[Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS

Ross Burton ross at debian.org
Tue Apr 21 10:12:10 UTC 2009


Package: libssl0.9.8
Version: 0.9.8g-15.1
Severity: normal
Tags: patch

Please consider integrating the compatibility patches for Cisco VPN client DTLS
support.  These have been integrated into the upstream 0.9.8-stable branch and
I've been using them locally for some time now.  There are three relevant patches:

http://cvs.openssl.org/chngview?cn=17500

When the underlying BIO_write() fails to send a datagram, we leave the offending
record queued as 'pending'. The DTLS code doesn't expect this, and we end up
hitting an OPENSSL_assert() in do_dtls1_write(). The simple fix is just not to
leave it queued. In DTLS, dropping packets is perfectly acceptable -- and even
preferable. If we wanted a service with retries and guaranteed delivery, we'd be
using TCP.


http://cvs.openssl.org/chngview?cn=17505

Firstly, the bitmap we use for replay protection was ending up with zero length,
so a single pair of packets getting switched around would cause one of them to
be 'dropped'. Secondly, it wasn't even dropping the offending packets, in the
non-blocking case. It was just returning garbage instead.

http://cvs.openssl.org/chngview?cn=18037

Compatibility patches for Cisco VPN client DTLS.

These patches are required for the openconnect package to have useful
performance.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]  1.5.25            Debian configuration management sy
ii  libc6                  2.9-4             GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libssl0.9.8 recommends no packages.

libssl0.9.8 suggests no packages.

-- debconf information excluded
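As an added illustration of the replay-window problem described under cn=17505 (example code written for this note, not the report's own code and not OpenSSL's implementation): a DTLS-style sliding-window anti-replay check in which the window width is a parameter, so that a width of zero reproduces the reported symptom that one datagram of a reordered pair is dropped. The struct and function names and the constructed arrival sequence are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sliding-window anti-replay state in the style of DTLS (RFC 4347 section 4.1.2.5). */
struct replay_window {
    uint64_t max_seq;     /* highest record sequence number accepted so far */
    uint64_t bitmap;      /* bit i set => record (max_seq - i) already received */
    unsigned window_bits; /* usable window width, 1..64; 0 reproduces the bug */
    int      started;     /* 0 until the first record arrives */
};

/* Returns 1 if seq is fresh (and records it), 0 if the datagram must be dropped. */
static int replay_check(struct replay_window *w, uint64_t seq)
{
    if (!w->started) {            /* first record defines the top of the window */
        w->started = 1;
        w->max_seq = seq;
        w->bitmap = 1;
        return 1;
    }
    if (seq > w->max_seq) {       /* newer than anything seen: slide the window */
        uint64_t shift = seq - w->max_seq;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->max_seq = seq;
        return 1;
    }
    uint64_t diff = w->max_seq - seq;
    if (diff >= w->window_bits || diff >= 64)  /* too old to track; with window_bits == 0
                                                  every reordered datagram lands here */
        return 0;
    if (w->bitmap & ((uint64_t)1 << diff))
        return 0;                 /* genuine replay of a record already seen */
    w->bitmap |= (uint64_t)1 << diff;
    return 1;
}

/* Feeds a constructed arrival order (one reordered pair, then a true replay of 4)
   through a window of the given width and returns how many records are accepted. */
static int replay_demo(unsigned window_bits)
{
    static const uint64_t arrivals[] = { 1, 2, 3, 5, 4, 4 };
    struct replay_window w = { 0, 0, window_bits, 0 };
    int accepted = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        accepted += replay_check(&w, arrivals[i]);
    return accepted;   /* 64-bit window: 5 (only the replay dropped); 0-bit window: 4 */
}
```

Calling replay_demo(64) versus replay_demo(0) shows the difference: with a usable window only the genuine replay is rejected, while a zero-width window also rejects the legitimately reordered record 4.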
