Bug 280370 - [patch] openssl-0.9.8k: OpenSSL/DTLS compatibility with Cisco AnyConnect VPN server
Summary: [patch] openssl-0.9.8k: OpenSSL/DTLS compatibility with Cisco AnyConnect VPN ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
URL: http://www.infradead.org/openconnect....
Whiteboard:
Keywords:
Depends on:
Blocks: 263097
Reported: 2009-08-04 21:24 UTC by Adam Piątyszek
Modified: 2009-11-21 03:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description Adam Piątyszek 2009-08-04 21:24:12 UTC
I would like to request the inclusion of the following patch to the openssl-0.9.8k ebuild:
http://cvs.openssl.org/chngview?cn=18037 (OpenSSL RT#1751 http://rt.openssl.org/Ticket/Display.html?id=1751&user=guest&pass=guest)

This patch is necessary to make the openconnect (bug #263097; http://www.infradead.org/openconnect.html) VPN client software work using DTLS protocol.

The Cisco AnyConnect SSL VPN technology uses an old version of OpenSSL for their server, which predates the official RFC and has a few differences in the implementation of DTLS. Compatibility support for their "speshul" version of the protocol was introduced into OpenSSL after the 0.9.8k release.

Fedora has already included this patch in its openssl RPM package. Debian has a separate bug report for this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524982
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2009-08-05 00:37:58 UTC
Seems like a reasonable inclusion to me assuming we're going to stick with the OpenSSL 0.9.8 series for a while in Gentoo and we'll probably only see security updates for that series.
Comment 2 Adam Piątyszek 2009-10-09 19:51:49 UTC
(In reply to comment #1)
> Seems like a reasonable inclusion to me assuming we're going to stick with the
> OpenSSL 0.9.8 series for a while in Gentoo and we'll probably only see security
> updates for that series.

Any chance of getting back to this bug report and adding the patch to openssl in Gentoo portage?

Comment 3 SpanKY gentoo-dev 2009-11-05 20:04:43 UTC
this should be in 0.9.8l, which is in the tree now
Comment 4 Adam Piątyszek 2009-11-08 18:17:32 UTC
The 0.9.8l release does not include the required patch. The author of openconnect just confirmed this on the openconnect mailing list:

====8<====
It was a panic release for a protocol vulnerability. It's 0.9.8k with
only one patch -- to disable renegotiation. All the other changes which
were committed since 0.9.8k, including the Cisco DTLS compatibility, are
now destined for 0.9.8m. Or 0.9.8n, if 0.9.8m turns out to be a slightly
more well-thought-out response to the protocol problem.
====8<====

Could you please reconsider adding this patch to the openssl in the portage tree?

Thanks,
/Adam
Comment 5 SpanKY gentoo-dev 2009-11-21 03:09:44 UTC
it's in 0.9.8l-r1