[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER
David Woodhouse
dwmw2 at infradead.org
Wed Feb 18 17:24:15 UTC 2015
On Wed, 2015-02-18 at 10:43 -0600, Short, Todd wrote:
> The Cisco ASA uses hardware-assist for IPSec/TLS/SSL/DTLS, and most of
> that work was done before DTLS was standardized. This is also the
> reason why Cisco ASA support for TLSv1.1/v1.2 is a long time coming.
> The Cisco ASA VPN team is very small, and they’ve lost people on the
> VPN team recently.
It might be interesting to see if that kind of offload is still
worthwhile, given the rate at which modern CPUs can do AES-GCM.
> The Cisco ASA has recently updated to OpenSSL 1.0.1 (right before
> Heartbleed broke out), so it really depends on what version of the ASA
> code you are running.
I still haven't seen any version of the ASA using anything but
DTLS1_BAD_VER so far.
We do use DTLS1.2 and AES-GCM with ocserv, but not the Cisco ASA.
--
David Woodhouse, Open Source Technology Centre, Intel Corporation
David.Woodhouse at intel.com
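The thread turns on which record-layer version the Cisco ASA actually speaks. As an added example that is not part of this thread or of OpenSSL's own code, the following Python parser reads the 13-byte DTLS record header and names the version it carries, so a defender triaging captured VPN datagrams can count how many peers still use the pre-standard DTLS1_BAD_VER (0x0100, the value OpenSSL's ssl.h assigns to it) versus DTLS 1.0 (0xFEFF) or DTLS 1.2 (0xFEFD). The sample datagrams are constructed inline, not captured traffic, and the helper names are my own.

```python
import struct
from collections import Counter

# Record-layer protocol versions as numbered in OpenSSL's ssl.h.
DTLS1_BAD_VER = 0x0100    # pre-standard Cisco DTLS, the value this thread is about
DTLS1_VERSION = 0xFEFF    # RFC 4347
DTLS1_2_VERSION = 0xFEFD  # RFC 6347

VERSION_NAMES = {
    DTLS1_BAD_VER: "DTLS1_BAD_VER (pre-standard Cisco)",
    DTLS1_VERSION: "DTLS 1.0",
    DTLS1_2_VERSION: "DTLS 1.2",
}

CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# type(1) + version(2) + epoch(2) + sequence number(6) + length(2)
RECORD_HEADER_LEN = 13


def parse_dtls_record(datagram: bytes) -> dict:
    """Parse the first DTLS record header in a datagram.

    Returns a dict describing the record; raises ValueError if the
    datagram is too short to hold a header at all.
    """
    if len(datagram) < RECORD_HEADER_LEN:
        raise ValueError("datagram shorter than a DTLS record header")
    # The 48-bit sequence number is unpacked as a 16-bit high and 32-bit low part.
    ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack(
        "!BHHHIH", datagram[:RECORD_HEADER_LEN]
    )
    body = datagram[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": version,
        "version_name": VERSION_NAMES.get(version, f"unknown(0x{version:04x})"),
        "epoch": epoch,
        "sequence": (seq_hi << 32) | seq_lo,
        "length": length,
        # A declared length longer than the remaining datagram means truncation.
        "truncated": len(body) < length,
    }


def tally_versions(datagrams) -> Counter:
    """Count record-layer versions seen across a list of datagrams (inventory view)."""
    counts = Counter()
    for dgram in datagrams:
        try:
            counts[parse_dtls_record(dgram)["version_name"]] += 1
        except ValueError:
            counts["malformed"] += 1
    return counts


def build_record(ctype: int, version: int, epoch: int, seq: int, body: bytes) -> bytes:
    """Build one DTLS record; used here only to construct sample datagrams."""
    header = struct.pack("!BHHHIH", ctype, version, epoch,
                         seq >> 32, seq & 0xFFFFFFFF, len(body))
    return header + body


# Constructed sample datagrams (arbitrary bodies), not captured traffic.
SAMPLE_DATAGRAMS = [
    build_record(22, DTLS1_BAD_VER, 0, 0, b"\x01\x02\x03"),
    build_record(23, DTLS1_2_VERSION, 1, 7, b"\xde\xad\xbe\xef"),
    build_record(23, DTLS1_VERSION, 1, 9, b"\xca\xfe"),
    build_record(22, DTLS1_BAD_VER, 0, 1, b"\x02\x03\x04"),
    b"\x17\xfe\xfd",  # too short to be a record header
]

if __name__ == "__main__":
    for dgram in SAMPLE_DATAGRAMS:
        try:
            print(parse_dtls_record(dgram))
        except ValueError as exc:
            print("skipped:", exc)
    print(tally_versions(SAMPLE_DATAGRAMS))
```

Only the header is parsed; nothing decrypts or modifies traffic. Feeding the tally a day's worth of datagrams from a VPN concentrator's capture gives a quick answer to the question David raises: whether any peer has moved off DTLS1_BAD_VER yet.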