[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER
Kurt Roeckx via RT
rt at openssl.org
Wed Feb 18 17:09:34 UTC 2015
On Wed, Feb 18, 2015 at 11:34:43AM +0000, David Woodhouse wrote:
> On Tue, 2015-02-17 at 22:48 +0100, David Woodhouse via RT wrote:
> > Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
> > from dtls1_buffer_message() which was needed to distinguish between DTLS
> > 1.x and Cisco's pre-standard version of DTLS.
>
> Further testing shows that simply reverting the offending commit isn't
> sufficient -- as the commit comment hinted. We need to treat DTLS v1.2
> the same as DTLS v1.0. So invert it to check explicitly for
> DTLS1_BAD_VER instead. And in fact we might as well clean it up a little
> to look like this:

I previously mailed something to that effect to rt@, but that
seems to not have made it.

Anyway, I'm wondering about that assert. Is this something the
other side could potentially trigger, and so be a remote DoS? I
think you showed that you ran into it. If that's the case,
wouldn't it be better to generate an error instead?

Kurt