openssl broke with 1.1.1d-0+deb10u1

Discussion in 'Installation/Configuration' started by elmacus, Oct 2, 2019.

  1. elmacus

    elmacus Member HowtoForge Supporter

    Hi.
    Just to warn, the security update to 1.1.1d-0+deb10u1 broke our openssl to a bank.
    We use sury.org for PHP versions in ISPconfig.
    Error like: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
    Pinning to 1.1.1c-1+0~20190710.13+debian10~1.gbp359e02 fixed the bank problem.
    apt install openssl=1.1.1c-1+0~20190710.13+debian10~1.gbp359e02
    nano /etc/apt/preferences.d/openssl
    #add
    Package: openssl
    Pin: version 1.1.1c-1+0~20190710.13+debian10~1.gbp359e02
    Pin-Priority: 999

    So now wait for sury.org updates openssl to 1.1.1d. I did email Ondrej Sury.
     
    Last edited: Oct 2, 2019
    ahrasis and till like this.
  2. ahrasis

    ahrasis Well-Known Member

    Thank you. I will hold my update until that is fixed.
     
  3. elmacus

    elmacus Member HowtoForge Supporter

    Fixed by sury.org new openssl:
    1.1.1d-1+0~20191009.15+debian10~1.gbpd6badf
    So pin this new file so Debian do not overwrite by mistake.
    Was for Swish bankservice: https://www.getswish.se/
     
  4. elmacus

    elmacus Member HowtoForge Supporter

    Better to pin to this:
    Pin: release o=deb.sury.org
    Then check 2 last lines when running
    apt policy
    Should show:
    Pinned package:
    openssl -> 1.1.1d-1+0~20191009.15+debian10~1.gbpd6badf with priority 999
     

Share This Page