[Pkg-openssl-devel] Bug#775502: Bug#775502: openssl: 1.0.1e-2+deb7u14 broke DTLS handshake with Chrome/Firefox
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 16 19:34:00 UTC 2015
Hi Kurt,
On Fri, Jan 16, 2015 at 06:43:36PM +0100, Kurt Roeckx wrote:
> On Fri, Jan 16, 2015 at 04:17:59PM +0300, Andrey Semashev wrote:
> > Package: openssl
> > Version: 1.0.1e-2+deb7u14
> > Severity: important
> >
> > Dear Maintainer,
> >
> > I have an application which uses libwebrtc to communicate with third party WebRTC clients, which are mostly Chrome and Firefox browsers.
> > libwebrtc used in my application is compiled with openssl support to implement DTLS encryption while Chrome and Firefox, I believe, use libnss.
> >
> > After the 1.0.1e-2+deb7u14 update my application fails to connect to the browsers. According to logs, DTLS handshake never completes and times out.
> >
> > Through experimenting I found out that the problem is with the patch for CVE-2014-3571 (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch).
> > If I rebuild the package without that patch the application starts connecting again. It also works with 1.0.1e-2+deb7u13.
>
> There is an upstream bug report about the patch for CVE-2014-0206
> breaking it. Are you sure it's the right patch?
>
> The fix for that issue was to use SSL_CTX_set_read_ahead() setting
> it to 1. Can you check that fixes it for you?
Just to avoid confusion, I guess it is CVE-2015-0206, since
CVE-2014-0206 was for linux. Is it this bug you are refering to:
https://rt.openssl.org/Ticket/Display.html?id=3657
Regards,
Salvatore
More information about the Pkg-openssl-devel
mailing list