Hi,

>>>> I've been getting reports from users who see issues with openssl
>>>> after the upgrade from 1.0.1c to 1.0.1e
>>>>
>>>> See:
>>>> http://bugs.debian.org/678353#10

>>> I tried on my Intel Core i7-3770S with 1.0.1e connecting to his
>>> mail server and was unable to reproduce with the stock 1.0.1e
>>> I built.

>> I got another bug report now:
>> http://bugs.debian.org/701868
>>
>> Both users report that using OPENSSL_ia32cap=~0x200000200000000
>> fixes their problem.

> And I've also been pointed to:
> http://forums.otterhub.org/viewtopic.php?f=62&t=18941
>
> It seems various users are affected by this.
There seem to be several problems...

As for AES-NI, you seem to have missed the fix for zero-length TLS fragments,
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc90e42c8623af13308d8ef7e7ada84af0a36509.
I mean I've 'apt-get source openssl' on a Ubuntu machine, applied your
CVE-2013-0169.patch manually and there is no NO_PAYLOAD_LENGTH... This means
that if an AES-NI enabled machine talks to a server that supports the
zero-length countermeasure, you are in trouble.

As for myrta.com:443, the problem is not specific to AES-NI as it persists
even with -cipher RC4-SHA. Looking further into it...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
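The "zero-length countermeasure" the reply refers to is the empty fragment that SSL 3.0 / TLS 1.0 senders emit before each CBC data record so that the chained IV of the real record is not predictable to a peer who chose the data. A receiver's record-layer decrypt path therefore has to accept a record whose body is nothing but MAC plus padding, with a payload length of exactly zero. The Go program below is an added illustration of that record format, written for this page; it is not code from the thread, from the Debian/Ubuntu patches, or from OpenSSL. It assumes constructed keys and an initial IV, a simplified MAC over the payload only (a real TLS MAC also covers sequence number and record header), and the hypothetical function names `sealRecord`, `openRecord`, `sendWithEmptyFragment` and `receive`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

const (
	blockSize = aes.BlockSize // 16
	macSize   = sha1.Size     // 20
)

// Constructed keys for this example only; a real connection derives them
// from the handshake.
var (
	encKey = []byte("0123456789abcdef")          // AES-128 key (constructed)
	macKey = []byte("constructed-hmac-sha1-key") // HMAC-SHA1 key (constructed)
	// First CBC IV (constructed). With chained IVs every later record uses
	// the last ciphertext block of the previous record as its IV.
	initialIV = bytes.Repeat([]byte{0x42}, blockSize)
)

// sealRecord builds one TLS 1.0-style CBC record body:
// AES-CBC( payload || HMAC-SHA1(payload) || padding ).
// payload may be empty: the body is then just MAC plus padding.
func sealRecord(iv, payload []byte) []byte {
	mac := hmac.New(sha1.New, macKey)
	mac.Write(payload)
	plain := append(append([]byte{}, payload...), mac.Sum(nil)...)
	// TLS padding: padLen+1 bytes, each holding the value padLen.
	padLen := (blockSize - (len(plain)+1)%blockSize) % blockSize
	plain = append(plain, bytes.Repeat([]byte{byte(padLen)}, padLen+1)...)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // fixed-size key, cannot fail
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}

// openRecord decrypts and authenticates one record body and returns the
// payload, which is legitimately empty for a zero-length fragment.
// The checks are plain if/else and not constant-time: this shows the record
// format, not the timing hardening of the CVE-2013-0169 fix.
func openRecord(iv, body []byte) ([]byte, error) {
	if len(body) == 0 || len(body)%blockSize != 0 {
		return nil, errors.New("record length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)

	padLen := int(plain[len(plain)-1])
	if padLen+1+macSize > len(plain) {
		return nil, errors.New("bad padding or MAC")
	}
	for _, b := range plain[len(plain)-padLen-1:] {
		if int(b) != padLen {
			return nil, errors.New("bad padding or MAC")
		}
	}
	// payloadLen is zero for an empty fragment; that case must be accepted,
	// not treated as a malformed record.
	payloadLen := len(plain) - padLen - 1 - macSize
	payload := plain[:payloadLen]
	expected := hmac.New(sha1.New, macKey)
	expected.Write(payload)
	if !hmac.Equal(expected.Sum(nil), plain[payloadLen:payloadLen+macSize]) {
		return nil, errors.New("bad padding or MAC")
	}
	return payload, nil
}

// sendWithEmptyFragment is the sender side of the zero-length countermeasure:
// an empty record goes out first, so the chained IV used for the real data
// is a ciphertext block nobody could have predicted when the data was chosen.
func sendWithEmptyFragment(iv, data []byte) ([][]byte, []byte) {
	empty := sealRecord(iv, nil)
	iv = empty[len(empty)-blockSize:]
	full := sealRecord(iv, data)
	return [][]byte{empty, full}, full[len(full)-blockSize:]
}

// receive processes records in order with chained IVs and concatenates their
// payloads. A receiver that cannot handle the empty record fails right here.
func receive(iv []byte, records [][]byte) ([]byte, error) {
	var out []byte
	for _, rec := range records {
		payload, err := openRecord(iv, rec)
		if err != nil {
			return nil, err
		}
		out = append(out, payload...)
		iv = rec[len(rec)-blockSize:]
	}
	return out, nil
}

func main() {
	records, _ := sendWithEmptyFragment(initialIV, []byte("GET / HTTP/1.0\r\n"))
	fmt.Printf("first record: %d bytes (zero-length fragment)\n", len(records[0]))
	data, err := receive(initialIV, records)
	fmt.Printf("received %q, err=%v\n", data, err)
}
```

The point of the exercise is the `payloadLen == 0` case in `openRecord`: a receive path that assumes at least one byte of payload, or that reads the payload length before it is known, will reject or misprocess every empty fragment, and a sender that uses the countermeasure will then fail against that peer even though both sides are configured correctly. The `OPENSSL_ia32cap` mask quoted in the reports works around such a problem by masking capability bits so the AES-NI code path is not selected at all; it is a diagnostic and stopgap, not a substitute for carrying the complete fix.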
