On Fri, Mar 01, 2013 at 09:32:21PM +0100, Andy Polyakov via RT wrote:
> Hi,
>
> >>>> I've been getting reports from users who see issues with openssl
> >>>> after the upgrade from 1.0.1c to 1.0.1e
> >>>>
> >>>> See:
> >>>> http://bugs.debian.org/678353#10
> >>> I tried on my Intel Core i7-3770S with 1.0.1e connecting to his
> >>> mail server and was unable to reproduce with the stock 1.0.1e
> >>> I built.
> >>>
> >> I got another bug report now:
> >> http://bugs.debian.org/701868
> >>
> >> Both users report that using OPENSSL_ia32cap=~0x200000200000000
> >> fixes their problem.
> >
> > And I've also been pointed to:
> > http://forums.otterhub.org/viewtopic.php?f=62&t=18941
> >
> > It seems various users are affected by this.
>
> There seem to be several problems... As for AES-NI you seem to have
> missed the fix for zero-length TLS fragments,
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc90e42c8623af13308d8ef7e7ada84af0a36509.
>
> I mean I've 'apt-get source openssl' on an Ubuntu machine, applied your
> CVE-2013-0169.patch manually and there is no NO_PAYLOAD_LENGTH... This
> means that if an AES-NI enabled machine talks to a server that supports
> the zero-length countermeasure, you are in trouble.

I don't have anything to do with the Ubuntu upload. The Debian
package is a real 1.0.1e version, not a backport of patches,
that does have that patch applied.

> As for myrta.com:443, the problem is not specific to AES-NI as it
> persists even with -cipher RC4-SHA. Looking further into it...

Yes, I said that that message was unrelated, it also affects
1.0.1c and it goes away when you use -no_tls1_1.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org