[asterisk-bugs] [JIRA] (ASTERISK-24711) DTLS handshake broken with latest OpenSSL versions

Jared Biel (JIRA) noreply at issues.asterisk.org
Wed Jan 28 16:20:34 CST 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=224657#comment-224657 ] 

Jared Biel edited comment on ASTERISK-24711 at 1/28/15 4:19 PM:
----------------------------------------------------------------

There have been commits against openssl that fix this issue (see [originally linked openssl rt ticket|http://rt.openssl.org/Ticket/Display.html?id=3657] for more details.) However, I'm unsure if these fixes are going to be considered for inclusion in the next round of security/regression fixes for every distribution ([debian discussion|https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502].)


was (Author: jared.biel at bolderthinking.com):
There have been commits against openssl that fix this issue (see [originally linked openssl rt ticket|http://rt.openssl.org/Ticket/Display.html?id=3657] for more details.) However, I'm unsure if these fixes are going to be considered for inclusion in the next round of security/regression fixes ([debian discussion|https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502].)

> DTLS handshake broken with latest OpenSSL versions
> --------------------------------------------------
>
>                 Key: ASTERISK-24711
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24711
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 13.1.0
>            Reporter: Jared Biel
>            Assignee: Joshua Colp
>
> The latest versions of OpenSSL recently cleaned up some DTLS vulnerabilities and one of them (I believe it's CVE-2015-0206) caused RTP DTLS handshakes to stop working. This means that all WebRTC calls fail to negotiate audio. I came across this issue using a fully updated Ubuntu 14.04 server running OpenSSL 1.0.1f-1ubuntu2.8 and Asterisk 13.1.0.
> Upstream report: http://rt.openssl.org/Ticket/Display.html?id=3657
> The one-line workaround mentioned in the ticket worked for me. Patch:
> [mjordan]: Code redacted.
> *NOTE*:
> Unfortunately, we cannot accept even one-line patches in comments. If you'd like to contribute this patch to Asterisk, please sign a license contributor agreement and attach the patch in unified diff format.


