[QGIS-Developer] Debian testing - buster bug

Sebastiaan Couwenberg sebastic at xs4all.nl
Tue Sep 11 12:20:03 PDT 2018


On 9/11/18 8:06 PM, Richard Duivenvoorde wrote:
> On 09/11/2018 03:59 PM, Sebastiaan Couwenberg wrote:
>> The underlying issue is the removal of TLS < 1.2 support by default in
>> openssl 1.1.1, see: Debian Bug #875423 [0].
>>
>> TLS 1.0 and/or 1.1 support needs to be enabled explicitly using
>> SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version() as
>> mentioned in Message #70 [1].
>>
>> There is a separate issue for Qt5 which has a workaround in the
>> meantime. [2]
>>
>> [0] https://bugs.debian.org/875423
>> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423#70
>> [2] https://bugs.debian.org/908567
> 
> Mmm, Debian testing user here... :-)
> 
> Anything I can do to make (self compiled) QGIS work again? It is now
> more or less unusable to me as webservices and plugins are unavailable :(
> Can I do anything to fix it in my local version? Do I need to enable
> SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version() somewhere?

AFAIK this is done in libqt5network5 and the OpenSSL API is not
exposed through Qt to allow users to select the protocol version.

> We do not have power to fix apache on public services, but can I enable
> ssl protocol versions on plugins.qgis.org to make that work again?

It's a client-side issue, all code that uses the OpenSSL API needs to
account for the TLS 1.3 changes in OpenSSL 1.1.1, which is unlikely to
migrate to testing any time soon due to the massive breakage it caused in
unstable.

If I understand the issue correctly, TLS_MAX_VERSION was changed to TLS
1.3 in OpenSSL 1.1.1, but TLS 1.3 is not available in OpenSSL 1.1.0
which is still in testing.

Applications using the OpenSSL API also need to enable the older TLS
versions (< 1.3) explicitly using the *_set_min_proto_version()
functions or they will use TLS 1.3 by default when built with OpenSSL 1.1.1.

> Any other option?

Wait for libqt5network5 (5.11.1+dfsg-8) to migrate to testing [0]. It
contains a change to not require openssl 1.1.1 in testing to fix #907774
[1].

[0] https://qa.debian.org/excuses.php?package=qtbase-opensource-src
[1] https://bugs.debian.org/907774

Kind Regards,

Bas
