[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

David Woodhouse dwmw2 at infradead.org
Mon Jul 25 17:20:18 UTC 2016


On Mon, 2016-07-25 at 16:29 +0100, David Woodhouse wrote:
> I'm currently trying to stop it whining about DTLSv1_client_method()
> being deprecated; I can't see how to make it work using
> DTLS_client_method().

The SSL_OP_CISCO_ANYCONNECT hack doesn't work so well with
DTLS_client_method. Instead of there being one simple place where we
can set s->client_version = s->version = DTLS1_BAD_VER, we'd end up
having to play silly buggers in quite a few places. So I figured I
should probably just do it properly with support for DTLS1_BAD_VER, as
below.

Although arguably, if I've used SSL_set_session() such that
s->session->ssl_version == DTLS1_BAD_VER, that should have been
honoured.

Two new commits at the tip of PR#1296 for comment...
https://github.com/openssl/openssl/pull/1296/commits/a1c341f7
(Make DTLS1_BAD_VER work with DTLS_client_method())

https://github.com/openssl/openssl/pull/1296/commits/41800497
(Honour SSL version in SSL_set_session()).

Not entirely sure if those are the best approach... but hey, you have a
test case now :)

-- 
dwmw2