I would like to request the inclusion of the following patch to the openssl-0.9.8k ebuild: http://cvs.openssl.org/chngview?cn=18037 (OpenSSL RT#1751 http://rt.openssl.org/Ticket/Display.html?id=1751&user=guest&pass=guest) This patch is necessary to make the openconnect (bug #263097; http://www.infradead.org/openconnect.html) VPN client software work using DTLS protocol. The Cisco AnyConnect SSL VPN technology uses an old version of OpenSSL for their server, which predates the official RFC and has a few differences in the implementation of DTLS. Compatibility support for their "speshul" version of the protocol was introduced into OpenSSL after the 0.9.8k release. Fedora has already included this patch in its openssl RPM package. Debian has a separate bug report for this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524982
Seems like a reasonable inclusion to me assuming we're going to stick with the OpenSSL 0.9.8 series for a while in Gentoo and we'll probably only see security updates for that series.
(In reply to comment #1)
> Seems like a reasonable inclusion to me assuming we're going to stick with the
> OpenSSL 0.9.8 series for a while in Gentoo and we'll probably only see security
> updates for that series.

Any chance of getting into this bug report and adding the patch to openssl in Gentoo portage?
This should be in 0.9.8l, which is in the tree now.
The 0.9.8l release does not include the required patch. The author of openconnect just confirmed this on the openconnect mailing list:

====8<====
It was a panic release for a protocol vulnerability. It's 0.9.8k with only one patch -- to disable renegotiation. All the other changes which were committed since 0.9.8k, including the Cisco DTLS compatibility, are now destined for 0.9.8m. Or 0.9.8n, if 0.9.8m turns out to be a slightly more well-thought-out response to the protocol problem.
====8<====

Could you please reconsider adding this patch to the openssl in the portage tree?

Thanks,
/Adam
It's in 0.9.8l-r1.