Package: curl
Version: 7.64.0-4+deb10u1
Severity: important

This is a buster-only (AFAICT) bug: stretch (7.52.1-5+deb9u13)
doesn’t yet have the problem, and sid (7.74.0-1.1) works.

In a default buster installation /etc/ssl/openssl.cnf ends with
these fateful lines:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Trying to retrieve a document from a TLSv1.0-only server with
cURL’s designated option to choose TLSv1.0 fails:

(buster-i386)tglase@tglase:~ $ curl -1 https://www.mirbsd.org/~tg/Debs/REPOKEY
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Setting MinProtocol = TLSv1 instead allows it to work, which
is precisely what passing the -1 option on the command line
was supposed to do for this one invocation, as opposed to a
global setting change.

This is a pretty severe bug, impacting communication severely.
I only didn’t notice it earlier because I almost only use sid.
This really should be fixed in buster.

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages curl depends on:
ii  libc6     2.28-10
ii  libcurl4  7.64.0-4+deb10u1
ii  zlib1g    1:1.2.11.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
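
The failure in the report is driven by the [system_default_sect] values in openssl.cnf. The following added example (not part of the report, and not curl or Debian code) reads those values and writes a private copy with MinProtocol changed, so that a single command can be pointed at the copy through OPENSSL_CONF while the global file stays untouched. The sample config is constructed (only its last three lines are quoted in the report), the helper names and legacy.example are hypothetical, and it assumes the OpenSSL linked into libcurl honours the OPENSSL_CONF environment variable.

```shell
#!/bin/sh
# Added example, not from the bug report. The file written by write_sample is
# constructed; only its last three lines are quoted in the report.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Print the value of KEY inside [SECTION]; prints nothing if it is not set there.
conf_get() {  # usage: conf_get FILE SECTION KEY
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { name = $0; sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name); active = (name == sect); next }
        active && /^[ \t]*[^#=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# Copy FILE to OUT with KEY in [SECTION] set to VALUE; every other line is kept as-is.
conf_override() {  # usage: conf_override FILE SECTION KEY VALUE OUT
    awk -v sect="$2" -v key="$3" -v val="$4" '
        /^[ \t]*\[/ { name = $0; sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name); active = (name == sect) }
        active && /^[ \t]*[^#=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { print key " = " val; next }
        }
        { print }' "$1" > "$5"
}

tmp=$(mktemp -d)
write_sample "$tmp/openssl.cnf"
echo "system-wide floor: $(conf_get "$tmp/openssl.cnf" system_default_sect MinProtocol)"
conf_override "$tmp/openssl.cnf" system_default_sect MinProtocol TLSv1 "$tmp/legacy.cnf"
echo "scoped copy floor: $(conf_get "$tmp/legacy.cnf" system_default_sect MinProtocol)"
# Scoped to one invocation (assumption: libcurl's OpenSSL reads OPENSSL_CONF):
#   OPENSSL_CONF="$tmp/legacy.cnf" curl -1 https://legacy.example/
rm -rf "$tmp"
```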
