[Pkg-openssl-devel] Bug#664454: [openssl] debian openssl's behavior is different than original
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Mar 17 20:42:50 UTC 2012
Package: openssl
Version: 1.0.0h-1
Severity: important
--- Please enter the report below this line. ---
The Debian-distributed openssl negotiates SSL 3.0 if TLS 1.2 is offered,
while the original openssl 1.0.0h negotiates TLS 1.0 when offered the same
client hello. This is a really weird difference.
To reproduce:
$ /usr/bin/openssl s_server -cert x509/cert-rsa.pem -key x509/key-rsa.pem -port 5556
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
$ ./gnutls-cli localhost -p 5556 --insecure --priority PERFORMANCE
...
- Version: SSL3.0
...
and the original behavior:
$ /home/nmav/cvs/openssl-1.0.0h/apps/openssl s_server -cert x509/cert-rsa.pem -key x509/key-rsa.pem -port 5556
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
$ ./gnutls-cli localhost -p 5556 --insecure --priority PERFORMANCE
...
- Version: TLS1.0
...
--- System information. ---
Architecture: amd64
Kernel: Linux 3.0.0-1-amd64
Debian Release: wheezy/sid
500 testing ftp.be.debian.org
500 stable ftp.be.debian.org
--- Package information. ---
Depends (Version) | Installed
============================-+-=============
libc6 (>= 2.7) | 2.13-27
libssl1.0.0 (>= 1.0.0) | 1.0.0h-1
zlib1g (>= 1:1.1.4) | 1:1.2.6.dfsg-2
Package's Recommends field is empty.
Suggests (Version) | Installed
==============================-+-===========
ca-certificates | 20120212
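The report compares the version each server picked for the same client hello (TLS 1.2 offered; SSL 3.0 versus TLS 1.0 selected). The following is an added example, not code from the report or from OpenSSL or GnuTLS: it parses the server_version field out of a captured ServerHello record and classifies the outcome against what the client offered, so a test harness can flag a server that drops below a chosen floor (SSL 3.0 by default) rather than just printing the version. The ServerHello bytes are constructed by build_server_hello for the example; the function and verdict names are my own, and the check is written for any SSL 3.0/TLS 1.x version, not only the two seen in the report.

```python
import struct

# Wire (major, minor) codes for the protocol versions named in the report.
VERSION_NAMES = {
    (3, 0): "SSL3.0",
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def build_server_hello(major, minor, cipher_suite=0x002F):
    """Build a minimal, constructed TLS record carrying a ServerHello that
    selects the given protocol version. Sample data for this example only:
    the random field is zeroed and no extensions are included."""
    body = struct.pack("!BB", major, minor)   # server_version
    body += b"\x00" * 32                      # random (constructed, zeroed)
    body += b"\x00"                           # session_id length 0
    body += struct.pack("!H", cipher_suite)   # chosen cipher suite
    body += b"\x00"                           # compression method: null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is not the negotiated version; that lives
    # inside the ServerHello body, which is what the parser reads.
    record = struct.pack("!BBBH", HANDSHAKE_RECORD, 3, 1, len(handshake))
    return record + handshake


def parse_server_hello_version(record):
    """Return the (major, minor) version a ServerHello selected.
    Raises ValueError if the bytes are not a well-formed ServerHello record."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, _, _, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + record_len]
    if len(handshake) < 6 or len(handshake) != record_len:
        raise ValueError("handshake body truncated")
    if handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    if hs_len + 4 != len(handshake):
        raise ValueError("ServerHello length mismatch")
    return handshake[4], handshake[5]


def assess_negotiation(offered_max, record, floor=(3, 1)):
    """Compare the version the server selected with the client's maximum.
    Returns (version_name, verdict), verdict being one of:
      'match'       - server picked the client's maximum
      'downgrade'   - server picked something lower but at or above floor
      'below-floor' - server picked a version below floor (SSL 3.0 by default)
      'invalid'     - server picked a version higher than the client offered
    """
    negotiated = parse_server_hello_version(record)
    name = VERSION_NAMES.get(negotiated, "unknown(%d.%d)" % negotiated)
    if negotiated > offered_max:
        verdict = "invalid"
    elif negotiated < floor:
        verdict = "below-floor"
    elif negotiated == offered_max:
        verdict = "match"
    else:
        verdict = "downgrade"
    return name, verdict


if __name__ == "__main__":
    # The two outcomes in the report: the client offers TLS 1.2, the Debian
    # build answers SSL 3.0, the upstream 1.0.0h build answers TLS 1.0.
    for version in ((3, 0), (3, 1)):
        print(assess_negotiation((3, 3), build_server_hello(*version)))
```

With the report's numbers, the Debian server's ServerHello classifies as below-floor and the upstream one as a plain downgrade (OpenSSL 1.0.0 has no TLS 1.1/1.2 support, so TLS 1.0 is the expected answer to a TLS 1.2 offer). Feeding the parser a real capture only requires the first handshake record sent by the server.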