On Fri, Jan 16, 2015 at 04:17:59PM +0300, Andrey Semashev wrote: > Package: openssl > Version: 1.0.1e-2+deb7u14 > Severity: important > > Dear Maintainer, > > I have an application which uses libwebrtc to communicate with third party > WebRTC clients, which are mostly Chrome and Firefox browsers. > libwebrtc used in my application is compiled with openssl support to > implement DTLS encryption while Chrome and Firefox, I believe, use libnss. > > After the 1.0.1e-2+deb7u14 update my application fails to connect to the > browsers. According to logs, DTLS handshake never completes and times out. > > Through experimenting I found out that the problem is with the patch for > CVE-2014-3571 > (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch). > If I rebuild the package without that patch the application starts connecting > again. It also works with 1.0.1e-2+deb7u13.
There is an upstream bug report about the patch for CVE-2014-0206 breaking it. Are you sure it's the right patch? The fix for that issue was to use SSL_CTX_set_read_ahead() setting it to 1. Can you check that fixes it for you? Kurt -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
