DTLS failure with OpenSSL 1.0.1e, works in 1.0.1c
Bernhard Schmidt
berni at birkenwald.de
Wed Mar 6 09:52:13 EST 2013
On 06.03.2013 15:50, Bernhard Schmidt wrote:
Ah, and here we have the correct one.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701826
That one has been fixed upstream after the 1.0.1e release:
commit 9fe4603b8245425a4c46986ed000fca054231253
Author: David Woodhouse <dwmw2 at infradead.org>
Date: Tue Feb 12 14:55:32 2013 +0000
Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.
PR:2984
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
Wonder why I did not find that before reporting the problem :-(
> FWIW, this sounds similar to
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701868
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1133333
>
> which is also a regression from 1.0.1c to 1.0.1e, but the processor I
> have is definitely not AES-NI capable and the workaround described in
> the bugreport does not fix it.
>
>
>> Hello,
>>
>> both openconnect 3.20 and 4.99 from Debian (Wheezy/Experimental) fail
>> DTLS when libssl has been upgraded to version 1.0.1e. Both work just
>> fine when libssl is downgraded to 1.0.1c (the previous version).
>>
>> libssl 1.0.1c:
>> Connected tun0 as 129.187.49.1 + 2001:4ca0:0:f03a::1, using SSL
>> Established DTLS connection (using OpenSSL)
>>
>> libssl 1.0.1e:
>> Connected tun0 as 129.187.49.3 + 2001:4ca0:0:f03a::3, using SSL
>> DTLS handshake failed: 2
>> DTLS handshake failed: 1
>> 140659643750056:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert
>> handshake failure:d1_pkt.c:1166:SSL alert number 40
>>
>> The problem can be consistently reproduced by just upgrading libssl.
>>
>> A colleague has the same problem with the same workaround on MacOS X
>> with MacPorts, so this is most likely an upstream issue.
>>
>> Is this a known issue? Any idea how to work around?
>>
>> Bernhard
>>
>> _______________________________________________
>> openconnect-devel mailing list
>> openconnect-devel at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
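The commit message above describes a version-check pitfall that is easy to miss: DTLS wire versions are not ordered like TLS ones, so a numeric `>=` comparison against TLS1_1_VERSION happens to include standard DTLS 1.0 (0xFEFF) but silently excludes the pre-standard DTLS1_BAD_VER (0x0100) that openconnect speaks to Cisco gateways. The following is an added illustration, not OpenSSL's or openconnect's code; the version constants are OpenSSL's real values, but the page does not name the affected function, so the predicate names and the "before/after" shape are a reconstruction of what the commit message describes, assumed for this example.

```c
/* Added example (not from OpenSSL or openconnect): why a numeric
 * version comparison drops DTLS1_BAD_VER, and how the fixed check differs.
 * Constants are OpenSSL's real values (ssl.h / dtls1.h); the function
 * names and the exact shape of the predicate are assumptions. */
#include <stdio.h>
#include <stdbool.h>

#define SSL3_VERSION     0x0300
#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define DTLS1_BAD_VER    0x0100   /* pre-RFC 4347 DTLS used by Cisco AnyConnect */
#define DTLS1_VERSION    0xFEFF   /* RFC 4347 DTLS 1.0: one's complement of 1.0 */
#define DTLS1_2_VERSION  0xFEFD   /* RFC 6347 DTLS 1.2 */

/* Check as described before the fix: "TLS 1.1 or later, or DTLS".
 * Because 0xFEFF > 0x0302 the DTLS1_VERSION clause never adds anything,
 * while DTLS1_BAD_VER (0x0100) is below TLS1_1_VERSION and falls through. */
bool tls11_or_dtls_before_fix(int version)
{
    return version >= TLS1_1_VERSION || version == DTLS1_VERSION;
}

/* Check with the compatibility case added: DTLS1_BAD_VER is named
 * explicitly, since no numeric comparison can reach it. */
bool tls11_or_dtls_after_fix(int version)
{
    return version >= TLS1_1_VERSION || version == DTLS1_BAD_VER;
}

/* A more robust shape for such predicates: classify by protocol family
 * first, and only then order versions within that family. */
bool is_dtls(int version)
{
    return version == DTLS1_VERSION || version == DTLS1_2_VERSION ||
           version == DTLS1_BAD_VER;
}

bool tls11_or_dtls_by_family(int version)
{
    if (is_dtls(version))
        return true;                       /* every DTLS version qualifies */
    return version >= TLS1_1_VERSION;      /* ordering is valid within TLS */
}

/* Confirms the commit message's observation that the DTLS1_VERSION
 * clause was redundant under a ">= TLS1_1_VERSION" test. */
bool dtls1_clause_is_redundant(void)
{
    return DTLS1_VERSION > TLS1_1_VERSION;
}

int main(void)
{
    const int versions[] = { SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION,
                             TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_VERSION,
                             DTLS1_2_VERSION };
    size_t i;

    printf("%-8s %-10s %-9s %-9s\n", "version", "before", "after", "family");
    for (i = 0; i < sizeof(versions) / sizeof(versions[0]); i++) {
        int v = versions[i];
        printf("0x%04X   %-10s %-9s %-9s\n", v,
               tls11_or_dtls_before_fix(v) ? "yes" : "NO",
               tls11_or_dtls_after_fix(v)  ? "yes" : "NO",
               tls11_or_dtls_by_family(v)  ? "yes" : "NO");
    }
    return 0;
}
```

Running it prints one row per version; the DTLS1_BAD_VER row is the only one where the "before" column says NO while the other two say yes, which matches the symptom in the report (the pre-standard DTLS session is rejected while everything else keeps working).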