[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

David Woodhouse dwmw2 at infradead.org
Mon Jul 25 15:29:49 UTC 2016


On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote:
> 
> We have no test suite coverage doing anything with DTLS1_BAD_VER
> and I think the OpenConnect VPN is the only user of it.

I added a basic test in PR #1296. It just simulates the basic session
resume and — since it seemed relatively trivial to add while I was at
it — out-of-order packet RX:
https://github.com/openssl/openssl/pull/1296/commits/9538be65

This test catches all the bugs that the pull request fixes, and also
tests the session resume method that OpenConnect uses, of manually
building the ASN.1 with the session details and then using
d2i_SSL_SESSION().

It validates the handshake MAC, which is different for DTLS1_BAD_VER
because it doesn't include the handshake message headers.

It also checks the handling of the 3-byte Change Cipher Spec message,
in both directions.

I'm currently trying to stop it whining about DTLSv1_client_method()
being deprecated; I can't see how to make it work using
DTLS_client_method().

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
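
The two wire-format differences the message says the test covers (a handshake MAC computed without the handshake message headers, and a 3-byte Change Cipher Spec) can be modelled as below; this is an added example, not code from the message, PR #1296 or OpenSSL. Assumptions: the 12-byte handshake header layout is taken from RFC 4347, the two extra CCS bytes are read as a big-endian sequence number, and the function names and sample messages are constructed for illustration.

```python
import hashlib
import struct

DTLS1_VERSION = 0xFEFF   # DTLS 1.0 wire version
DTLS1_BAD_VER = 0x0100   # value of OpenSSL's DTLS1_BAD_VER constant
HM_HEADER_LEN = 12       # type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)


def handshake_msg(msg_type, msg_seq, body):
    """Encode one unfragmented DTLS handshake message (header + body)."""
    length = len(body).to_bytes(3, "big")
    return (bytes([msg_type]) + length + struct.pack("!H", msg_seq)
            + b"\x00\x00\x00" + length + body)


def transcript_input(version, messages):
    """Return the bytes that feed the handshake MAC for this version."""
    out = bytearray()
    for msg in messages:
        if len(msg) < HM_HEADER_LEN:
            raise ValueError("truncated handshake header")
        body_len = int.from_bytes(msg[1:4], "big")
        frag_off, frag_len = (int.from_bytes(msg[i:i + 3], "big") for i in (6, 9))
        if frag_off or frag_len != body_len or len(msg) != HM_HEADER_LEN + body_len:
            raise ValueError("fragmented or malformed handshake message")
        out += msg[HM_HEADER_LEN:] if version == DTLS1_BAD_VER else msg
    return bytes(out)


def parse_ccs(version, payload):
    """Validate a Change Cipher Spec payload; return its sequence number or None."""
    expected = 3 if version == DTLS1_BAD_VER else 1
    if len(payload) != expected or payload[0] != 1:
        raise ValueError("bad ChangeCipherSpec for version 0x%04x" % version)
    return struct.unpack("!H", payload[1:])[0] if expected == 3 else None


# Constructed sample: ClientHello (type 1) and ServerHello (type 2), dummy bodies.
SAMPLE = [handshake_msg(1, 0, b"\xaa" * 38), handshake_msg(2, 0, b"\xbb" * 12)]

if __name__ == "__main__":
    for ver in (DTLS1_VERSION, DTLS1_BAD_VER):
        data = transcript_input(ver, SAMPLE)
        print("0x%04x" % ver, len(data), hashlib.sha1(data).hexdigest())
    print(parse_ccs(DTLS1_BAD_VER, b"\x01\x00\x02"))
```

A peer that hashes the headers for one version and omits them for the other derives a different Finished value from the same messages, which is why a test that validates the MAC catches a mismatch in this path.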