Package: openssl
Version: 1.0.0c-2
Severity: important

From x509(1ssl) manpage:

| The hash algorithm used in the -subject_hash and -issuer_hash options before
| OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the
| distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
| version of the DN using SHA1. This means that any directories using the old
| form must have their links rebuilt using c_rehash or similar.

Unfortunately that also means that if c_rehash is run on /etc/ssl/certs/ (e.g. by ca-certificates postinst), packages using GnuTLS or older OpenSSL won't be able to find certificates anymore.

Here's a proposed patch:
http://rt.openssl.org/Ticket/Display.html?id=2272&user=guest&pass=guest
(Though IMO compatibility symlinks should be created unconditionally.)

--
Jakub Wilk
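
A check for the situation this report describes, as an added example that is not part of the original message: for each certificate in a hashed directory it verifies that both the SHA1-form and the MD5-form link exist. It assumes an `openssl` binary from 1.0.0 or later, whose `x509` command provides `-subject_hash_old` for the pre-1.0.0 form; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a hashed CA directory for
# certificates that lack the SHA1-form (OpenSSL >= 1.0.0) or the MD5-form
# (pre-1.0.0) hash link. Prints one line per missing link.
# Usage: sh audit.sh /etc/ssl/certs   (exit status 1 if anything is missing)

# has_link DIR HASH FINGERPRINT
# Succeeds if some DIR/HASH.N resolves to a certificate with that fingerprint.
# The .N suffix exists because different subjects can share a hash value.
has_link() {
    for link in "$1/$2".[0-9]*; do
        [ -e "$link" ] || continue          # unmatched glob or dangling link
        got=$(openssl x509 -in "$link" -noout -fingerprint -sha256 2>/dev/null) || continue
        [ "$got" = "$3" ] && return 0
    done
    return 1
}

# audit_hash_links DIR
# Returns 0 when every *.pem / *.crt in DIR has both link forms, 1 otherwise.
audit_hash_links() {
    dir=$1
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Skip files that are not parseable X.509 certificates.
        want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || continue
        new=$(openssl x509 -in "$cert" -noout -subject_hash)
        old=$(openssl x509 -in "$cert" -noout -subject_hash_old)
        has_link "$dir" "$new" "$want" || {
            echo "$cert: no SHA1-form link $new.N"; missing=1; }
        has_link "$dir" "$old" "$want" || {
            echo "$cert: no MD5-form link $old.N"; missing=1; }
    done
    return "$missing"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_hash_links "$1"
fi
```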


