I single-stepped through start_dtls_handshake() and I can see that we end up at line 520 in openssl-dtls.c, where generate_dtls_session() is called with DTLS1_VERSION for the dtlsver argument.
So that explains why the ClientHello has version 1.0 record/1.0 handshake. I don't understand why ocserv has an issue with that, but that's not really relevant to what I'm trying to do.

I replaced DTLS1_VERSION with DTLS1_2_VERSION and the handshake succeeds. The ClientHello has version 1.2 record/1.2 handshake though, which is not the same as with GnuTLS.

Then I replaced DTLS1_VERSION with DTLS_ANY_VERSION and that does not work. The ClientHello has version 1.0 record/1.2 handshake, same as GnuTLS, but is missing the session ID, has a truncated cipher list, etc.

Is the hard-coding of DTLS1_VERSION expected?

MV

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
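The message above compares two different version fields of a DTLS ClientHello: the version in the 13-byte record header and the client_version inside the ClientHello body, which is why a single datagram can read "1.0 record/1.2 handshake". The following Python is an added example, not code from this thread, from OpenConnect or from ocserv. It builds a single-record DTLS ClientHello from constructed values and parses it back, reporting both version fields along with the session ID length and cipher suite list, so a captured datagram can be checked the same way. The sample values (zeroed random, a 32-byte session ID, three cipher suite codes) are constructed here and are not a capture of what GnuTLS or OpenSSL actually sends.

```python
"""Decode the record-layer version and the ClientHello client_version of a
DTLS datagram.  Added example; not part of the original post or project.
Wire layout follows RFC 4347 / RFC 6347 (DTLS record and handshake headers)."""
import struct

# DTLS encodes versions as 0xFE, 0xFF - minor: 1.0 is FE FF, 1.2 is FE FD.
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1


def version_name(v):
    return DTLS_VERSIONS.get(v, "unknown 0x%04x" % v)


def build_client_hello(record_version, client_version, session_id=b"",
                       cookie=b"", cipher_suites=(), message_seq=0):
    """Build a one-record, unfragmented DTLS ClientHello (constructed test input)."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                          # random: zeroed, not a real hello
    body += bytes([len(session_id)]) + session_id
    body += bytes([len(cookie)]) + cookie
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    # Handshake header: msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)
    hs_header = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
    hs_header += struct.pack("!H", message_seq)
    hs_header += (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")
    fragment = hs_header + body
    # Record header: type(1) version(2) epoch(2) sequence(6) length(2); epoch and seq 0
    record = struct.pack("!BHHHIH", CONTENT_TYPE_HANDSHAKE, record_version,
                         0, 0, 0, len(fragment))
    return record + fragment


def parse_client_hello(datagram):
    """Return the record version, client_version, session ID length, cookie
    length and cipher suite codes of the ClientHello in `datagram`."""
    if len(datagram) < 13:
        raise ValueError("datagram too short for a DTLS record header")
    ctype, rec_ver, _epoch, _seq_hi, _seq_lo, rec_len = struct.unpack(
        "!BHHHIH", datagram[:13])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("record is not a handshake record (type %d)" % ctype)
    frag = datagram[13:13 + rec_len]
    if len(frag) != rec_len or rec_len < 12:
        raise ValueError("record length does not match datagram")
    msg_type = frag[0]
    msg_len = int.from_bytes(frag[1:4], "big")
    frag_off = int.from_bytes(frag[6:9], "big")
    frag_len = int.from_bytes(frag[9:12], "big")
    if msg_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello (type %d)" % msg_type)
    if frag_off != 0 or frag_len != msg_len:
        raise ValueError("fragmented ClientHello; reassemble before parsing")
    hello = frag[12:12 + frag_len]
    if len(hello) < 35:
        raise ValueError("ClientHello body too short")
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 34                                      # client_version(2) + random(32)
    sid_len = hello[pos]; pos += 1
    pos += sid_len
    cookie_len = hello[pos]; pos += 1
    pos += cookie_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    if pos + cs_len > len(hello):
        raise ValueError("cipher suite list runs past the ClientHello body")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": version_name(rec_ver),
        "handshake_version": version_name(client_ver),
        "session_id_len": sid_len,
        "cookie_len": cookie_len,
        "cipher_suites": suites,
    }


def describe(datagram):
    """One-line summary in the 'X record/Y handshake' form used in the thread."""
    r = parse_client_hello(datagram)
    return "%s record/%s handshake, session_id=%d bytes, %d cipher suites" % (
        r["record_version"], r["handshake_version"],
        r["session_id_len"], len(r["cipher_suites"]))


if __name__ == "__main__":
    # Constructed sample shaped like the "1.0 record/1.2 handshake" case described
    # above: 1.0 in the record header, 1.2 as client_version, 32-byte session ID.
    sample = build_client_hello(0xFEFF, 0xFEFD, session_id=bytes(range(32)),
                                cipher_suites=(0xC02B, 0xC02F, 0x009E))
    print(describe(sample))
```

To inspect a real capture, feed the UDP payload of the first client datagram to `parse_client_hello`; the two version values it reports are the record and handshake versions the message above refers to, and `session_id_len` and `cipher_suites` show the fields it says are missing or truncated.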