[openssl.org #1703] Bug report for DTLS - Openssl


Thread: [openssl.org #1703] Bug report for DTLS

  1. [openssl.org #1703] Bug report for DTLS

    I have applied the patch to 0.9.8-stable and adapted it to 0.9.9-dev. I
    am not very familiar with the DTLS implementation so hopefully I did not
    break it.

    Best regards,
    Lutz
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: [openssl.org #1703] Bug report for DTLS

    On Fri, 2008-10-10 at 12:42 +0200, Lutz Jaenicke via RT wrote:
    > I have applied the patch to 0.9.8-stable and adapted it to 0.9.9-dev. I
    > am not very familiar with the DTLS implementation so hopefully I did not
    > break it.


    Thanks. Sorry to be impatient. I've got myself onto a team tasked with
    implementing support for Linux connectivity to the company VPN, and
    I'm very keen to avoid them settling on Cisco's client, which has some
    fairly scary security holes as well as just integrating properly with
    the desktop or being supportable, etc.

    I'm trying to present the open client which I've now written as a fait
    accompli -- and aside from the OpenSSL part, I'm fairly much there. We
    have packages for 'openconnect' and 'NetworkManager-openconnect' on the
    way through the Fedora review process and we're about to get other
    people to do the same for other distributions... all we need now is to
    get the distributions' OpenSSL packages updated so that DTLS works and
    we're not using TCP over TCP. And understandably, distributions want to
    see the patches upstream before they ship them. Especially with one with
    the extra option for Cisco compatibility.

    --
    dwmw2




  3. [openssl.org #1703] Bug report for DTLS

    > [jaenicke - Fri Oct 10 12:42:51 2008]:
    >
    > I have applied the patch to 0.9.8-stable and adapted it to 0.9.9-dev. I
    > am not very familiar with the DTLS implementation so hopefully I did not
    > break it.


    Note: I have reverted the DTLS1_BAD_VER part as DTLS1_BAD_VER handling
    is not present in HEAD (0.9.9).

    Best regards,
    Lutz



  4. Re: [openssl.org #1703] Bug report for DTLS

    On Mon, 2008-10-13 at 09:01 +0200, Lutz Jaenicke via RT wrote:
    > Note: I have reverted the DTLS1_BAD_VER part as DTLS1_BAD_VER handling
    > is not present in HEAD (0.9.9).


    That makes sense.

    I assume that DTLS1_BAD_VER handling wasn't added to HEAD because the
    pre-RFC version of DTLS was considered to be an OpenSSL-specific thing
    that would quickly die out as people upgraded to 0.9.8f and beyond?

    Now we've observed that there are servers in the wild which implement
    that old OpenSSL-specific version of the protocol, but which we'd like
    to be compatible with. If I can actually get that working in HEAD, would
    a patch to support it be acceptable?

    --
    dwmw2



  5. Re: [openssl.org #1703] Bug report for DTLS

    David Woodhouse wrote:
    > On Mon, 2008-10-13 at 09:01 +0200, Lutz Jaenicke via RT wrote:
    >
    >> Note: I have reverted the DTLS1_BAD_VER part as DTLS1_BAD_VER handling
    >> is not present in HEAD (0.9.9).
    >>

    >
    > That makes sense.
    >
    > I assume that DTLS1_BAD_VER handling wasn't added to HEAD because the
    > pre-RFC version of DTLS was considered to be an OpenSSL-specific thing
    > that would quickly die out as people upgraded to 0.9.8f and beyond?
    >
    > Now we've observed that there are servers in the wild which implement
    > that old OpenSSL-specific version of the protocol, but which we'd like
    > to be compatible with. If I can actually get that working in HEAD, would
    > a patch to support it be acceptable?
    >

    I had a deeper look into the mailing list archive and I did not find
    any explicit statement on why this was handled differently in 0.9.8
    and in HEAD.
    Finally we would of course prefer to move people to update to an
    RFC compliant version, so I guess the pre-RFC support should be
    configurable somehow. Andy, what do you think?

    Best regards,
    Lutz



  6. Re: [openssl.org #1703] Bug report for DTLS

    >>> Note: I have reverted the DTLS1_BAD_VER part as DTLS1_BAD_VER handling
    >>> is not present in HEAD (0.9.9).
    >>>

    >> That makes sense.
    >>
    >> I assume that DTLS1_BAD_VER handling wasn't added to HEAD because the
    >> pre-RFC version of DTLS was considered to be an OpenSSL-specific thing
    >> that would quickly die out as people upgraded to 0.9.8f and beyond?


    Right.

    >> Now we've observed that there are servers in the wild which implement
    >> that old OpenSSL-specific version of the protocol, but which we'd like
    >> to be compatible with.


    Could you clarify? Haven't you mentioned that it's about Cisco
    AnyConnect VPN? Isn't it OpenSSL-based? If it's pre-0.9.8f-based, then
    shouldn't you question whether it's appropriate to use it at all because
    of security problems? If it's post-0.9.8f-based, what's the problem?
    Haven't you mentioned that it too accepts non-BAD_VER connections? If
    it's not 0.9.8f, then we have to assume they patch it themselves.
    Wouldn't it be reasonable to assume that their REAL_VER is
    RFC-compliant? If it doesn't inter-operate, wouldn't it be more
    appropriate to devote effort to figuring out why? And if it turns out
    that their REAL_VER is not RFC-compliant, then why did they choose
    REAL_VER and not VENDOR_VER? In other words, can you remind me of the
    reason for re-introducing BAD_DTLS :-) Even in the worst case, is DTLS
    the only option in AnyConnect? I mean, if it doesn't work, why not use
    TLS [till DTLS is fixed to be RFC-compliant]?

    >> If I can actually get that working in HEAD, would
    >> a patch to support it be acceptable?
    >>

    > I had a deeper look into the mailing list archive and I did not find
    > any explicit statement on why this was handled differently in 0.9.8
    > and in HEAD.
    > Finally we would of course prefer to move people to update to an
    > RFC compliant version, so I guess the pre-RFC support should be
    > configurable somehow. Andy, what do you think?


    My vote still goes for *not* implementing BAD_VER in HEAD.


