[openssl-dev] [openssl.org #3704] OpenSSL HEAD breaks OpenConnect VPN client

David Woodhouse via RT rt at openssl.org
Tue Feb 17 21:48:45 UTC 2015


The Cisco AnyConnect VPN protocol establishes a connection over HTTPS
and negotiates parameters (cipher, master secret & session ID) for a
DTLS connection which is then "resumed".

The OpenConnect VPN client handles this by using SSL_SESSION_new(),
manually setting the appropriate fields in the structure, and then using
SSL_set_session(). This code can be seen at
http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147

Commit b6ba401497 in OpenSSL broke this, because the SSL_SESSION became
opaque — with no alternative method that I can see to do what's needed.

I played with manually creating the ASN.1 representation of a session
and feeding it to d2i_SSL_SESSION() but that fails because ssl_version
is 0x100 (DTLS1_BAD_VER) and d2i_SSL_SESSION() only works if the SSL
version major is >= SSL3_VERSION_MAJOR.

So I'm going to need to fix *something* in OpenSSL HEAD to make this
work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
to fake a session resume?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
