[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

David Woodhouse via RT rt at openssl.org
Wed Feb 18 10:26:12 UTC 2015


Or maybe we should deprecate SSL_OP_CISCO_ANYCONNECT. It would be
cleaner to support it this way instead:

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 151dd47..d4a2d15 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -133,7 +133,9 @@ static int dtls1_get_hello_verify(SSL *s);
 
 static const SSL_METHOD *dtls1_get_client_method(int ver)
 {
-    if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
+    if (ver == DTLS1_BAD_VER)
+        return (DTLSv0_9_client_method());
+    else if (ver == DTLS1_VERSION)
         return (DTLSv1_client_method());
     else if (ver == DTLS1_2_VERSION)
         return (DTLSv1_2_client_method());
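Review bot: The new `ver == DTLS1_BAD_VER` branch carries no comment explaining why the pre-standard version now gets its own method instead of the DTLSv1 one it shared before, so a reader of d1_clnt.c alone cannot tell this is the Cisco AnyConnect compatibility path that the subject line's ClientHello-version regression is about. Suggest `/* DTLS1_BAD_VER is the pre-RFC DTLS still spoken by Cisco AnyConnect; a separate method keeps that version out of the DTLSv1 path. */` above the branch. The `else` after each `return` is redundant and a flat `if` chain would read more plainly, though the existing lines use the same shape. dtls1_get_client_method continues past the end of this hunk.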
@@ -141,6 +143,12 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
         return (NULL);
 }
 
+IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER,
+                          DTLSv0_9_client_method,
+                          ssl_undefined_function,
+                          dtls1_connect,
+                          dtls1_get_client_method, DTLSv1_enc_data)
+
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                           DTLSv1_client_method,
                           ssl_undefined_function,
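Review bot: The new DTLS1_BAD_VER method is reachable through `dtls1_get_client_method`, the get-method callback this hunk passes to every DTLS client method, so a client created with `DTLSv1_client_method()` could be switched to the pre-standard 0.9 method if negotiation ever hands that function DTLS1_BAD_VER, whereas before this patch that behaviour required SSL_OP_CISCO_ANYCONNECT to be set explicitly. Whether a peer can actually drive `ver` to DTLS1_BAD_VER depends on dtls1_connect, which is outside the hunk; if it can, the lookup should return `DTLSv0_9_client_method()` only when the caller started on that method or still has the option set, so the downgrade stays opt-in. The definition also reuses `DTLSv1_enc_data` unchanged; a one-line comment above the macro stating whether any BAD_VER-specific record handling still lives behind SSL_OP_CISCO_ANYCONNECT or has moved into this method would save the next reader the search.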
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 13fb053..6a559b7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1611,6 +1611,11 @@ const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
 
+/* For reasons not entirely clear to anyone, Cisco still uses this
+ * in their AnyConnect VPN and haven't managed to update even to
+ * DTLS v1.0. So we still need to support it for compatibility */
+const SSL_METHOD *DTLSv0_9_client_method(void); /* pre-OpenSSL 0.9.8f */
+
 const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
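Review bot: The trailing comment `/* pre-OpenSSL 0.9.8f */` names an OpenSSL release but not the version constant the method speaks, and nothing in the block comment says that only a client method exists. Suggest ending the block comment with `Only a client method is provided; there is no DTLSv0_9_method() or server variant.` and changing the trailing tag to `/* DTLS1_BAD_VER, pre-0.9.8f */` so it mirrors the `/* DTLSv1.0 */` tags on the neighbouring declarations.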

-- 
dwmw2


