On 16/02/15 17:33, David Woodhouse wrote: > On Mon, 2015-02-16 at 13:25 +0000, Matt Caswell wrote: >> That sounds like a bug. I can't think of a reason why this should >> exclude DTLS. > > This fixes it to work with DTLS1_BAD_VER too: > > diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c > index 3eaee1d..6e20a1f 100644 > --- a/ssl/ssl_asn1.c > +++ b/ssl/ssl_asn1.c > @@ -396,7 +396,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const > unsigned char **pp, > os.data = NULL; > os.length = 0; > M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING); > - if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) { > + if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR || > + ssl_version == DTLS1_BAD_VER) { > if (os.length != 2) { > c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH; > c.line = __LINE__; > >>> So I'm going to need to fix *something* in OpenSSL HEAD to make this >>> work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work >>> for DTLS1_BAD_VER, or introduce a new API for setting the fields we need >>> to fake a session resume? >>> >> >> What fields do you need access to? It would be good if you could >> document them on the wiki page here: >> https://wiki.openssl.org/index.php/1.1_API_Changes > > I've updated > https://wiki.openssl.org/index.php/1.1_API_Changes#Things_that_Broke_in_OpenConnect > > I can either update my code to create the ASN.1 for itself and use > d2i_SSL_SESSION() relying on the patch above, or I can implement the > 'alternative' new function if that's preferred. >
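Review bot: the added `ssl_version == DTLS1_BAD_VER` clause in the d2i_SSL_SESSION hunk needs a one-line comment, because nothing on the line explains why a DTLS version has to be special-cased here: DTLS1_BAD_VER is 0x0100, so `ssl_version >> 8` evaluates to 1, below SSL3_VERSION_MAJOR, and the major-version test misclassifies that pre-standard DTLS encoding as a pre-SSLv3 session even though it uses 2-byte cipher codes. Suggest something like `/* DTLS1_BAD_VER (0x0100) fails the major-version test but uses 2-byte cipher ids */` above the `if`, and checking whether the same `(ssl_version >> 8) >= SSL3_VERSION_MAJOR` test appears on the encoding side (i2d_SSL_SESSION) or elsewhere in ssl_asn1.c, so that encoder and decoder agree on the cipher-code length for that version rather than only the decoder being patched.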
Ok. Thanks. I'll take a look at this and see what can be done.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev