> Good to know. I don't think we would want to use this as a "permanent"
> solution, however, since the intent of PSK-NEGOTIATE is that it will, well,
> "negotiate" the desired version of DTLS.

Indeed. Hence my further test.

> That's confusing! generate_dtls_session should definitely be setting the
> session_id in this case.
>
> It *seems* like the right fix should be to use DTLS_ANY_VERSION.
> You're saying that the following *does not work*?
>
> diff --git a/openssl-dtls.c b/openssl-dtls.c
> index 76bcd2f1..6501d8d8 100644
> --- a/openssl-dtls.c
> +++ b/openssl-dtls.c
> @@ -560,7 +560,8 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
>  	 * and isn't actually going to be resumed at all.
>  	 */
>  	const uint8_t cs[2] = {0x00, 0x2F}; /* RSA-AES-128 */
> -	dtls_session = generate_dtls_session(vpninfo, DTLS1_VERSION,
> +	dtls_session = generate_dtls_session(vpninfo,
> +					     DTLS_ANY_VERSION,
>  					     SSL_CIPHER_find(dtls_ssl, cs),
>  					     1);
>  	if (!dtls_session) {

Correct, that does not work.

I single-stepped through generate_dtls_session() and there is definitely a session ID being created and added, using the dtls_app_id from vpninfo. Then we go back to start_dtls_handshake(), which calls dtls_try_handshake(), which calls SSL_do_handshake(). SSL_do_handshake() fails with SSL_ERROR_WANT_READ, presumably because ocserv ignores the ClientHello with no session ID. ocserv doesn't even log an error.

MV

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
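Review bot: the hunk replacing DTLS1_VERSION with DTLS_ANY_VERSION in the generate_dtls_session() call only changes the protocol version the fabricated session is stamped with; it does nothing to guarantee that the session ID set inside generate_dtls_session() is actually emitted in the ClientHello, which is exactly the symptom reported in the reply (ocserv ignoring a hello with no session ID). SSL_do_handshake() returning SSL_ERROR_WANT_READ is not evidence either way, since it is indistinguishable from the server simply never answering. Before landing a version change here, confirm on the wire, with a capture of the outgoing ClientHello, that the session_id field is non-empty under DTLS_ANY_VERSION; if it is empty, the defect is in how the session is attached to dtls_ssl for that version, not in the version constant, and this hunk should be reverted to DTLS1_VERSION until that is understood. Also worth a comment above the call stating that a non-empty session ID is required by the server for PSK-NEGOTIATE resumption, so the next reader does not repeat this experiment.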