[Pkg-openssl-devel] Bug#701826: Bug#701826: libssl1.0.0: "handshake failure" messages with openconnect
Kurt Roeckx
kurt at roeckx.be
Thu Feb 28 17:24:24 UTC 2013
On Wed, Feb 27, 2013 at 11:07:33AM -0500, Ray Kohler wrote:
> Package: libssl1.0.0
> Version: 1.0.1e-1
> Severity: normal
>
> After upgrading libssl1.0.0 from 1.0.1c-4 to 1.0.1e-1, using the
> openconnect VPN client (version 3.20-3, both before and after the
> openssl upgrade) produces many of these messages, about one pair per
> minute:
>
> Feb 27 09:08:52 asenath openconnect[4692]: DTLS handshake failed: 1
> Feb 27 09:08:52 asenath openconnect[4692]: 140011978094248:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:1166:SSL alert number 40
>
> Within the first minute after starting openconnect, I also see one like
> this, which doesn't recur:
>
> Feb 27 09:07:50 asenath openconnect[4692]: DTLS handshake failed: 2
>
> None of these appeared before this upgrade.
>
> I don't see any impact on openconnect's actual functionality, so it
> appears to retry in some manner more acceptable to openssl.
>
> It is, of course, possible that the openssl change is perfectly correct,
> and that this bug should be reassigned to openconnect for a
> "compatibility catch-up" change.
That one has been fixed upstream after the 1.0.1e release:

commit 9fe4603b8245425a4c46986ed000fca054231253
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Tue Feb 12 14:55:32 2013 +0000

    Check DTLS_BAD_VER for version number.

    The version check for DTLS1_VERSION was redundant as
    DTLS1_VERSION > TLS1_1_VERSION, however we do need to
    check for DTLS1_BAD_VER for compatibility.

    PR:2984
    (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)

Kurt
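Added example, not code from this thread or from the OpenSSL commit itself: a C reconstruction of the shape of version check the commit message describes, using the real OpenSSL version constants. The function names and the exact before/after conditions are assumptions (the diff is not quoted above), and the page does not say what the check guards; it only shows why the pre-standard DTLS1_BAD_VER value falls through a numeric ">= TLS1_1_VERSION" comparison that DTLS1_VERSION passes.

```c
#include <stdio.h>

/* Protocol version constants as OpenSSL defines them (ssl3.h, tls1.h,
 * dtls1.h).  RFC DTLS versions are the ones' complement of the DTLS
 * major.minor pair, so DTLS 1.0 is ~{1,0} = 0xFEFF and compares greater
 * than every TLS version.  DTLS1_BAD_VER is the pre-RFC, un-complemented
 * encoding {1,0} = 0x0100 used by Cisco AnyConnect / openconnect, which
 * compares smaller than every TLS version. */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define DTLS1_VERSION  0xFEFF
#define DTLS1_BAD_VER  0x0100

/* Assumed shape of the check before the fix.  As the commit message says,
 * the "== DTLS1_VERSION" term is redundant: 0xFEFF >= 0x0302 already holds.
 * DTLS1_BAD_VER (0x0100) satisfies neither term, so those peers are
 * treated as pre-TLS-1.1 and the handshake fails. */
int version_check_1_0_1e(int version)
{
    return version >= TLS1_1_VERSION || version == DTLS1_VERSION;
}

/* Assumed shape after the fix: the redundant term is replaced by the
 * DTLS1_BAD_VER case that compatibility requires. */
int version_check_fixed(int version)
{
    return version >= TLS1_1_VERSION || version == DTLS1_BAD_VER;
}

/* Non-zero for the single version whose outcome the fix changes. */
int fix_changes_outcome(int version)
{
    return version_check_1_0_1e(version) != version_check_fixed(version);
}

int main(void)
{
    const int versions[] = { SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION,
                             TLS1_2_VERSION, DTLS1_VERSION, DTLS1_BAD_VER };
    printf("version  1.0.1e  fixed  changed\n");
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("0x%04x   %d       %d      %d\n", versions[i],
               version_check_1_0_1e(versions[i]),
               version_check_fixed(versions[i]),
               fix_changes_outcome(versions[i]));
    return 0;
}
```

The table shows that only 0x0100 changes between the two conditions, which matches the report: RFC-encoded DTLS peers were never affected, while the pre-standard encoding openconnect speaks was rejected by 1.0.1e.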