[openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

David Woodhouse dwmw2 at infradead.org
Mon Feb 16 14:16:15 UTC 2015


>> I played with manually creating the ASN.1 representation of a session
>> and feeding it to d2i_SSL_SESSION() but that fails because ssl_version
>> is 0x100 (DTLS1_BAD_VER) and d2i_SSL_SESSION() only works if the SSL
>> version major is >= SSL3_VERSION_MAJOR.
>
> That sounds like a bug. I can't think of a reason why this should
> exclude DTLS.

Note it accepts DTLS, just not Cisco's DTLS1_BAD_VER abomination.

>>
>> So I'm going to need to fix *something* in OpenSSL HEAD to make this
>> work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
>> for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
>> to fake a session resume?
>>
>
> What fields do you need access to?

Basically just SSL version, cipher, master secret and session ID. Enough
to fake "resuming" a session that never really existed.

-- 
dwmw2
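As an added illustration (not code from the thread, OpenConnect or OpenSSL), the block below encodes the four fields the message lists into the leading part of the SSL_SESSION DER layout and then applies the version-major gate that makes d2i_SSL_SESSION() reject DTLS1_BAD_VER. The field order is assumed from OpenSSL's ssl_asn1.c, and the helper names and sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define SSL3_VERSION_MAJOR 0x03
#define DTLS1_BAD_VER      0x0100  /* Cisco's pre-standard DTLS version: major byte 0x01 */
/* Short-form DER TLV (length < 128), enough for every field used here. */
static size_t put_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len) {
    if (len >= 128) return 0;
    out[0] = tag; out[1] = (uint8_t)len; memcpy(out + 2, val, len);
    return 2 + len;
}
/* Minimal positive INTEGER encoding of a 16-bit value. */
static size_t put_int16(uint8_t *out, uint16_t v) {
    uint8_t b[3]; size_t n = 0;
    if (v > 0x7FFF) b[n++] = 0x00;          /* leading zero keeps it positive */
    if (v > 0x7F)   b[n++] = (uint8_t)(v >> 8);
    b[n++] = (uint8_t)v;
    return put_tlv(out, 0x02, b, n);
}
/* Leading fields of the SSL_SESSION layout, assumed here from OpenSSL's ssl_asn1.c:
 * SEQUENCE { INTEGER 1, INTEGER ssl_version, OCTET STRING cipher_id(2), OCTET STRING
 * session_id, OCTET STRING master_key }; OpenSSL's optional tagged fields are omitted. */
size_t encode_session(uint8_t *out, size_t cap, uint16_t ssl_version, uint16_t cipher_id,
                      const uint8_t *sid, size_t sid_len, const uint8_t *mk, size_t mk_len) {
    uint8_t body[120], cid[2] = { (uint8_t)(cipher_id >> 8), (uint8_t)cipher_id }; size_t n = 0;
    if (sid_len > 32 || mk_len > 48) return 0;      /* keeps the body under 128 bytes */
    n += put_int16(body + n, 1);                    /* SSL_SESSION_ASN1_VERSION */
    n += put_int16(body + n, ssl_version);
    n += put_tlv(body + n, 0x04, cid, 2);
    n += put_tlv(body + n, 0x04, sid, sid_len);
    n += put_tlv(body + n, 0x04, mk, mk_len);
    return cap >= n + 2 ? put_tlv(out, 0x30, body, n) : 0;
}
/* The gate the thread describes: d2i_SSL_SESSION() wants major byte >= SSL3_VERSION_MAJOR. */
int d2i_version_accepted(uint16_t ssl_version) { return (ssl_version >> 8) >= SSL3_VERSION_MAJOR; }
/* Read ssl_version back out of an encode_session() blob and apply the gate; -1 if malformed. */
int session_der_accepted(const uint8_t *der, size_t len) {
    size_t i = 2; uint16_t v = 0;                   /* i starts past the SEQUENCE header */
    if (len < 4 || der[0] != 0x30) return -1;
    i += 2 + der[i + 1];                            /* skip the INTEGER 1 */
    if (i + 2 > len || der[i] != 0x02) return -1;
    for (size_t k = 0; k < der[i + 1] && i + 2 + k < len; k++) v = (uint16_t)((v << 8) | der[i + 2 + k]);
    return d2i_version_accepted(v);
}
/* Constructed sample material (not real secrets): 4-byte session ID, 48-byte master key. */
static const uint8_t kSid[4] = { 0xde, 0xad, 0xbe, 0xef }, kMk[48] = { 0x11 };
int sample_accepted(uint16_t ssl_version) {         /* encode, then re-parse; -1 on failure */
    uint8_t buf[160]; size_t n = encode_session(buf, sizeof buf, ssl_version, 0x002F, kSid, 4, kMk, 48);
    return n ? session_der_accepted(buf, n) : -1;
}
```

Feeding DTLS1_BAD_VER through the round trip yields 0 while DTLS 1.0 (0xFEFF) and TLS 1.2 (0x0303) yield 1, which is the failure the message reports.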