Package: libssl0.9.8
Version: 0.9.8g-15.1
Severity: normal
Tags: patch

Please consider integrating the compatibility patches for Cisco VPN client DTLS support. These have been integrated into the upstream 0.9.8-stable branch and I've been using them locally for some time now. There are three relevant patches:

http://cvs.openssl.org/chngview?cn=17500

When the underlying BIO_write() fails to send a datagram, we leave the offending record queued as 'pending'. The DTLS code doesn't expect this, and we end up hitting an OPENSSL_assert() in do_dtls1_write(). The simple fix is just not to leave it queued. In DTLS, dropping packets is perfectly acceptable -- and even preferable. If we wanted a service with retries and guaranteed delivery, we'd be using TCP.

http://cvs.openssl.org/chngview?cn=17505

Firstly, the bitmap we use for replay protection was ending up with zero length, so a single pair of packets getting switched around would cause one of them to be 'dropped'. Secondly, it wasn't even dropping the offending packets, in the non-blocking case. It was just returning garbage instead.

http://cvs.openssl.org/chngview?cn=18037

Compatibility patches for Cisco VPN client DTLS.

These patches are required for the openconnect package to have useful performance.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]  1.5.25             Debian configuration management sy
ii  libc6                  2.9-4              GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12  compression library - runtime

libssl0.9.8 recommends no packages.

libssl0.9.8 suggests no packages.

-- debconf information excluded
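As an added illustration of the replay-protection window that the second patch (cn=17505) repairs, and not code from OpenSSL or from this report: a sliding-window replay check in the style of RFC 4347, run over a constructed record sequence. The function and type names are hypothetical; with a window length of zero, any record that arrives behind a newer one is rejected, which is exactly why a single swapped pair of datagrams loses a packet.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sliding replay window: bit i of `bitmap` means record (max_seq - i) was seen. */
typedef struct {
    uint64_t max_seq;   /* highest record sequence number accepted so far */
    uint64_t bitmap;    /* up to 64 records behind max_seq */
    unsigned window;    /* accepted distance behind max_seq; 0 reproduces the bug */
    bool     started;   /* false until the first record arrives */
} replay_window;

void rw_init(replay_window *w, unsigned window) {
    memset(w, 0, sizeof *w);
    w->window = window > 64 ? 64 : window;
}

/* Return true if the record is fresh (and record it), false if it must be dropped. */
bool rw_check_and_update(replay_window *w, uint64_t seq) {
    if (!w->started) { w->started = true; w->max_seq = seq; w->bitmap = 1; return true; }
    if (seq > w->max_seq) {                       /* newer than anything seen: slide window */
        uint64_t shift = seq - w->max_seq;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->max_seq = seq;
        return true;
    }
    uint64_t behind = w->max_seq - seq;
    if (behind >= w->window) return false;        /* too old, or window of length zero */
    uint64_t bit = (uint64_t)1 << behind;
    if (w->bitmap & bit) return false;            /* genuine replay of a record already seen */
    w->bitmap |= bit;                             /* reordered but fresh: accept */
    return true;
}

/* Constructed arrival order: 4 and 3 swapped in transit, then 3 replayed. */
static const uint64_t sample_seqs[] = { 1, 2, 4, 3, 3, 5 };

/* Count how many of the sample records a window of the given length accepts. */
unsigned demo_accepted(unsigned window) {
    replay_window w; unsigned accepted = 0;
    rw_init(&w, window);
    for (size_t i = 0; i < sizeof sample_seqs / sizeof sample_seqs[0]; i++)
        accepted += rw_check_and_update(&w, sample_seqs[i]);
    return accepted;
}

int main(void) {
    printf("window 64: %u accepted (5 fresh records, 1 replay dropped)\n", demo_accepted(64));
    printf("window  0: %u accepted (the reordered record 3 is lost as well)\n", demo_accepted(0));
    return 0;
}
```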