Bug 1354588

Summary: Handling of DTLS1_BAD_VER Change Cipher Spec message is broken
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: tmraz
Fixed In Version: openssl-1.0.2h-3.fc24 openssl-1.0.2h-3.fc23 openssl-1.0.2h-3.fc25
Last Closed: 2016-08-11 21:52:52 UTC
Type: Bug

Description David Woodhouse 2016-07-11 16:05:19 UTC
https://github.com/openssl/openssl/commit/b3a62dc03 broke Cisco-compatible DTLS support, because SSL_export_keying_material() fails there so we bail out.

It shouldn't fail. Fixed in https://github.com/openssl/openssl/pull/1296 (specifically https://github.com/openssl/openssl/pull/1296/commits/80fe195bee )

Comment 1 David Woodhouse 2016-07-26 12:26:43 UTC
RT#4631 filed for 1.0.2:
 http://rt.openssl.org/Ticket/Display.html?id=4631

Comment 2 David Woodhouse 2016-08-10 10:16:30 UTC
https://github.com/openssl/openssl/pull/1387 — of which all you *really* need is the first commit 'Fix SSL_export_keying_material() for DTLS1_BAD_VER', which is a cherry-pick of this commit in HEAD/1.1:
https://github.com/openssl/openssl/commit/c8a18468c

Comment 3 Fedora Update System 2016-08-10 16:10:12 UTC
openssl-1.0.2h-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f2cc51db7

Comment 4 Fedora Update System 2016-08-10 16:10:20 UTC
openssl-1.0.2h-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9de3f61786

Comment 5 Fedora Update System 2016-08-10 16:10:25 UTC
openssl-1.0.2h-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2193f6d63c

Comment 6 Fedora Update System 2016-08-10 18:54:25 UTC
openssl-1.0.2h-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f2cc51db7

Comment 7 Fedora Update System 2016-08-10 19:52:27 UTC
openssl-1.0.2h-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9de3f61786

Comment 8 Fedora Update System 2016-08-11 03:23:32 UTC
openssl-1.0.2h-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2193f6d63c

Comment 9 Fedora Update System 2016-08-11 21:52:50 UTC
openssl-1.0.2h-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-08-25 16:19:54 UTC
openssl-1.0.2h-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-08-27 10:43:06 UTC
openssl-1.0.2h-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.