[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher
Kurt Roeckx
kurt at roeckx.be
Fri Jul 8 21:59:28 UTC 2016
On Fri, Jul 08, 2016 at 05:43:21PM +0100, David Woodhouse wrote:
>
> This broke the OpenConnect VPN client, which now fails thus:
>
> DTLS handshake failed: 1
> 67609664:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:927:
>
> I tried the naïvely obvious step of changing all instances of
> DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help.

Can you describe how DTLS1_BAD_VER is supposed to work? Is this
version sent over the wire? Is it negotiated?

We have no test suite coverage doing anything with DTLS1_BAD_VER
and I think the OpenConnect VPN is the only user of it.

Kurt