[openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

David Woodhouse dwmw2 at infradead.org
Mon Feb 16 17:33:15 UTC 2015


On Mon, 2015-02-16 at 13:25 +0000, Matt Caswell wrote:
> That sounds like a bug. I can't think of a reason why this should
> exclude DTLS.

This fixes it to work with DTLS1_BAD_VER too:

diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 3eaee1d..6e20a1f 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -396,7 +396,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     os.data = NULL;
     os.length = 0;
     M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
-    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
+    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR ||
+	ssl_version == DTLS1_BAD_VER) {
         if (os.length != 2) {
             c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
             c.line = __LINE__;
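Review bot: the `ssl_version == DTLS1_BAD_VER` clause is the right way to keep a 0x0100 session out of the SSLv2 3-byte cipher-code branch, but if the serializer on the i2d side selects the cipher-code width with the same `(ssl_version >> 8) >= SSL3_VERSION_MAJOR` test it needs the matching clause, otherwise a DTLS1_BAD_VER session will not round-trip through i2d/d2i. Two smaller points: the continuation line `+	ssl_version == DTLS1_BAD_VER) {` is indented with a tab while the surrounding code uses spaces, and a one-line comment saying that DTLS1_BAD_VER's major byte is 0x01 despite it being a DTLS (2-byte cipher suite) version would save the next reader a trip to ssl.h.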

> > So I'm going to need to fix *something* in OpenSSL HEAD to make this
> > work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
> > for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
> > to fake a session resume?
> > 
> 
> What fields do you need access to? It would be good if you could
> document them on the wiki page here:
> https://wiki.openssl.org/index.php/1.1_API_Changes

I've updated
https://wiki.openssl.org/index.php/1.1_API_Changes#Things_that_Broke_in_OpenConnect

I can either update my code to create the ASN.1 for itself and use
d2i_SSL_SESSION() relying on the patch above, or I can implement the
'alternative' new function if that's preferred.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
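The "create the ASN.1 for itself" option above, as an added example written for this page rather than code from OpenConnect or OpenSSL: a plain-C, dependency-free builder for the leading fields of an SSL_SESSION blob and a reader that reproduces the cipher-code length check from the patched d2i_SSL_SESSION(). The field order (SEQUENCE { INTEGER version, INTEGER ssl_version, OCTET STRING cipher, OCTET STRING session_id, OCTET STRING master_key }) is assumed from the SSL_SESSION ASN.1 encoding of that era; the version constants are copied from OpenSSL's headers; the cipher suite, session id and master key are constructed sample values, not real session material. The example goes slightly beyond the thread by modelling both the old and the patched predicate so the failure mode is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Version constants as in OpenSSL's ssl.h / ssl3.h / dtls1.h. */
#define SSL3_VERSION_MAJOR 0x03
#define TLS1_VERSION       0x0301
#define DTLS1_VERSION      0xFEFF
#define DTLS1_BAD_VER      0x0100   /* pre-RFC DTLS; major byte is 0x01 */

/* Width of the cipher-suite code in the session blob.
 * patched == 0 : the original test from d2i_SSL_SESSION()
 * patched == 1 : the test with the DTLS1_BAD_VER clause from the patch above */
static size_t expected_cipher_len(int ssl_version, int patched)
{
    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR ||
        (patched && ssl_version == DTLS1_BAD_VER))
        return 2;               /* SSLv3/TLS/DTLS: 2-byte cipher suite */
    return 3;                   /* SSLv2: 3-byte cipher code */
}

/* --- minimal DER writer; short-form lengths only (everything here is < 128) --- */
static size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    out[0] = tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return 2 + len;
}

/* DER INTEGER for a non-negative value: big-endian, minimal, with a leading
 * 0x00 when the top bit would otherwise mark it negative (e.g. 0xFEFF). */
static size_t der_uint(uint8_t *out, unsigned v)
{
    uint8_t le[4], be[5];
    size_t n = 0, i = 0;
    do { le[i++] = (uint8_t)(v & 0xff); v >>= 8; } while (v);
    if (le[i - 1] & 0x80)
        be[n++] = 0x00;
    while (i > 0)
        be[n++] = le[--i];
    return der_tlv(out, 0x02, be, n);
}

/* Leading fields of an SSL_SESSION blob (assumed layout, see lead-in):
 * SEQUENCE { INTEGER 1, INTEGER ssl_version, OCTET STRING cipher,
 *            OCTET STRING session_id, OCTET STRING master_key }
 * out must hold at least 128 bytes; returns the number of bytes written. */
static size_t build_session(uint8_t *out, int ssl_version,
                            const uint8_t *cipher, size_t cipher_len,
                            const uint8_t *sid, size_t sid_len,
                            const uint8_t *master, size_t master_len)
{
    uint8_t body[128];
    size_t n = 0;
    n += der_uint(body + n, 1);                 /* SSL_SESSION_ASN1_VERSION */
    n += der_uint(body + n, (unsigned)ssl_version);
    n += der_tlv(body + n, 0x04, cipher, cipher_len);
    n += der_tlv(body + n, 0x04, sid, sid_len);
    n += der_tlv(body + n, 0x04, master, master_len);
    return der_tlv(out, 0x30, body, n);
}

/* Reader mirroring the d2i_SSL_SESSION() cipher-field check.
 * Returns 0 when accepted, -1 for SSL_R_CIPHER_CODE_WRONG_LENGTH,
 * -2 when the DER prefix is malformed. */
static int check_session(const uint8_t *in, size_t len, int patched)
{
    size_t p, i, n;
    unsigned ssl_version = 0;

    if (len < 2 || in[0] != 0x30 || (in[1] & 0x80) || (size_t)in[1] + 2 != len)
        return -2;
    p = 2;
    if (p + 2 > len || in[p] != 0x02) return -2;   /* INTEGER version */
    n = in[p + 1]; p += 2 + n;
    if (p + 2 > len || in[p] != 0x02) return -2;   /* INTEGER ssl_version */
    n = in[p + 1]; p += 2;
    if (n == 0 || n > 4 || p + n > len) return -2;
    for (i = 0; i < n; i++)
        ssl_version = (ssl_version << 8) | in[p + i];
    p += n;
    if (p + 2 > len || in[p] != 0x04) return -2;   /* OCTET STRING cipher */
    n = in[p + 1];
    if (p + 2 + n > len) return -2;
    return n == expected_cipher_len((int)ssl_version, patched) ? 0 : -1;
}

/* Builds a blob for the given version with a 2-byte cipher suite and returns
 * the reader's verdict under the chosen predicate. Sample values constructed. */
static int verdict(int ssl_version, int patched)
{
    static const uint8_t cipher[2] = { 0x00, 0x2f };  /* TLS_RSA_WITH_AES_128_CBC_SHA */
    uint8_t sid[16], master[48], blob[128];
    size_t n;
    memset(sid, 0x11, sizeof sid);
    memset(master, 0x22, sizeof master);
    n = build_session(blob, ssl_version, cipher, 2, sid, sizeof sid, master, sizeof master);
    return check_session(blob, n, patched);
}

int main(void)
{
    printf("DTLS1_BAD_VER unpatched: %d  patched: %d\n",
           verdict(DTLS1_BAD_VER, 0), verdict(DTLS1_BAD_VER, 1));
    printf("DTLS1_VERSION unpatched: %d  patched: %d\n",
           verdict(DTLS1_VERSION, 0), verdict(DTLS1_VERSION, 1));
    return 0;
}
```

The unpatched predicate sends a 0x0100 session down the SSLv2 path and expects a 3-byte cipher code, so the faked resume with a real 2-byte suite fails with SSL_R_CIPHER_CODE_WRONG_LENGTH; TLS and RFC DTLS (0xFEFF, major byte 0xFE) are unaffected either way.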