[arch-general] [arch-dev-public] openssl 1.0 rebuild

Jim Pryor lists+arch-general at jimpryor.net
Wed Apr 7 07:05:45 EDT 2010

On Wed, Apr 07, 2010 at 11:49:10AM +0200, Thomas Bächler wrote:
> On 30.03.2010 03:36, Pierre Schmitz wrote:
> > I created a rebuild list for the just released openssl 1.0.0 (Thanks Dan
> > for fixing the todo list that fast!). These are 236 packages for each
> > architecture; so this will need some kind of planning and a bunch of people
> > to help. But for now I'll at least wait for the Gnome and KDE release and
> > also Allan's heimdal rebuilds.
> > 
> > Fedora uses openssl 1 since Fedora 12 which means if there are any issues
> > we'll probably find a solution there. Till then I just need to port the man
> > page patch (easy) and see why it compiles with -DOPENSSL_IA32_SSE2 on
> > x86_64 and if that is an issue at all.
> The new openssl breaks RADIUS authentication with wpa_supplicant for me.
> It fails to verify the CA certificate and aborts authentication. It
> works if I disable verification of the certificates in the configuration
> (which is bad, but still helps).

I noticed something which sounds similar. After I synched, I rebuilt elinks-git against
all the new libs I had installed. Then I noticed I was getting ssl
errors whenever I went to an https: site. Turns out I needed to turn off
the option connection.ssl.cert_verify:

## connection.ssl.cert_verify [0|1]
#  Verify the peer's SSL certificate. Note that this needs extensive
#  configuration of OpenSSL by the user.
set connection.ssl.cert_verify = 0

Despite the "extensive configuration" warning, this was working
before, but after rebuilding against openssl 1.0.0, it's not.

The openssl upgrade brought some changes to /etc/ssl/openssl.cnf. I
haven't tracked down yet whether any of those may be responsible for

Jim Pryor
profjim at jimpryor.net

