Package: openssl
Version: 1.0.0h-1
Severity: important

--- Please enter the report below this line. ---
The Debian-distributed openssl negotiates SSL 3.0 if TLS 1.2 is offered, while the original openssl 1.0.0h negotiates TLS 1.0 when offered the same client hello. This is a really weird difference.

To reproduce:

$ /usr/bin/openssl s_server -cert x509/cert-rsa.pem -key x509/key-rsa.pem -port 5556
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

$ ./gnutls-cli localhost -p 5556 --insecure --priority PERFORMANCE
...
- Version: SSL3.0
...

and the original behavior:

$ /home/nmav/cvs/openssl-1.0.0h/apps/openssl s_server -cert x509/cert-rsa.pem -key x509/key-rsa.pem -port 5556
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

$ ./gnutls-cli localhost -p 5556 --insecure --priority PERFORMANCE
...
- Version: TLS1.0
...

--- System information. ---
Architecture: amd64
Kernel: Linux 3.0.0-1-amd64

Debian Release: wheezy/sid
  500 testing ftp.be.debian.org
  500 stable ftp.be.debian.org

--- Package information. ---
Depends (Version)            | Installed
============================-+-=============
libc6 (>= 2.7)               | 2.13-27
libssl1.0.0 (>= 1.0.0)       | 1.0.0h-1
zlib1g (>= 1:1.1.4)          | 1:1.2.6.dfsg-2

Package's Recommends field is empty.

Suggests (Version)           | Installed
============================-+-=============
ca-certificates              | 20120212
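The report above compares the version a server picks against what the client offered. The following is an added example, not part of the bug report and not code from Debian, OpenSSL or GnuTLS: it parses the version field out of a TLS/SSL ServerHello record and flags a server that settles on a version below the highest one the client offered (SSL 3.0 in the Debian case, TLS 1.0 upstream). The ServerHello bytes are constructed in the script so it runs offline; the version table, the helper names and the assumed offered maximum of TLS 1.2 are this example's own choices.

```python
"""Classify the protocol version a TLS/SSL server negotiated (added example).

The ServerHello records checked here are constructed inline; they are sample
data, not captures from the servers in the bug report.
"""
import struct

# Record-layer / handshake version codes -> names as gnutls-cli prints them.
VERSION_NAMES = {
    (3, 0): "SSL3.0",
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",
}

HANDSHAKE = 0x16      # record-layer content type for handshake messages
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello_version(record: bytes):
    """Return the (major, minor) version carried in a ServerHello record.

    Only the fields needed to reach the version field are parsed; the
    session id, cipher suite and compression method are not validated
    beyond the length checks.
    """
    if len(record) < 5 + 4 + 2:
        raise ValueError("record too short")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record (type 0x%02x)" % content_type)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello (handshake type %d)" % hs_type)
    if len(body) - 4 < hs_len or hs_len < 2:
        raise ValueError("truncated handshake message")
    # The negotiated version is the first two bytes of the ServerHello body.
    return (body[4], body[5])


def check_negotiated(record: bytes, offered_max=(3, 3)):
    """Compare the negotiated version with the client's highest offered one.

    Returns (name, below_offered_max). offered_max defaults to TLS 1.2, the
    highest version the client hello in the report offers.
    """
    negotiated = parse_server_hello_version(record)
    name = VERSION_NAMES.get(negotiated, "unknown %d.%d" % negotiated)
    return name, negotiated < offered_max


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ServerHello record for the given version (sample data)."""
    random = bytes(32)                 # server random, zeroed for the sample
    session_id = b""                   # empty session id
    cipher_suite = b"\x00\x2f"         # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"              # null compression
    hs_body = (bytes([major, minor]) + random + bytes([len(session_id)])
               + session_id + cipher_suite + compression)
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake


if __name__ == "__main__":
    # Sample run over the three outcomes discussed in the report.
    for ver in ((3, 0), (3, 1), (3, 3)):
        name, below = check_negotiated(build_server_hello(*ver))
        print("%-7s %s" % (name, "below offered maximum" if below else "ok"))
```

Against a live server the same check applies to the first record returned after a ClientHello; the point of the comparison is that a server answering SSL 3.0 to a client that offered TLS 1.2 is the case worth alerting on, since SSL 3.0 should only ever be the result when nothing newer is available on either side.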