FS#53026 - [openssl-1.0] Please ship openssl binary with package
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Sunday, 19 February 2017, 23:38 GMT
Last edited by Jan de Groot (JGC) - Saturday, 25 February 2017, 22:39 GMT
Details
The current openssl-1.0 package in the staging repository lacks the openssl binary. Please add this binary (with some version suffix) because both versions support different sets of cipher suites, and use cipher suites with different ordering/priorities. For example, version 1.0 simply orders them by the strength of the symmetric cipher used, whilst version 1.1 also considers things like perfect forward secrecy. Also, version 1.0 prioritizes RSA over ECDSA whilst version 1.1 prioritizes ECDSA over RSA.
To enable users to properly evaluate the implications of a certain "ciphers" string when configuring software that uses OpenSSL 1.0, the corresponding "/usr/bin/openssl" binary is required.
Closed by Jan de Groot (JGC)
Saturday, 25 February 2017, 22:39 GMT
Reason for closing: Implemented
Additional comments about closing: implemented in -2.
https://packages.debian.org/source/sid/openssl1.0
The openssl-1.0 package is only meant to provide compatibility for binary applications that haven't been recompiled against OpenSSL 1.1.x, so I see no reason to have the openssl tool for those.
The very same "ciphers" string will yield quite different results/behaviour for different versions of OpenSSL, which is why you can't use the OpenSSL 1.1 version of the binary if you want to configure software using OpenSSL 1.0. Just compare the output of "openssl ciphers AESGCM" for both OpenSSL versions - you'll note quite a bunch of differences.
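The comparison suggested above, as an added example that is not part of this bug report: a small Python tool that parses `openssl ciphers -v` output from two builds and reports whether the same cipher string expands to the same suites, and where forward-secret, RSA and ECDSA suites land in each build's preference order. The two sample outputs are constructed to illustrate the 1.0 versus 1.1 ordering described in the report, not captured from real binaries.

```python
import re
from typing import Dict, List, Optional

# Constructed `openssl ciphers -v` output standing in for a 1.0-style build
# (sorted by symmetric strength, RSA ahead of ECDSA) and a 1.1-style build
# (forward secrecy and ECDSA first) expanding "AESGCM". Not real captures.
SAMPLE_10 = """\
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(128) Mac=AEAD
"""
SAMPLE_11 = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(128) Mac=AEAD
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
FIELDS = ("name", "proto", "kx", "au", "enc", "mac")

def parse_ciphers_v(output: str) -> List[Dict[str, str]]:
    """One dict per suite, in the order the build would offer them."""
    suites = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank lines and anything not in the -v line format
            suites.append(dict(zip(FIELDS, m.groups())))
    return suites

def ordering_report(suites: List[Dict[str, str]]) -> Dict[str, Optional[int]]:
    """0-based position (None if absent) of the first suite without forward
    secrecy, the first RSA-authenticated suite and the first ECDSA suite."""
    def first(pred):
        return next((i for i, s in enumerate(suites) if pred(s)), None)
    return {"first_non_pfs": first(lambda s: s["kx"] not in ("ECDH", "DH")),
            "first_rsa": first(lambda s: s["au"] == "RSA"),
            "first_ecdsa": first(lambda s: s["au"] == "ECDSA")}

def compare_cipher_lists(out_a: str, out_b: str) -> Dict[str, bool]:
    """Same set of suites? Same preference order?"""
    a = [s["name"] for s in parse_ciphers_v(out_a)]
    b = [s["name"] for s in parse_ciphers_v(out_b)]
    return {"same_set": set(a) == set(b), "order_differs": a != b}
```

To audit a real configuration, feed the functions the captured output of `openssl ciphers -v '<string>'` from each installed binary (the exact name of the suffixed 1.0 binary depends on what the package installs).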
To be honest, I don't see a reason why that executable should *not* be shipped. Not shipping it does not save anybody any work, it only creates more work for those who need the binary. The only thing it would cost is about 600KB disk space or 200KB in compressed package size.