Package: nim Version: 0.17.2-1 Severity: serious Tags: sid buster User: pkg-openssl-de...@lists.alioth.debian.org Usertags: openssl-1.1-trans Control: block 871056 by -1
Please migrate to libssl-dev in the Buster cycle. I am very sorry for this late report but this package was never on my list. It slipped because it never B-D on libssl1.0-dev. I looked at the package and the easy build fix is to add the 1.1 prefix to the libs it looks (in lib/wrappers/openssl.nim). The way it is now, the package (nimble binary) should not work if libssl-dev is installed because it parses the .so versions from left to right and first one is empty. So there is this which already should affect Stretch. There are a lot of defines and function names copied from the openssl's header files. Someone needs to double check those that there still the same. Function wise: SSL_library_init() and a few other macros towards "OPENSSL_init_ssl(0, NULL)" so "normal" C will work but if nim is accessing the functions directly then it will fail. SSLv23_client_method() and friends are also macros. If I read this right then if it is not available, then it will invoke TLSv1_method(). This will work in 1.1 but please don't do this. The problem with TLSv1_method() is that it will give you _only_ TLSv1 and _never_ TLSv1.1, and/or TLSv1.2 like SSLv23_client_method(). The "v23" functions should be around (for 1.0.2 and earlier) and for 1.1 you would to use TLS_client_method(). The v2 and v3 (and the TLSv1) could be disabled at build time. If you want to exclude a certain TLS version you should use something like SSL_OP_NO_TLSv1 to disable TLSv1 only (and keep other version like v1.1 and v1.2 around). Data strucures. All structures are opaque and you need to tell libssl to allocate it and free it. This means you can't have them on stack or dereference them. It seems that md5_* (md5_File) uses them on Stack. A larger collection of what changed in OpenSSL 1.0.2->1.1 is at https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes Sebastian
