[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello
David Woodhouse via RT
rt at openssl.org
Wed Feb 18 08:01:29 UTC 2015
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello and potentially other packets. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.
A patch which fixes this is below. I think it's correct not to set
s->client_version in any of the other adjacent cases, as it would be
redundant. In the s->method->version==DTLS_ANY_VERSION case seen in the
context of the patch, we know that s->client_version is going to be set
in ssl3_client_hello(). And in the 'else' case that is just off the end
of the context of the patch, we're setting it to s->method->version
which is what SSL_clear() already did anyway. In fact, I think those
other cases are *entirely* redundant; even the setting of s->version.
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 4ca6bb3..626cecb 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -273,7 +273,7 @@ void dtls1_clear(SSL *s)
ssl3_clear(s);
if (s->options & SSL_OP_CISCO_ANYCONNECT)
- s->version = DTLS1_BAD_VER;
+ s->client_version = s->version = DTLS1_BAD_VER;
else if (s->method->version == DTLS_ANY_VERSION)
s->version = DTLS1_2_VERSION;
else
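Review bot: the fix is applied only in the SSL_OP_CISCO_ANYCONNECT branch, and the reason the two remaining branches need no matching `s->client_version` update (ssl3_client_hello() sets it in the DTLS_ANY_VERSION case, SSL_clear() already set it to s->method->version in the else case) lives only in the mail text, not in the code. Suggest a short comment above `s->client_version = s->version = DTLS1_BAD_VER;` recording that dependency, so a later change to ssl3_client_hello() or SSL_clear() does not silently reintroduce the mismatch that commit 741c9959 caused, plus a regression test that builds a ClientHello with SSL_OP_CISCO_ANYCONNECT set and checks the version field it carries is DTLS1_BAD_VER rather than the value inherited from s->method->version.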
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation