[Pkg-openssl-devel] Bug#439737: DTLS implementation in OpenSSL is buggy
Juliusz Chroboczek
Juliusz.Chroboczek at pps.jussieu.fr
Mon Aug 27 02:22:49 UTC 2007
Package: openssl
Version: 0.9.8e-5
Severity: important
Tags: security
The DTLS implementation included in OpenSSL 0.9.8 is known to be
buggy. See for example
http://www.mail-archive.com/openssl-dev@openssl.org/msg21313.html
http://rt.openssl.org/Ticket/Display.html?id=1245&user=guest&pass=guest
I believe that in its current state it does not qualify as an
implementation of RFC 4507. What is worse, nothing is known about its
security features.
Including DTLS in the Debian version of OpenSSL might mislead
programmers into believing it is a secure choice, as it almost did
mislead me. I would therefore like to suggest that the Debian version
of OpenSSL should compile out the DTLS code, or at the very least
include a big, fat warning in the documentation.
Juliusz