Version in base suite: 1.1.22-1 Base version: erlang-p1-tls_1.1.22-1 Target version: erlang-p1-tls_1.1.22-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/erlang-p1-tls/erlang-p1-tls_1.1.22-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/erlang-p1-tls/erlang-p1-tls_1.1.22-1+deb13u1.dsc changelog | 7 + patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch | 111 +++++++++++++++++ patches/series | 1 3 files changed, 119 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpq1flsp6j/erlang-p1-tls_1.1.22-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpq1flsp6j/erlang-p1-tls_1.1.22-1+deb13u1.dsc: no acceptable signature found diff -Nru erlang-p1-tls-1.1.22/debian/changelog erlang-p1-tls-1.1.22/debian/changelog --- erlang-p1-tls-1.1.22/debian/changelog 2025-02-09 10:09:55.000000000 +0000 +++ erlang-p1-tls-1.1.22/debian/changelog 2026-02-10 18:41:06.000000000 +0000 @@ -1,3 +1,10 @@ +erlang-p1-tls (1.1.22-1+deb13u1) trixie; urgency=medium + + * Add upstream commit which allows accepting client certificates without + the sslclient purpose flag (Closes: #1127369) + + -- Philipp Huebner Tue, 10 Feb 2026 19:41:06 +0100 + erlang-p1-tls (1.1.22-1) unstable; urgency=medium * New upstream version 1.1.22 diff -Nru erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch --- erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch 2026-02-10 18:41:06.000000000 +0000 @@ -0,0 +1,111 @@ +From f1e55d6d6bdf109ebc48dda880d028c95f349c3b Mon Sep 17 00:00:00 2001 +From: Pawel Chmielowski +Date: Mon, 7 Jul 2025 10:13:50 +0200 +Subject: [PATCH] Add flag to allow accepting client cert without sslclient + purpose flag + +--- + c_src/fast_tls.c | 22 ++++++++++++++++++++-- + src/fast_tls.erl | 7 ++++++- + 2 files changed, 26 insertions(+), 3 deletions(-) + +Index: erlang-p1-tls/c_src/fast_tls.c +=================================================================== +--- erlang-p1-tls.orig/c_src/fast_tls.c ++++ erlang-p1-tls/c_src/fast_tls.c +@@ -26,6 +26,7 @@ + #include + #include + #endif ++#include + #include + #include + #include +@@ -263,6 +264,19 @@ static int verify_callback(int preverify + } + + /* ++ * Override cert purpose, to accept certificates that have only ++ * server purpose flag as client certificate (needed for s2s authentication). ++ */ ++static int cert_verify_callback(X509_STORE_CTX *x509, void *ptr) { ++ X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(x509); ++ if (param) { ++ X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_SSL_SERVER); ++ X509_VERIFY_PARAM_set_trust(param, X509_TRUST_SSL_SERVER); ++ } ++ return X509_verify_cert(x509); ++} ++ ++/* + * ECDHE is enabled only on OpenSSL 1.0.0e and later. + * See http://www.openssl.org/news/secadv_20110906.txt + * for details. +@@ -549,6 +563,7 @@ static int ssl_sni_callback(const SSL *s + #define SET_CERTIFICATE_FILE_CONNECT 2 + #define VERIFY_NONE 0x10000 + #define COMPRESSION_NONE 0x100000 ++#define OVERRIDE_CERT_PURPOSE 0x200000 + + static ERL_NIF_TERM ssl_error(ErlNifEnv *env, const char *errstr) { + size_t rlen; +@@ -579,6 +594,7 @@ static SSL_CTX *create_new_ctx(char *cer + char *ciphers, unsigned char *dh, size_t dh_size, + char *dh_file, char *ca_file, + unsigned int command, ++ unsigned long flags, + char **err_str) { + long verifyopts; + int res = 0; +@@ -650,6 +666,8 @@ static SSL_CTX *create_new_ctx(char *cer + SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); + #endif + SSL_CTX_set_verify(ctx, verifyopts, verify_callback); ++ if (flags & OVERRIDE_CERT_PURPOSE) ++ SSL_CTX_set_cert_verify_callback(ctx, cert_verify_callback, NULL); + + #ifndef SSL_OP_NO_RENEGOTIATION + SSL_CTX_set_info_callback(ctx, &ssl_info_callback); +@@ -721,7 +739,7 @@ static char *create_ssl_for_cert(char *c + + enif_rwlock_rwlock(certs_map_lock); + SSL_CTX *ctx = create_new_ctx(cert_file, key_file, ciphers, dh, dh_size, +- dh_file, ca_file, command, &ret); ++ dh_file, ca_file, command,options & OVERRIDE_CERT_PURPOSE, &ret); + if (ret == NULL) { + new_info = enif_alloc(sizeof(cert_info_t)); + if (new_info) { +@@ -839,7 +857,7 @@ static ERL_NIF_TERM open_nif(ErlNifEnv * + state->dh_file = (char*)(state->dh + dh_bin.size + 1); + state->ca_file = state->dh_file + dhfile_bin.size + 1; + sni = state->ca_file + cafile_bin.size + 1; +- state->options = options; ++ state->options = options | (flags & OVERRIDE_CERT_PURPOSE); + state->command = command; + + memcpy(state->cert_file, certfile_bin.data, certfile_bin.size); +Index: erlang-p1-tls/src/fast_tls.erl +=================================================================== +--- erlang-p1-tls.orig/src/fast_tls.erl ++++ erlang-p1-tls/src/fast_tls.erl +@@ -67,6 +67,7 @@ + -define(VERIFY_NONE, 16#10000). + + -define(COMPRESSION_NONE, 16#100000). ++-define(OVERRIDE_CERT_PURPOSE, 16#200000). + + -define(PRINT(Format, Args), io:format(Format, Args)). + +@@ -148,7 +149,11 @@ tcp_to_tls(TCPSocket, Options) -> + true -> ?COMPRESSION_NONE; + false -> 0 + end, +- Flags = Flags1 bor Flags2, ++ Flags3 = case lists:member(override_cert_purpose, Options) of ++ true -> ?OVERRIDE_CERT_PURPOSE; ++ false -> 0 ++ end, ++ Flags = Flags1 bor Flags2 bor Flags3, + Ciphers = + case lists:keysearch(ciphers, 1, Options) of + {value, {ciphers, C}} -> diff -Nru erlang-p1-tls-1.1.22/debian/patches/series erlang-p1-tls-1.1.22/debian/patches/series --- erlang-p1-tls-1.1.22/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ erlang-p1-tls-1.1.22/debian/patches/series 2026-02-10 18:41:06.000000000 +0000 @@ -0,0 +1 @@ +f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch