Your message dated Fri, 20 Mar 2015 18:03:55 +0000
with message-id <[email protected]>
and subject line Bug#775502: fixed in openssl 1.0.1k-2
has caused the Debian Bug report #775502,
regarding openssl: 1.0.1e-2+deb7u14 broke DTLS handshake with Chrome/Firefox
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775502: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: important
Dear Maintainer,
I have an application which uses libwebrtc to communicate with third party
WebRTC clients, which are mostly Chrome and Firefox browsers.
libwebrtc used in my application is compiled with openssl support to implement
DTLS encryption while Chrome and Firefox, I believe, use libnss.
After the 1.0.1e-2+deb7u14 update my application fails to connect to the
browsers. According to logs, DTLS handshake never completes and times out.
Through experimenting I found out that the problem is with the patch for
CVE-2014-3571 (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch).
If I rebuild the package without that patch the application starts connecting
again. It also works with 1.0.1e-2+deb7u13.
The libwebrtc code is quite massive, so it's difficult to make a reproducing
code example. But the relevant bits are here, if you're interested:
Certificate and identity creation:
http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslidentity.cc
DTLS connection setup:
http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslstreamadapter.cc
With the problematic openssl package the
OpenSSLStreamAdapter::SSLVerifyCallback() function is never called (there is no
"Accepted peer certificate." message in the log), and the stream adapter keeps
printing " -- error want read" until timeout.
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (400, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-38+deb7u6
ii libssl1.0.0 1.0.1e-2+deb7u14
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119+deb7u1
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1k-2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Mar 2015 18:24:15 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc
libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1k-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
openssl - Secure Sockets Layer toolkit - cryptographic utility
Closes: 775502
Changes:
openssl (1.0.1k-2) unstable; urgency=high
.
* Fix CVE-2015-0286
* Fix CVE-2015-0287
* Fix CVE-2015-0289
* Fix CVE-2015-0293 (not affected, SSLv2 disabled)
* Fix CVE-2015-0209
* Fix CVE-2015-0288
* Remove export ciphers from DEFAULT.
* Make DTLS always act as if read_ahead is set. This fixes a regression
introduced by the fix for CVE-2014-3571. (Closes: #775502)
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---