Hi Ghennadi,

Thanks for your effort, but I'm not sure about the benefits of this patch. As far as I know DTLS1_BAD_VER is only a hack to support Cisco's AnyConnect VPN servers, and it's not backed by the DTLS specification. Is Cisco still using the wrong version or did they fix that? Is there any other software that also uses DTLS1_BAD_VER? Why would running a server supporting DTLS1_BAD_VER be desirable?

My main concerns are that it's not supported by the DTLS specification and should therefore not be used at all, and there are so many considerations in the code for DTLS1_BAD_VER already.

Best regards
Robin

On Jun 28, 2012, at 9:45 AM, Ghennadi Procopciuc wrote:

> Hello All,
>
> We observed that the current implementation contains a client that can
> communicate with a DTLS1_BAD_VER server but does not contain the server that
> can communicate with a DTLS1_BAD_VER client, so we wrote a patch that enables
> OpenSSL to negotiate DTLS1_BAD_VER with itself.
>
> Changes (all in d1_srvr.c):
>
> 1. The server accepts a ClientHello from a client that uses DTLS1_BAD_VER.
> 2. The server responds to a client that uses DTLS1_BAD_VER.
> 3. Disable sending TLS extensions to DTLS1_BAD_VER clients.
>
> Is there interest in this patch?
>
> Thanks,
> Ghennadi
>
> <dtls1_bad_ver-server.patch>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
