.0.2) into ~/102
* then run:

    LD_LIBRARY_PATH=$HOME/102/usr/lib/x86_64-linux-gnu $HOME/102/usr/bin/openssl s_client example.com:443

Expected result: successful connection

Actual result:

    Error configuring OpenSSL
    140099788864256:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
    140099788864256:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
    140099788864256:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
    140099788864256:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf

The same thing can be reproduced with libssl1.0.0 and openssl from jessie.

Workaround: use OPENSSL_CONF=/dev/null when running software that depends on an older libssl.

For context, libssl_conf.so never actually existed on disk, and isn't really meant to.
In OpenSSL's approach to configuration, /etc/ssl/openssl.cnf configuration parameters cause loading of native-code modules, which can either be built-in to libcrypto or libssl, or real files on disk to be dlopen()ed (like the way Python's sys module is built-in to the interpreter, but its readline module is external). libssl_conf.so in the default library search path (!) is one of several names OpenSSL would try for the ssl_conf module - I think the reason it appears in the error message is that it's the last one to be tried.

Since 1.1.0 (commit 59b1696c), there is an ssl_conf module built-in to libssl. It moved into libcrypto in 1.1.1 (commit d8f031e8).

In Debian, since 1.1.1 (August 2018, if we don't count experimental), /etc/ssl/openssl.cnf has made use of the ssl_conf mechanism to enforce TLS1.2 as the minimum protocol, and 112-bit security (level 2) as the minimum security level. This file is only installed if the openssl package (containing the openssl command-line tool) is installed. However, ca-certificates depends on openssl, so in practice basically all users will have it.

This affects libssl1.0.0 in the Steam Runtime installed by the non-free steam package, and possibly other third-party software bundles. (<https://github.com/ValveSoftware/steam-for-linux/issues/6014>)

smcv
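The check a packager or bundler would want to run before shipping an old libssl against a new openssl.cnf, as an added example that is not part of the bug report or of Debian's openssl packaging. It follows the top-level `openssl_conf` pointer to the init section, lists the modules named there, and flags the combination of an `ssl_conf` entry with a libssl older than 1.1.0 (the cutoff stated in the report). The sample config is constructed here, modelled on Debian's 1.1.1 /etc/ssl/openssl.cnf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's openssl packaging.
# Detects openssl.cnf files that rely on the ssl_conf module (built in to
# libssl/libcrypto only from 1.1.0 onwards) and reports whether a program
# linked against a given libssl version can load them without the
# "unknown module name" failure quoted in the report.
set -u

# Constructed sample config, modelled on Debian's 1.1.1 /etc/ssl/openssl.cnf:
# the default section points at [default_conf], which pulls in ssl_conf.
write_sample_cnf() {
    cat > "$1" <<'EOF'
HOME = .
openssl_conf = default_conf    # default-section pointer read at init

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = system_default_sect

[ system_default_sect ]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Print, one per line, the module names configured in the section that the
# top-level `openssl_conf` key points at (the section OpenSSL runs at init).
cnf_init_modules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comments, blank lines
        /^[[:space:]]*\[/ {                                    # "[ name ]" header
            sect = $0
            sub(/^[[:space:]]*\[[[:space:]]*/, "", sect)
            sub(/[[:space:]]*\].*$/, "", sect)
            next
        }
        index($0, "=") {                                       # "key = value"
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            sub(/#.*$/, "", v)                                 # drop trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (sect == "" && k == "openssl_conf") init = v    # default section
            else if (sect != "") keys[sect] = keys[sect] k "\n"
        }
        END { if (init != "" && (init in keys)) printf "%s", keys[init] }
    ' "$1"
}

# Succeeds when the config asks for the ssl_conf module at init time.
cnf_needs_ssl_conf() { cnf_init_modules "$1" | grep -qx ssl_conf; }

# $1: libssl version string such as 1.0.2q or 1.1.1a. Succeeds when >= 1.1.0,
# i.e. when libssl/libcrypto carries the built-in ssl_conf module.
libssl_has_ssl_conf_module() {
    major=$(printf '%s' "${1%%.*}" | tr -cd '0-9')
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | tr -cd '0-9')
    [ "${major:-0}" -gt 1 ] || { [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -ge 1 ]; }
}

# $1: openssl.cnf path, $2: libssl version the program is linked against.
# Prints "incompatible" for the situation in this report (config needs
# ssl_conf, library cannot provide it), otherwise "ok".
check_compat() {
    if cnf_needs_ssl_conf "$1" && ! libssl_has_ssl_conf_module "$2"; then
        echo incompatible
    else
        echo ok
    fi
}

# Demo: the Debian-style config against libssl1.0.2 and against libssl1.1.
cnf=$(mktemp)
write_sample_cnf "$cnf"
for ver in 1.0.2q 1.1.1a; do
    printf 'libssl %s with %s: %s\n' "$ver" "$cnf" "$(check_compat "$cnf" "$ver")"
done
# Workaround from the report for a program stuck with the old libssl:
#   OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=... ./bundled-program
rm -f "$cnf"
```

Point `check_compat` at the real /etc/ssl/openssl.cnf and at the version of the libssl a third-party bundle ships to see whether that bundle will hit the error above; a config that only sets keys under other sections (engines, request defaults) passes, since the only module that matters here is the one named in the init section.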