Bug#338006: [Pkg-openssl-devel] Bug#338006: libssl0.9.8: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling - possible workaround

Steve Langasek vorlon at debian.org
Mon Jan 16 00:03:33 UTC 2006


On Sun, Jan 15, 2006 at 10:38:16PM +0100, Kurt Roeckx wrote:
> On Sun, Jan 15, 2006 at 05:15:20PM +0100, Kurt Roeckx wrote:
> > To quote a part from that email:
> > > You were right. If I change:
> > > no-idea no-rc5 shared

> > > to:
> > > zlib no-idea no-rc5 shared

> > > and rebuild, cyrus-imapd gives me that "bad record mac" error with the
> > > resulting openssl. Removing "zlib" makes it go away.

> > So it seems we have 2 things that conflict here.  If we have zlib,
> > it breaks applications, if we don't, it breaks others.

> I should correct myself.  We have 3 options for zlib:
> - no-zlib
> - zlib
> - zlib-dynamic

> Package breaks if we use zlib-dynamic and zlib1-dev is not
> installed, which is why we used zlib instead.

Fix zlib-dynamic to use /usr/lib/libz.so.1 properly instead of
/usr/lib/libz.so?

> Built with any of those options, it fails with the "decryption failed or
> bad record mac" error.

"any of those options" means all of no-zlib, zlib, and zlib-dynamic?

> If either the server or the client does not support zlib, things
> work.

> And it seems that the 0.9.7 server doesn't use zlib, even though
> it was built with zlib support.

> I'm still not sure if this is a bug in the server or the client.

So what breaks if using no-zlib?  You said "it breaks other [applications]";
which ones and how?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/