[Privoxy-devel] Bug#1075870: privoxy: FTBFS with MbedTLS 3.6
Roland Rosenfeld
roland at spinnaker.de
Sat Oct 12 16:09:50 CEST 2024
Hi Fabian!
On Sat, 12 Oct 2024, Fabian Keil wrote:
> > If privoxy is built against mbedtls 3.6.1, your patch seems to work as
> > expected, while it is broken with 3.6.0.
> >
> > I'm not sure whether this is a bug in 3.6.0, which is fixed in 3.6.1
> > or some incompatibility between the new privoxy code and 3.6.0.
>
> Great.
>
> I only tested with 3.6.1 but will try testing 3.6.0 in the next
> couple of days once my laptop is done building other packages.
>
> > I'll request the Debian maintainer packaging mbedtls 3.6.1...
>
> Am I correct to assume that Debian 13 and earlier will keep
> using MbedTLS 2.x even after it's no longer supported upstream?
Currently Debian 12 (bookworm) is the stable release; it will stay
with MbedTLS 2.28.8 (maybe plus some security fixes from 2.28.9).
There is no release date nor freeze date defined for Debian 13 (trixie)
(I expect a release in mid 2025), and trixie currently still has 2.28.8.
But the maintainer intends to jump to 3.6.0 (maybe 3.6.1) as a
transition, which means that 3.6.x replaces 2.28.x. It is not planned
to have them available in parallel and be able to toggle between them
by installing libmbedtls2-dev or libmbedtls3-dev. See
https://bugs.debian.org/1074248 for more information about this
transition. There seem to be 8 packages (including privoxy) that
currently do not build with mbedtls 3.6.
I can't tell you whether the transition will be done before the trixie release,
or delayed, because of the 8 packages currently failing with the upgrade.
> I ask because my current patch removes the MbedTLS 2.x code
> and is not backwards compatible ...
I noticed this. And I still consider your question from 2024-04-01:
| Why do you prefer mbedTLS over OpenSSL?
Back then I told you that testing against howsmyssl.com reports
mbedTLS equivalent to no-proxy while OpenSSL allows more additional
ciphers. I just retested this and it seems that my test was wrong or
something changed since then (maybe there was some caching issue when
testing).
This time mbedTLS 2.x only supports TLS 1.2 while OpenSSL supports
TLS 1.3.
In addition to this, mbedTLS 2.x supports many more ciphers than
OpenSSL.
Since OpenSSL is used much more often than mbedTLS, I expect a better
review there and expect it to have a better default configuration and
faster security updates etc.
So the only advantage of mbedTLS is that it was supported earlier in
privoxy, but in the meantime OpenSSL seems to be the "standard".
I had a look at other distributions and found out that most of them
(alpine, homebrew, mandriva, fedora, arch) seem to have no SSL library
activated. gentoo can be built with both mbedtls and openssl.
OpenSUSE and FreeBSD (okay, that's your baby) both use OpenSSL.
So for me this is a hint that I should switch to OpenSSL, too.
This would solve the mbedtls transition issue for me and the mbedtls
maintainer, since it breaks the dependency between these two packages.
Greetings
Roland