[openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD
David Woodhouse
dwmw2 at infradead.org
Tue Mar 3 14:28:09 UTC 2015
On Tue, 2015-03-03 at 12:00 +0000, Matt Caswell wrote:
>
> > I'll look at adding test cases to exercise the DTLS_BAD_VER support,
> to
> > try to avoid this kind of thing happening in future.
> >
>
> That would be fantastic to have.
I look a quick look at this. Adding DTLSv1 and DTLSv1.2 support to
ssl/ssltest.c isn't particularly hard, but we don't actually *have*
server support for DTLS1_BAD_VER.
I suppose I could fix it up, but it doesn't seem to make a lot of sense.
It's the wrong thing to test against *anyway* since there are plenty of
failure modes in which a regression could be introduced in generic code
and OpenSSL would remain compatible with *itself* anyway.
So I'm torn between doing a minimal reimplementation of the server side
and making OpenSSL talk to that, or a dirty replay attack such as the
one I had when I was first working it out:
http://david.woodhou.se/dtls-test.c
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150303/10d123a7/attachment.bin>
More information about the openssl-dev
mailing list