On 16/02/15 12:45, David Woodhouse wrote: > The Cisco AnyConnect VPN protocol establishes a connection over HTTPS > and negotiates parameters (cipher, master secret & session ID) for a > DTLS connection which is then "resumed". > > The OpenConnect VPN client handles this by using SSL_SESSION_new(), > manually setting the appropriate fields in the structure, and then using > SSL_set_session(). This code can be seen at > http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147 > > Commit b6ba401497 in OpenSSL broke this, because the SSL_SESSION became > opaque — with no alternative method that I can see to do what's needed. > > I played with manually creating the ASN.1 representation of a session > and feeding it to d2i_SSL_SESSION() but that fails because ssl_version > is 0x100 (DTLS1_BAD_VER) and d2i_SSL_SESSION() only works if the SSL > version major is >= SSL3_VERSION_MAJOR.
That sounds like a bug. I can't think of a reason why this should exclude DTLS. > > So I'm going to need to fix *something* in OpenSSL HEAD to make this > work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work > for DTLS1_BAD_VER, or introduce a new API for setting the fields we need > to fake a session resume? > What fields do you need access to? It would be good if you could document them on the wiki page here: https://wiki.openssl.org/index.php/1.1_API_Changes Send an email to wiki-ad...@opensslfoundation.com with your preferred username and I can set you up with access. Matt _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
