[openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

Matt Caswell matt at openssl.org
Mon Feb 16 13:25:08 UTC 2015



On 16/02/15 12:45, David Woodhouse wrote:
> The Cisco AnyConnect VPN protocol establishes a connection over HTTPS
> and negotiates parameters (cipher, master secret & session ID) for a
> DTLS connection which is then "resumed".
> 
> The OpenConnect VPN client handles this by using SSL_SESSION_new(),
> manually setting the appropriate fields in the structure, and then using
> SSL_set_session(). This code can be seen at
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147
> 
> Commit b6ba401497 in OpenSSL broke this, because the SSL_SESSION became
> opaque — with no alternative method that I can see to do what's needed.
> 
> I played with manually creating the ASN.1 representation of a session
> and feeding it to d2i_SSL_SESSION() but that fails because ssl_version
> is 0x100 (DTLS1_BAD_VER) and d2i_SSL_SESSION() only works if the SSL
> version major is >= SSL3_VERSION_MAJOR.

That sounds like a bug. I can't think of a reason why this should
exclude DTLS.

> 
> So I'm going to need to fix *something* in OpenSSL HEAD to make this
> work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
> for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
> to fake a session resume?
> 

What fields do you need access to? It would be good if you could
document them on the wiki page here:
https://wiki.openssl.org/index.php/1.1_API_Changes

Send an email to wiki-admin at opensslfoundation.com with your preferred
username and I can set you up with access.

Matt
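The version check David describes is worth seeing in numbers. The following is an added example, not code from OpenConnect or from OpenSSL's ssl_asn1.c; it models the described test (high byte of ssl_version must be at least SSL3_VERSION_MAJOR) rather than reproducing the real d2i_SSL_SESSION() source. The version constants are the public values from OpenSSL's ssl.h. Because standard DTLS versions are encoded as the ones-complement of the corresponding TLS version, their high byte is 0xFE and they sail through a "major >= 3" test; only the pre-standard DTLS1_BAD_VER (0x0100) that Cisco's protocol uses has a major byte of 1 and is rejected, which is exactly the exclusion Matt calls a bug. The `session_version_accepted_fixed` function is the kind of minimal fix the thread discusses, written here as an illustration.

```c
#include <stdio.h>

/* Protocol version constants as defined in OpenSSL's ssl.h. */
#define SSL3_VERSION_MAJOR 0x03
#define SSL3_VERSION       0x0300
#define TLS1_VERSION       0x0301
#define TLS1_2_VERSION     0x0303
#define DTLS1_BAD_VER      0x0100   /* pre-standard DTLS, used by Cisco AnyConnect */
#define DTLS1_VERSION      0xFEFF   /* RFC 4347: ones-complement of TLS 1.0 (0x0100) */
#define DTLS1_2_VERSION    0xFEFD   /* RFC 6347: ones-complement of TLS 1.2 (0x0102) */

/* Returns 1 if the value is one of the DTLS wire versions OpenSSL knows about. */
int is_dtls_version(int ssl_version)
{
    return ssl_version == DTLS1_BAD_VER
        || ssl_version == DTLS1_VERSION
        || ssl_version == DTLS1_2_VERSION;
}

/* Model of the check described in the thread: the session is accepted only
 * when the major (high) byte of ssl_version is >= SSL3_VERSION_MAJOR.
 * Standard DTLS passes by accident (0xFE >= 0x03); DTLS1_BAD_VER fails. */
int session_version_accepted_old(int ssl_version)
{
    return (ssl_version >> 8) >= SSL3_VERSION_MAJOR;
}

/* Illustrative minimal fix (an assumption, not OpenSSL's actual patch):
 * treat any known DTLS version as acceptable in addition to the major check. */
int session_version_accepted_fixed(int ssl_version)
{
    if (is_dtls_version(ssl_version))
        return 1;
    return (ssl_version >> 8) >= SSL3_VERSION_MAJOR;
}

int main(void)
{
    /* Constructed sample of versions to run through both checks. */
    const int versions[] = { SSL3_VERSION, TLS1_VERSION, TLS1_2_VERSION,
                             DTLS1_BAD_VER, DTLS1_VERSION, DTLS1_2_VERSION };
    size_t i;

    printf("%-8s %-5s %-4s %-5s\n", "version", "dtls", "old", "fixed");
    for (i = 0; i < sizeof(versions) / sizeof(versions[0]); i++) {
        int v = versions[i];
        printf("0x%04X   %-5d %-4d %-5d\n", v, is_dtls_version(v),
               session_version_accepted_old(v),
               session_version_accepted_fixed(v));
    }
    return 0;
}
```

Run as-is it prints one row per version; the DTLS1_BAD_VER row is the only one where the old check says 0 and the fixed check says 1, which matches the failure David saw when feeding a hand-built session to d2i_SSL_SESSION().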
