Another day, another Debian buster upgrade gremlin
Buster just made my life interesting again. My Asterisk install lost TLS. The only message was tcptls.c failing to load the cert at line 441. No reason, nothing. Just no TLS.
Debian bug 941011: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941011
While I was originally tempted to swear at Asterisk, the real culprit here is OpenSSL. The people who develop it have come up with a really "wonderful" error API. It can dump only to file or file-like objects. No way of interfacing into application logging whatsoever. Just lovely.
As a result of sticking some inappropriate debug prints into the file, I now know the reason for the silent TLS drop. OpenSSL will now refuse to load any older certs whose digest it deems too weak. In my case it was SHA1. Due to the way the OpenSSL API deals with error detail, most apps will silently refuse to work without any additional debug info.
The culprit is this concept: https://en.wikibooks.org/wiki/OpenSSL/Error_handling
Whoever implemented it without providing any output to a string or internal IPC stream needs to have their ear bent in public a few times.
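
A pre-upgrade check for the failure described above, as an added example that is not part of the original post: it reads each certificate's signature algorithm with `openssl x509` and flags SHA-1 (the digest named above) and, as an assumption of this example, MD5. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag PEM certificates signed with a SHA-1 or MD5 digest,
# so they can be reissued before an upgrade makes TLS silently disappear.
# Usage: sh audit-certs.sh /etc/asterisk/keys/*.pem   (path is illustrative)

# Print the first "Signature Algorithm:" value found in
# `openssl x509 -noout -text` output supplied on stdin.
sigalg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Classify a signature algorithm name: prints "weak" or "ok".
# The weak list (SHA-1, MD5) is this example's assumption. RSA-PSS
# certificates name their hash on a separate line and are not covered.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) echo weak ;;
        *) echo ok ;;
    esac
}

# Report on one PEM file; returns non-zero if its digest is weak.
# Only the first certificate in the file is read, so split chain
# files and check each certificate separately.
check_cert() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sigalg_from_text)
    if [ -z "$alg" ]; then
        echo "skip $1 (not a readable certificate)"
        return 0
    fi
    verdict=$(classify_sigalg "$alg")
    echo "$verdict $1 ($alg)"
    [ "$verdict" = ok ]
}

# Check every file named on the command line; returns 1 if any is weak.
audit_certs() {
    rc=0
    for f in "$@"; do
        check_cert "$f" || rc=1
    done
    return $rc
}

audit_certs "$@"
```

The script exits non-zero when any certificate is flagged, so it can gate an upgrade or run from a monitoring job.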