[Pkg-openssl-devel] Bug#775502: openssl: 1.0.1e-2+deb7u14 broke DTLS handshake with Chrome/Firefox

Andrey Semashev andysem at mail.ru
Fri Jan 16 13:17:59 UTC 2015


Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: important

Dear Maintainer,

I have an application which uses libwebrtc to communicate with third-party WebRTC clients, which are mostly Chrome and Firefox browsers.
libwebrtc used in my application is compiled with OpenSSL support to implement DTLS encryption, while Chrome and Firefox, I believe, use libnss.

After the 1.0.1e-2+deb7u14 update my application fails to connect to the browsers. According to logs, DTLS handshake never completes and times out.

Through experimenting I found out that the problem is with the patch for CVE-2014-3571 (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch).
If I rebuild the package without that patch the application starts connecting again. It also works with 1.0.1e-2+deb7u13.

The libwebrtc code is quite massive, so it's difficult to make a reproducible code example. But the relevant bits are here, if you're interested:

Certificate and identity creation: http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslidentity.cc
DTLS connection setup: http://webrtc.googlecode.com/svn/branches/3.52/talk/base/opensslstreamadapter.cc

With the problematic openssl package the OpenSSLStreamAdapter::SSLVerifyCallback() function is never called (there is no "Accepted peer certificate." message in the log), and the stream adapter keeps printing " -- error want read" until timeout.

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (400, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-38+deb7u6
ii  libssl1.0.0  1.0.1e-2+deb7u14
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- no debconf information
