[Pkg-openssl-devel] Bug#338006: libssl0.9.8: bad record mac because
of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling
Mikael Magnusson
mikma at users.sourceforge.net
Mon Nov 7 19:23:55 UTC 2005
Package: libssl0.9.8
Version: 0.9.8a-3
Severity: important
Use of SSL_OP_TLS_BLOCK_PADDING_BUG, which is included in SSL_OP_ALL,
triggers a bug in OpenSSL if both the client and server is using version 0.9.8.
Upstream bug report:
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1204
The bug can be demonstrated with the following execution of s_server and
s_client.
Server:
# openssl s_server -accept 5061 -cert /etc/apache/ssl.crt/snakeoil-dsa.crt -key /etc/apache/ssl.key/snakeoil-dsa.key -CAfile /etc/apache/ssl.crt/snakeoil-ca-dsa.crt -no_ssl2
Client:
$ openssl s_client -connect skinner:5061 -no_ssl2 -bugs
CONNECTED(00000003)
depth=1 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority (DSA)/CN=Snake Oil CA/emailAddress=ca at snakeoil.dom
verify error:num=19:self signed certificate in certificate chain
verify return:0
29985:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:
Sometimes the connection succeeds, but it fails most of the times.
Regards,
Mikael
-- System Information:
Debian Release: testing/unstable
APT prefers stable
APT policy: (871, 'stable'), (50, 'testing'), (30, 'unstable'), (10, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-vserver-k7
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Versions of packages libssl0.9.8 depends on:
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii libc6 2.3.5-7 GNU C Library: Shared libraries an
ii zlib1g 1:1.2.3-6 compression library - runtime
libssl0.9.8 recommends no packages.
-- debconf information:
libssl0.9.8/restart-services:
More information about the Pkg-openssl-devel
mailing list