Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: important

Dear Maintainer,

I have an application which uses libwebrtc to communicate with third-party
WebRTC clients, which are mostly Chrome and Firefox browsers.
libwebrtc used in my application is compiled with openssl support to implement 
DTLS encryption while Chrome and Firefox, I believe, use libnss.

After the 1.0.1e-2+deb7u14 update my application fails to connect to the
browsers. According to the logs, the DTLS handshake never completes and times out.

Through experimenting I found out that the problem is with the patch for 
CVE-2014-3571 (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch).
If I rebuild the package without that patch the application starts connecting 
again. It also works with 1.0.1e-2+deb7u13.

The libwebrtc code is quite massive, so it's difficult to make a reproducing 
code example. But the relevant bits are here, if you're interested:

Certificate and identity creation: 
http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslidentity.cc
DTLS connection setup: 
http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslstreamadapter.cc

With the problematic openssl package the
OpenSSLStreamAdapter::SSLVerifyCallback() function is never called (there is no
"Accepted peer certificate." message in the log), and the stream adapter keeps
printing " -- error want read" until timeout.

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (400, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-38+deb7u6
ii  libssl1.0.0  1.0.1e-2+deb7u14
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- no debconf information

