[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher
David Woodhouse
dwmw2 at infradead.org
Fri Jul 8 22:25:39 UTC 2016
On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote:
>
> Can you describe how DTLS1_BAD_VER is supposed to work? Is this
> version sent over the wire? Is it negotiated?

It does indeed appear on the wire.

In the AnyConnect/OpenConnect case — which, as you rightly observe, is
the only remaining user of this version of the protocol — it's not
actually negotiated in the normal sense at all; we "resume" a session
having established the master secret and session-id over a separate
channel.

http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c#l157

> We have no test suite coverage doing anything with DTLS1_BAD_VER
> and I think the OpenConnect VPN is the only user of it.

Yeah, test coverage would be useful... I'm not sure how complete our
*server* side support of DTLS1_BAD_VER is. I did start looking at it
briefly once, but got distracted. I'll have another look.
--
dwmw2
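
The point above that DTLS1_BAD_VER appears on the wire can be checked in a packet capture by reading the version field of each DTLS record header. The following is an added example, not part of the original message and not OpenSSL or OpenConnect code; it assumes the 13-byte DTLS record header layout, the function and macro names are hypothetical, and the sample datagram is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values as defined in OpenSSL's headers; macro names here are local. */
#define WIRE_DTLS1_BAD_VER 0x0100 /* pre-RFC DTLS used by AnyConnect/OpenConnect */
#define WIRE_DTLS1_0       0xFEFF
#define WIRE_DTLS1_2       0xFEFD
#define DTLS_HDR_LEN       13     /* type(1) version(2) epoch(2) seq(6) length(2) */

struct dtls_hdr {
    uint8_t  type;
    uint16_t version, epoch, length;
    uint64_t seq;                 /* 48-bit record sequence number */
};

/* Returns 0 on success, -1 if the datagram is shorter than a header or the
 * declared record length runs past the end of the buffer. */
int parse_dtls_hdr(const uint8_t *p, size_t n, struct dtls_hdr *h)
{
    if (n < DTLS_HDR_LEN)
        return -1;
    h->type    = p[0];
    h->version = (uint16_t)(p[1] << 8 | p[2]);
    h->epoch   = (uint16_t)(p[3] << 8 | p[4]);
    h->seq     = 0;
    for (int i = 5; i < 11; i++)
        h->seq = h->seq << 8 | p[i];
    h->length  = (uint16_t)(p[11] << 8 | p[12]);
    return (size_t)h->length > n - DTLS_HDR_LEN ? -1 : 0;
}

const char *dtls_version_name(uint16_t v)
{
    switch (v) {
    case WIRE_DTLS1_BAD_VER: return "DTLS1_BAD_VER";
    case WIRE_DTLS1_0:       return "DTLS 1.0";
    case WIRE_DTLS1_2:       return "DTLS 1.2";
    default:                 return "unknown";
    }
}

/* Constructed sample: application-data record (type 23), epoch 1, seq 5,
 * four payload bytes, with 0x0100 in the version field. */
static const uint8_t sample[] = { 23, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 5,
                                  0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    struct dtls_hdr h;
    if (parse_dtls_hdr(sample, sizeof sample, &h) == 0)
        printf("type=%u version=%s epoch=%u len=%u\n", (unsigned)h.type,
               dtls_version_name(h.version), (unsigned)h.epoch, (unsigned)h.length);
    return 0;
}
```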